feat(ci/cd): image (#27)

paologallinaharbur · web-flow · commit c54f32c1aa93 · 2025-05-28T11:03:27.000+02:00
* feat(ci/cd): image
diff --git a/.github/workflows/component_image.yml b/.github/workflows/component_image.yml
@@ -0,0 +1,77 @@
+name: 📞 Build container images
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        description: 'Image tag'
+        type: string
+        required: true
+      push:
+        description: 'Push image'
+        type: boolean
+        required: true
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    name: Build/Push images
+    env:
+      DOCKER_IMAGE_NAME_AUTH: newrelic/newrelic-auth-cli
+      DOCKER_PLATFORMS: "linux/amd64,linux/arm64"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Obtain Rust version from project
+        run: |
+          RUST_VERSION=$(grep "rust-version" Cargo.toml | cut -d "=" -f2 | tr -d "[:space:]")
+          echo "RUST_VERSION=${RUST_VERSION}" >> $GITHUB_ENV
+
+      - name: Install Rust ${{ env.RUST_VERSION }}
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUST_VERSION }}
+
+      - name: Build newrelic auth cli
+        run: |
+          which cross || cargo install cross
+          export RUSTFLAGS="-C target-feature=+crt-static"
+          cross build --target "aarch64-unknown-linux-musl" --profile release 
+          cross build --target "x86_64-unknown-linux-musl" --profile release 
+          cp ./target/aarch64-unknown-linux-musl/release/newrelic-auth-cli ./target/newrelic-auth-cli-arm64
+          cp ./target/x86_64-unknown-linux-musl/release/newrelic-auth-cli ./target/newrelic-auth-cli-amd64
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
+          password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
+
+      - name: Build and push images
+        if: ${{ inputs.push }}
+        run: |
+          docker buildx build \
+            --push \
+            --platform=$DOCKER_PLATFORMS \
+            -t $DOCKER_IMAGE_NAME_AUTH:${{ inputs.image-tag }} \
+            --attest type=provenance,mode=max \
+            --attest type=sbom \
+            .
+
+      - name: Build images
+        if: ${{ ! inputs.push }}
+        run: |
+          docker buildx build \
+            --platform=$DOCKER_PLATFORMS \
+            -t $DOCKER_IMAGE_NAME_AUTH:${{ inputs.image-tag }} \
+            --attest type=provenance,mode=max \
+            --attest type=sbom \
+            .
diff --git a/.github/workflows/component_image_security.yml b/.github/workflows/component_image_security.yml
@@ -0,0 +1,55 @@
+name: 📞 Security image scan
+permissions:
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        description: 'Image tag'
+        type: string
+        required: true
+
+env:
+  DOCKER_IMAGE_NAME_AUTH: newrelic/newrelic-auth-cli
+  SEVERITY: 'CRITICAL,HIGH'
+
+jobs:
+  scan:
+    name: Scan image
+    # Runs only when the trigger is different from a scheduled one, like pull request or push.
+    if: ${{ ! github.event.schedule }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE_NAME_AUTH }}:${{ inputs.image-tag }}
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          severity: ${{ env.SEVERITY }}
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+
+  scan-scheduled:
+    name: Scan image
+    if: ${{ github.event.schedule }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy in report mode
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE_NAME_AUTH }}:${{ inputs.image-tag }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: false  # Get full report when running nightly.
+          severity: ${{ env.SEVERITY }}
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+
+      # TODO Upload Trivy scan results to GitHub Security tab when the repo gets public state.
+      # more info about current limitation https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled
diff --git a/.github/workflows/component_security.yml b/.github/workflows/component_security.yml
@@ -0,0 +1,23 @@
+name: 📞 Rust Audit
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    name: Rust audit scanner
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run cargo audit
+        run: cargo audit
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -0,0 +1,24 @@
+name: Nightly release
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * 1-5"
+
+jobs:
+  build-image:
+    name: Build and Push nightly image
+    uses: ./.github/workflows/component_image.yml
+    with:
+      image-tag: nightly
+      push: true
+    secrets: inherit
+
+  security-image:
+    name: Security scan
+    needs: [ build-image ]
+    uses: ./.github/workflows/component_image_security.yml
+    with:
+      image-tag: nightly
+    secrets: inherit
diff --git a/.github/workflows/on_prerelease.yml b/.github/workflows/on_prerelease.yml
@@ -7,6 +7,22 @@ name: on_prerelease
 permissions:
   contents: write
 jobs:
+  build-image:
+    name: Build and Push container image
+    uses: ./.github/workflows/component_image.yml
+    with:
+      image-tag: ${{ github.event.release.tag_name }}-rc
+      push: true
+    secrets: inherit
+
+  security-scan:
+    name: Security scan
+    needs: [ build-image ]
+    uses: ./.github/workflows/component_image_security.yml
+    with:
+      image-tag: ${{ github.event.release.tag_name }}-rc
+    secrets: inherit
+
   build-binaries:
     runs-on: ubuntu-latest
     name: Build/Push binaries
@@ -34,8 +50,8 @@ jobs:
           cross build --target "aarch64-unknown-linux-musl" --profile release 
           cross build --target "x86_64-unknown-linux-musl" --profile release 
           
