Merge pull request #47 from nirmata/workflow-tag-update

add tag update
nirmata · Feb 20, 2025 · 343b713 · 343b713
2 parents e5aa312 + 5af1a63
commit 343b713
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 162 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -37,79 +37,78 @@ jobs:
       digest: ${{ steps.digest.outputs.digest }}
     runs-on: ubuntu-latest
     steps:
-      - name: Free disk space
-        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-        with:
-          tool-cache: true
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: false
-          docker-images: true
-          swap-storage: false
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-      - name: Fetch all tags
-        run: |
-          set -e
-          git fetch --force --tags
-      - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
-      - name: Install Syft
-        uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
-      - name: Install Ko
-        uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
-      - name: Run GoReleaser
-        id: goreleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release --clean --timeout 90m
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload artifacts.json
-        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: dist/artifacts.json
-          asset_name: artifacts.json
-          tag: ${{ github.ref }}
-      - name: Upload metadata.json
-        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: dist/metadata.json
-          asset_name: metadata.json
-          tag: ${{ github.ref }}
-      - name: Generate subject
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          hashes=$(cat $checksum_file | base64 -w0)
-          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-      - name: Image digest
-        id: digest
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
-          image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
-          digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
-          echo "image=$image" >> "$GITHUB_OUTPUT"
-          echo "digest=$digest" >> "$GITHUB_OUTPUT"
-
+    - name: Free disk space
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      with:
+        tool-cache: true
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: false
+        docker-images: true
+        swap-storage: false
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        fetch-depth: 0
+    - name: Fetch all tags
+      run: |
+        set -e
+        git fetch --force --tags
+    - name: Set up Go
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version-file: go.mod
+        cache-dependency-path: go.sum
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+    - name: Install Syft
+      uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
+    - name: Install Ko
+      uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+    - name: Run GoReleaser
+      id: goreleaser
+      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+      with:
+        distribution: goreleaser
+        version: latest
+        args: release --clean --timeout 90m
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload artifacts.json
+      uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        file: dist/artifacts.json
+        asset_name: artifacts.json
+        tag: ${{ github.ref }}
+    - name: Upload metadata.json
+      uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        file: dist/metadata.json
+        asset_name: metadata.json
+        tag: ${{ github.ref }}
+    - name: Generate subject
+      id: hash
+      env:
+        ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+      run: |
+        set -euo pipefail
+        checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+        hashes=$(cat $checksum_file | base64 -w0)
+        echo "hashes=$hashes" >> $GITHUB_OUTPUT
+    - name: Image digest
+      id: digest
+      env:
+        ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+      run: |
+        set -euo pipefail
+        image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
+        image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
+        digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+        echo "image=$image" >> "$GITHUB_OUTPUT"
+        echo "digest=$digest" >> "$GITHUB_OUTPUT"
   # provenance:
   #   needs:
   #     - goreleaser

diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
@@ -35,65 +35,12 @@ jobs:
         echo "Detected architecture: $ARCH"
         echo "ARCH=$ARCH" >> $GITHUB_ENV
 
-    - name: Print Disk & Memory Usage (Before Cleanup)
-      run: |
-        echo "==== Disk Usage Before Cleanup ($ARCH) ===="
-        df -h
-        echo "==== Memory Usage Before Cleanup ($ARCH) ===="
-        free -h
-        echo "==== Docker Disk Usage Before Cleanup ($ARCH) ===="
-        docker system df
-
-    - name: Cleanup Space on Runner
-      run: |
-        echo "Running cleanup for $ARCH..."
-
-        # Remove unnecessary packages
-        sudo apt-get autoremove -y
-        sudo apt-get clean
-
-        # Remove dangling Docker images & containers
-        # docker system prune -af --volumes
-
-        # Remove cached Go modules
-        go clean -modcache
-
-        # Remove unnecessary system logs
-        sudo journalctl --vacuum-time=1s
-
-        # Remove npm cache (if applicable)
-        rm -rf ~/.npm
-        rm -rf ~/.cache
-
-        # Extra cleanup for ARM64 (if needed)
-        if [[ "$ARCH" == "aarch64" ]]; then
-          echo "Applying additional cleanup for ARM64..."
-          # Add ARM64-specific cleanup commands here if needed
-        fi
-
-    - name: Print Disk & Memory Usage (After Cleanup)
-      run: |
-        echo "==== Disk Usage After Cleanup ($ARCH) ===="
-        df -h
-        echo "==== Memory Usage After Cleanup ($ARCH) ===="
-        free -h
-        echo "==== Docker Disk Usage After Cleanup ($ARCH) ===="
-        docker system df
-
     - name: Checkout release
       if: ${{ inputs.tag == 'release'}}
       uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       with:
         fetch-depth: 0
 
