diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..502283f2
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,35 @@
+# Git
+.git
+.gitignore
+
+# Local development environment (Nix, direnv)
+.direnv/
+result*
+flake.nix
+flake.lock
+devshell.nix
+.envrc*
+
+# Build artifacts and local tools
+bin/
+dist/
+
+# Test and linting artifacts
+cover.out
+cover.html
+.golangci.toml
+.testcoverage.yml
+
+# CI/CD & Temporary files
+Dockerfile.cross
+
+# Documentation and planning
+docs/
+plans/
+README.md
+*.md
+
+# Project and configuration files not needed for the build
+Makefile
+PROJECT
+scripts/
\ No newline at end of file
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
index 65c0667d..023ae394 100644
--- a/.github/workflows/build-and-release.yaml
+++ b/.github/workflows/build-and-release.yaml
@@ -65,6 +65,7 @@ jobs:
 echo "::error::CodeQL produced ${count} alerts (warning/error)."
 exit 1
 fi
+
 scan-intermediate-image:
 runs-on: ubuntu-latest
 steps:
@@ -74,7 +75,7 @@ jobs:
 continue-on-error: true
 with:
 cache-db: true
- image: "alpine:3.22.2" # sync this with Containerfile
+ image: "golang:1.25.3-alpine3.22" # sync this with Containerfile
 output-file: grype.sarif
 severity-cutoff: high
 - name: Upload SARIF file
@@ -87,12 +88,9 @@ jobs:
 jq '.runs[0].results | map(select(.level == "error"))' grype.sarif
 exit 1
 
- build-go:
- needs: [ scan-dependencies, scan-codeql, scan-intermediate-image ]
+ test-go:
+ needs: [ scan-dependencies ]
 runs-on: ubuntu-latest
- strategy:
- matrix:
- arch: ${{ fromJson(inputs.architectures) }}
 steps:
 - name: Check out code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
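Review bot: The exclusion list is enumerative, so anything not named here — a local `.env` file, private keys, certificates — stays in the build context and, because the new Dockerfile does `COPY . .`, ends up in the builder stage's layers; the final distroless stage copies only the binary, so the exposure is to the builder layers and to any build cache they are exported to. Excluding `.gitignore` from the context does not apply its rules, so patterns that matter for the image have to be repeated here, for example `.env*` and `*.pem` (suggested additions, not taken from the repository). `*.md` already covers `README.md`, so that entry is redundant.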
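Review bot: The comment on the changed line still says `# sync this with Containerfile`, but this commit deletes Containerfile and builds from Dockerfile, so the cross-reference now points at a file that no longer exists; `image: "golang:1.25.3-alpine3.22" # sync this with Dockerfile`. This scan target and the Dockerfile's `FROM` both reference the builder image by mutable tag, so the image grype scans here is not guaranteed to be the one the build later pulls; pinning both to the same `golang@sha256:<digest>` (placeholder) would tie the scan result to a specific image. The scan-intermediate-image job starts before this hunk.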
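Review bot: `needs: [ scan-dependencies ]` on the renamed test-go job drops scan-codeql and scan-intermediate-image from the dependency chain, and the hunk at @@ -114 points build-scan-push-container at `needs: [ test-go ]`, so as far as these hunks show neither the CodeQL alert gate (the `exit 1` visible in the hunk at @@ -65) nor the intermediate-image scan has to pass before the container is built and pushed. If that gate is still intended, restore it on one of the two jobs: `needs: [ scan-dependencies, scan-codeql, scan-intermediate-image ]`. The hunk at @@ -114 also removes the `-X main.version` and `-X main.commit` ldflags, and nothing in the new Dockerfile sets them, so if the binary reports those variables they will be empty in the image. The test-go job body continues past the end of this hunk.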
@@ -114,34 +112,8 @@ jobs:
 with:
 config: ./.testcoverage.yml
 
- - name: Build
- run: |-
- mkdir -p $GITHUB_WORKSPACE/dist
-
- CGO_ENABLED=0 \
- GOARCH=${{ matrix.arch }} \
- GOOS=linux \
- go build \
- -ldflags '\
- -s -w \
- -buildid=${{ github.sha }} \
- -X main.version=${{ github.ref_name }} \
- -X main.commit=${{ github.sha }} \
- ' \
- -trimpath -mod=readonly \
- -o $GITHUB_WORKSPACE/dist/multigres-operator-${{ matrix.arch }} \
- ./cmd/multigres-operator
-
- - name: Upload artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: multigres-operator-${{matrix.arch}}
- path: dist/*
- if-no-files-found: error
- retention-days: 7
-
 build-scan-push-container:
- needs: [ build-go ]
+ needs: [ test-go ]
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
@@ -163,11 +135,6 @@ jobs:
 - name: Setup Docker buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
- - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- with:
- pattern: multigres-operator-*
- path: dist/
-
 - name: Log into registry
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
@@ -179,7 +146,7 @@ jobs:
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: .
- file: Containerfile
+ file: Dockerfile
 platforms: linux/${{ join(fromJson(inputs.architectures), ',linux/') }}
 load: true
 push: false
@@ -227,18 +194,3 @@ jobs:
 docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
 docker push "$IMAGE:${{ github.ref_name }}"
 fi
-
- create-release:
- needs: [ build-scan-push-container ]
- runs-on: ubuntu-latest
- if: ${{ inputs.create-release }}
- steps:
- - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- with:
- pattern: "*"
- path: dist/
- - name: Release
- uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2.4.0
- with:
- files: dist/**
diff --git a/Containerfile b/Containerfile
deleted file mode 100644
index 5535361e..00000000
--- a/Containerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-# Containerfile for multigres-operator
-
-# Github workflow step anchore/scan-action scans only the final image
-# sync this intermediate FROM reference with:
-# build-and-release.yaml => scan-intermediate-image
-FROM --platform=$BUILDPLATFORM alpine:3.22.2 AS build
-
-ARG TARGETOS
-ARG TARGETARCH
-
-COPY dist dist
-RUN cp dist/multigres-operator-${TARGETARCH}/multigres-operator-${TARGETARCH} multigres-operator
-RUN chmod +x multigres-operator
-
-FROM gcr.io/distroless/static-debian12
-
-COPY --from=build multigres-operator multigres-operator
-
-ENTRYPOINT [ "./multigres-operator" ]
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..1653abef
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,43 @@
+# Containerfile for multigres-operator
+
+# Github workflow step anchore/scan-action scans only the final image
+# sync this intermediate FROM reference with:
+# build-and-release.yaml => scan-intermediate-image
+FROM golang:1.25.3-alpine3.22 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the Go source (relies on .dockerignore to filter)
+COPY . .
+
+# Build
+# the GOARCH has no default value to allow the binary to be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 \
+ GOOS=${TARGETOS:-linux} \
+ GOARCH=${TARGETARCH} \
+ go build \
+ -ldflags '-s -w -buildid=' \
+ -trimpath -mod=readonly \
+ -a -o manager \
+ cmd/multigres-operator/main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER 65532:65532
+
+ENTRYPOINT ["/manager"]
\ No newline at end of file
diff --git a/go.sum b/go.sum
new file mode 100644
index 00000000..e69de29b
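Review bot: `COPY go.sum go.sum` followed by `RUN go mod download` and `go build -mod=readonly` depends on a populated go.sum, but the go.sum this commit adds appears to be empty (its index line ends in the empty-blob hash e69de29b); since Go 1.17 `go mod download` without arguments no longer records sums, so if go.mod declares any requirements the build should fail on missing go.sum entries — and if it does not fail, nothing in the repository pins module checksums. Commit the go.sum produced by `go mod tidy` rather than an empty file. Both `FROM golang:1.25.3-alpine3.22` and `FROM gcr.io/distroless/static:nonroot` pull by mutable tag (`nonroot` in particular floats), so pinning each with `@sha256:<digest>` (placeholder) gives a reproducible, scannable input; the header comment `# Containerfile for multigres-operator` should also now read Dockerfile. `USER 65532:65532` on the static `nonroot` base is the right shape for the final stage.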