-          cp ./target/aarch64-unknown-linux-musl/release/newrelic-auth-cli ./newrelic-auth-cli-arm64
-          cp ./target/x86_64-unknown-linux-musl/release/newrelic-auth-cli ./newrelic-auth-cli-amd64
+          cp ./target/aarch64-unknown-linux-musl/release/newrelic-auth-cli ./target/newrelic-auth-cli-arm64
+          cp ./target/x86_64-unknown-linux-musl/release/newrelic-auth-cli ./target/newrelic-auth-cli-amd64
           
           gh release upload ${{ github.event.release.tag_name }} newrelic-auth-cli-arm64
           gh release upload ${{ github.event.release.tag_name }} newrelic-auth-cli-amd64
diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml
@@ -0,0 +1,32 @@
+on:
+  release:
+    types:
+      - released
+    tags:
+      - '*'
+
+name: Release
+permissions:
+  contents: read
+jobs:
+  push-container-tags:
+    runs-on: ubuntu-latest
+    name: Push container release tags
+    env:
+      DOCKER_IMAGE_NAME_AUTH: newrelic/newrelic-auth-cli
+    steps:
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
+          password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
+
+      - name: Push release tags
+        run: |
+          docker buildx imagetools create \
+            -t $DOCKER_IMAGE_NAME_AUTH:${{ github.event.release.tag_name }} \
+            -t $DOCKER_IMAGE_NAME_AUTH:latest \
+            $DOCKER_IMAGE_NAME_AUTH:${{ github.event.release.tag_name }}-rc
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,11 @@
+name: . 🕵🏼 Security scanner
+permissions:
+  contents: read
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+jobs:
+  security:
+    uses: ./.github/workflows/component_security.yml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,16 @@
+FROM debian:trixie-slim
+
+ARG TARGETARCH
+
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    apt-get install -y curl
+
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl"
+
+COPY --chmod=755 target/newrelic-auth-cli-${TARGETARCH} /bin/newrelic-auth-cli
+
+USER nobody
+
+ENTRYPOINT ["/bin/newrelic-auth-cli"]
diff --git a/src/bin/main_cli.rs b/src/bin/main_cli.rs
@@ -1,5 +1,7 @@
 use std::process::{exit, ExitCode};
 
 fn main() -> ExitCode {
+    println!("I am the auth CLI");
+
     exit(0)
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`use std::process::{exit, ExitCode};`
`2`	`2`
`3`	`3`	`fn main() -> ExitCode {`
	`4`	`+ println!("I am the auth CLI");`
	`5`	`+`
`4`	`6`	`exit(0)`
`5`	`7`	`}`