fix: Docker scanner workflow #4

Merged
merged 18 commits into from
Sep 5, 2024
54 changes: 24 additions & 30 deletions .docker/Dockerfile
Expand Up @@ -2,25 +2,25 @@
FROM phusion/baseimage:jammy-1.0.4

#####################################
ENV LANG C.UTF-8
ENV LC_ALL en_US.UTF-8
ENV DEBIAN_FRONTEND noninteractive
ENV LANG=C.UTF-8
ENV LC_ALL=en_US.UTF-8
ENV DEBIAN_FRONTEND=noninteractive

###
ENV PHP_VERSION 8.3.10
ENV PACKER_VERSION 1.11.2
ENV TERRAFORM_VERSION 1.9.0
ENV ANSIBLE_VERSION 10.3.0
ENV LINT_VERSION 4.1.0
ENV KUBECTL_VERSION 1.31.0
ENV HELM_VERSION 3.15.1
ENV AZURE_CLI_VERSION 2.63.0-1~jammy
ENV AWS_CLI_VERSION 2.17.33
ENV K9s_Version 0.32.5
ENV GCLOUD_VERSION 489.0.0
ENV KUI_Version 13.1.4
ENV KUBECTX_VERSION 0.9.4
ENV KUBENS_VERSION 0.9.4
ENV PHP_VERSION=8.3.10
ENV PACKER_VERSION=1.11.2
ENV TERRAFORM_VERSION=1.9.5
ENV ANSIBLE_VERSION=10.3.0
ENV LINT_VERSION=4.1.0
ENV KUBECTL_VERSION=1.31.0
ENV HELM_VERSION=3.15.4
ENV AZURE_CLI_VERSION=2.64.0-1~jammy
ENV AWS_CLI_VERSION=2.17.43
ENV K9s_Version=0.32.5
ENV GCLOUD_VERSION=490.0.0
ENV KUI_Version=13.1.4
ENV KUBECTX_VERSION=0.9.4
ENV KUBENS_VERSION=0.9.4

####################################

Expand All @@ -38,8 +38,8 @@ RUN mkdir -p /home/ubuntu/.ssh
RUN chmod 755 /home/ubuntu/.ssh
RUN chown -R ubuntu:ubuntu /home/ubuntu
RUN chmod 755 /home/ubuntu
ENV BOOT2DOCKER_ID 501
ENV BOOT2DOCKER_GID 20
ENV BOOT2DOCKER_ID=501
ENV BOOT2DOCKER_GID=20
# Tweaks to give write permissions to the app
RUN usermod -u ${BOOT2DOCKER_ID} ubuntu && \
usermod -G staff ubuntu
Expand Down Expand Up @@ -76,16 +76,14 @@ RUN apt install -y \


# ZSH
ADD ./etc/install-zsh.sh /root/install-zsh.sh
ADD ./etc/install-zsh.sh /home/ubuntu/install-zsh.sh
ADD .docker/etc/install-zsh.sh /root/install-zsh.sh
ADD .docker/etc/install-zsh.sh /home/ubuntu/install-zsh.sh

RUN chmod +x /root/install-zsh.sh
RUN chmod +x /home/ubuntu/install-zsh.sh
RUN sh /root/install-zsh.sh
RUN su - ubuntu -c "sh /home/ubuntu/install-zsh.sh"
RUN rm /root/.zshrc && chsh -s `which zsh` && chsh -s `which zsh` ubuntu && chmod -R 755 /usr/local/share/zsh*
RUN mkdir -p ~/.oh-my-zsh/custom/plugins/copydir
RUN curl -L https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/plugins/copypath/copypath.plugin.zsh -o ~/.oh-my-zsh/custom/plugins/copydir/copydir.plugin.zsh

##Python with Packages
RUN pip install ansible==${ANSIBLE_VERSION} \
Expand Down Expand Up @@ -138,13 +136,9 @@ RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION
mv /usr/local/bin/aws /bin

#gcloud
RUN cd /tmp && \
wget https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-arm.tar.gz && \
tar -xvzf google-cloud-cli-${GCLOUD_VERSION}-linux-arm.tar.gz && \
mv google-cloud-sdk /usr/local/gcloud && \
/usr/local/gcloud/install.sh --quiet && \
rm /tmp/google-cloud-cli-${GCLOUD_VERSION}-linux-arm.tar.gz
ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
apt-get update -y && apt-get install google-cloud-cli=${GCLOUD_VERSION}-0 -y

#k9s
RUN curl -LO https://github.com/derailed/k9s/releases/latest/download/k9s_Linux_amd64.tar.gz && \
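Review bot: The new gcloud key fetch (`curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg`) runs under the default `/bin/sh -c` with no `-f` and no pipefail, so an HTTP error or truncated response still writes a bogus keyring and the build only dies later with an unrelated apt signature error. Use `curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg` and put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of the pipe-based RUNs (hadolint DL4006). `tee -a` appends to the sources list, so a derived image that repeats the step gets a duplicate entry; plain `tee` is enough here. The same layer should end with `rm -rf /var/lib/apt/lists/*`, since the `apt-get update` index otherwise stays in the image.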
11 changes: 8 additions & 3 deletions .github/workflows/docker-scanner.yaml
Expand Up @@ -7,12 +7,17 @@ permissions:
statuses: write

on:
workflow_dispatch:
pull_request:
types:
- opened
- synchronize
- reopened

jobs:
docker-scanner:
uses: clouddrove/github-shared-workflows/.github/workflows/[email protected].7
uses: clouddrove/github-shared-workflows/.github/workflows/[email protected].8
with:
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
dockerfile-path: "./docker/Dockerfile"
dockerfile-path: "./.docker/Dockerfile"
security-upload: "true"
block_action: "true"
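Review bot: The shared workflow on the `uses:` line is pinned to the mutable tag `v1.2.8`, and now that the job runs on every `pull_request` with `statuses: write` and `security-upload`, whoever can move that tag in `clouddrove/github-shared-workflows` can run code of their choice against this repo's PRs with those permissions. Pin to the full commit SHA and keep the tag as a comment: `uses: clouddrove/github-shared-workflows/.github/workflows/docker-scanner.yaml@<full-sha> # v1.2.8`. Separately, `severity` includes `UNKNOWN` and `LOW` while `block_action: "true"`, so for an image that installs this many third-party CLIs the scan will presumably block merges on findings with no fix available; consider `"HIGH,CRITICAL"` for the blocking run. The enclosing `permissions:` block starts above the hunk.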
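--- a/.github/workflows/enigma-docker.yml
+++ b/.github/workflows/enigma-docker.yml
@@ -0,0 +1,45 @@
+name: Enigma Docker Build and Publish.
+on:
+  push:
+    tags: [ v* ]
+
+jobs:
+  docker-build-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    env:
+      DOCKER_IMAGE: devops-machine
+      DOCKER_TAG: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+      PROVIDER: github
+
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build Docker Image
+        uses: clouddrove/[email protected]
+        with:
+          command: bake
+          DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }}
+          DOCKER_TAG: ${{ env.DOCKER_TAG }}
+          DOCKERFILE_PATH: .docker/Dockerfile
+          GITHUB_USERNAME: ${{ github.actor }}
+          TOKEN: ${{ secrets.GITHUB }}
+
+      - name: Publish Docker Image
+        uses: clouddrove/[email protected]
+        with:
+          command: publish
+          DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }}
+          DOCKER_TAG: ${{ env.DOCKER_TAG }}
+          DOCKERFILE_PATH: .docker/Dockerfile
+          GITHUB_USERNAME: ${{ github.actor }}
+          TOKEN: ${{ secrets.GITHUB }}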
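Review bot: The job logs in to Docker Hub (`docker/login-action@v3` with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`) although `DOCKER_TAG` targets `ghcr.io`, so those credentials are handed to the job with no visible use; drop that step unless `clouddrove/enigma` actually needs them. The ghcr push instead uses a repository secret named `GITHUB` passed as `TOKEN`, which looks like a long-lived PAT, while the job requests `id-token: write` that nothing here consumes and omits `packages: write`. Prefer the ephemeral built-in token: `permissions: { contents: read, packages: write }` and `TOKEN: ${{ secrets.GITHUB_TOKEN }}`. Since this workflow runs with publish credentials on every `v*` tag, pin `clouddrove/enigma` and `docker/login-action` to commit SHAs rather than tags.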
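--- a/.github/workflows/sanity-check.yaml
+++ b/.github/workflows/sanity-check.yaml
@@ -0,0 +1,84 @@
+name: Sanity Checks
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+
+      - name: Build the application image
+        run: docker build -t clouddrove/devops:0.0.${{ github.run_number }} -f .docker/Dockerfile .
+
+      - name: Bring container up and running
+        run: docker run --name devops -d clouddrove/devops:0.0.${{ github.run_number }}
+
+      - name: Wait for container to boot up
+        run: sleep 10
+
+      - name: Sanity check
+        run: |
+          mismatches=""
+
+          # Terraform
+          LATEST_TERRAFORM_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r .current_version)
+          INSTALLED_TERRAFORM_VERSION=$(docker exec devops terraform version -json | jq -r .terraform_version)
+          if [ "$LATEST_TERRAFORM_VERSION" != "$INSTALLED_TERRAFORM_VERSION" ]; then
+            mismatches="$mismatches\nTerraform version mismatch: expected $LATEST_TERRAFORM_VERSION, got $INSTALLED_TERRAFORM_VERSION"
+          fi
+
+          # Azure CLI
+          LATEST_AZURE_VERSION=$(curl -s https://api.github.com/repos/Azure/azure-cli/releases/latest | jq -r .tag_name | cut -d '-' -f 3)
+          INSTALLED_AZURE_VERSION=$(docker exec devops az version | jq -r '."azure-cli"')
+          if [ "$LATEST_AZURE_VERSION" != "$INSTALLED_AZURE_VERSION" ]; then
+            mismatches="$mismatches\nAzure CLI version mismatch: expected $LATEST_AZURE_VERSION, got $INSTALLED_AZURE_VERSION"
+          fi
+
+          # AWS CLI
+          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+          unzip awscliv2.zip
+          sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update
+          LATEST_AWS_VERSION=$(aws --version 2>&1 | awk '{print $1}' | cut -d/ -f2)
+          INSTALLED_AWS_VERSION=$(docker exec devops aws --version 2>&1 | awk '{print $1}' | cut -d/ -f2)
+          if [ "$LATEST_AWS_VERSION" != "$INSTALLED_AWS_VERSION" ]; then
+            mismatches="$mismatches\nAWS CLI version mismatch: expected $LATEST_AWS_VERSION, got $INSTALLED_AWS_VERSION"
+          fi
+
+          # Kubectl
+          LATEST_KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt | cut -c 2-)
+          INSTALLED_KUBECTL_VERSION=$(docker exec devops kubectl version --client -o json | jq -r '.clientVersion.gitVersion' | cut -c 2-)
+          if [ "$LATEST_KUBECTL_VERSION" != "$INSTALLED_KUBECTL_VERSION" ]; then
+            mismatches="$mismatches\nKubectl version mismatch: expected $LATEST_KUBECTL_VERSION, got $INSTALLED_KUBECTL_VERSION"
+          fi
+
+          # Helm
+          LATEST_HELM_VERSION=$(curl -s https://api.github.com/repos/helm/helm/releases/latest | jq -r .tag_name | cut -c 2-)
+          INSTALLED_HELM_VERSION=$(docker exec devops helm version --template="{{ .Version }}" | cut -c 2-)
+          if [ "$LATEST_HELM_VERSION" != "$INSTALLED_HELM_VERSION" ]; then
+            mismatches="$mismatches\nHelm version mismatch: expected $LATEST_HELM_VERSION, got $INSTALLED_HELM_VERSION"
+          fi
+
+          # Google Cloud SDK (gcloud)
+          curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz
+          tar -xf google-cloud-cli-linux-x86_64.tar.gz
+          ./google-cloud-sdk/install.sh --quiet
+          export PATH=$PATH:$PWD/google-cloud-sdk/bin
+          LATEST_GCLOUD_VERSION=$(gcloud --version | grep -oP '(?<=Google Cloud SDK )\S+')
+          INSTALLED_GCLOUD_VERSION=$(docker exec devops gcloud --version | grep -oP '(?<=Google Cloud SDK )\S+')
+          echo "Google Cloud SDK versions - Latest: $LATEST_GCLOUD_VERSION, Installed: $INSTALLED_GCLOUD_VERSION"
+          if [ "$LATEST_GCLOUD_VERSION" != "$INSTALLED_GCLOUD_VERSION" ]; then
+            mismatches="$mismatches\nGoogle Cloud SDK version mismatch: expected $LATEST_GCLOUD_VERSION, got $INSTALLED_GCLOUD_VERSION"
+          fi
+
+          # Print mismatches and fail if any
+          if [ -n "$mismatches" ]; then
+            echo -e "Version mismatches found:$mismatches"
+            exit 1
+          fi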
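Review bot: The `api.github.com` lookups for Azure CLI and Helm are unauthenticated and use `curl -s` without `-f`, so on a rate-limited runner the API answers 403, `jq -r .tag_name` yields `null`, and the step fails the PR with a bogus version mismatch instead of a network error. Pass the job token and fail on HTTP errors, e.g. `LATEST_HELM_VERSION=$(curl -fsS -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/repos/helm/helm/releases/latest | jq -r .tag_name | cut -c 2-)` with `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the step, and use `-fsS` on the HashiCorp, `dl.k8s.io` and Google downloads as well. The workflow also builds and runs the PR's own Dockerfile on `pull_request` with no `permissions:` block, so it inherits the repository default; add `permissions: contents: read` at the top so a fork PR cannot get more than that. Finally, the check compares against upstream's current release rather than the pins in `.docker/Dockerfile`, so every PR fails as soon as any of the five vendors ships a release; if that is intended, say so at the top of the step: `# Fails whenever a pinned CLI lags upstream's latest release; bump the ENV pins in .docker/Dockerfile to clear.`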