-    - name: Checkout image
-      if: ${{ inputs.tag == 'image'}}
-      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-
-    - name: Unshallow
-      if: ${{ inputs.tag == 'image'}}
-      run: git fetch --prune --unshallow --tags
-
     - name: Set up Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
@@ -116,9 +63,12 @@ jobs:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    # - name: Set up QEMU
-    #   # if: runner.arch != 'X64' # Only set up QEMU on non-x86_64 architectures
-    #   uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+    - name: Set up binfmt
+      uses: docker/[email protected]
+
+    - name: Install binfmt
+      run: |
+        docker run --rm --privileged tonistiigi/binfmt --install all
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
       id: buildx
@@ -153,31 +103,13 @@ jobs:
         name: ${{inputs.image_name}}-bom-cdx
         path: ${{inputs.image_name}}-v*-bom.cdx.json
 
-    - name: Extract branch name
-      if: ${{inputs.tag == 'image'}}
-      shell: bash
-      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-      id: extract_branch
-
     - name: Check branch
       if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
       id: check-branch
       run: |
         if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
             echo ::set-output name=match::true
         fi
-    - name: Debug Inputs
-      run: |
-        echo "Tag: ${{ inputs.tag }}"
-        echo "publish_command : ${{ inputs.publish_command}}"
-        echo "Digest Command: ${{ inputs.digest_command }}"
-        echo "Image Name: ${{ inputs.image_name }}"
-        echo "Repository: ${{ github.repository }}"
-        echo "Workflow: ${{ github.workflow }}"
-        echo "SHA: ${{ github.sha }}"
-        echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"
-        echo "github.actor: ${{ github.actor }}"
-        echo "Branch: ${{ steps.extract_branch.outputs.branch }}"
     - name: Docker images publish
       if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
       run: make ${{inputs.publish_command}} FIPS_ENABLED=1
@@ -189,14 +121,14 @@ jobs:
         digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1) 
         echo "digest=${digest}" >> $GITHUB_ENV
     - name: Docker release-images publish
-      if: ${{inputs.tag == 'release' || inputs.tag == 'image' }}
+      if: ${{inputs.tag == 'release' }}
       run: make ${{inputs.publish_command}} FIPS_ENABLED=1
 
     - name: Clear Sigstore TUF Cache
       run: |
         rm -rf ~/.sigstore
     - name: Get release-image digest
-      if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
+      if: ${{ inputs.tag == 'release' }}
       id: get-step
       run: |
         digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1  2>/dev/null || true)
@@ -213,17 +145,6 @@ jobs:
           echo "Error: Digest is empty or invalid." >&2
           exit 1
         fi
-    - name: Sign image
-      if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }}
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
-      run: |
-        cosign sign --yes \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest}
     - name: Sign release-image
       if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
       env:

diff --git a/Dockerfile.fips b/Dockerfile.fips
@@ -23,7 +23,7 @@ ARG TARGETARCH
 RUN GOOS=linux GOARCH=$TARGETARCH \
     BUILD_TAGS=fips GOEXPERIMENT=systemcrypto \
     CGO_ENABLED=1 FIPS_ENABLED=1 \
-    go build -p 1  -ldflags="-s -w" -o /app/reports-server ./
+    go build -ldflags="-s -w" -o /app/reports-server ./
 
 RUN groupadd --system appgroup && \
     useradd --system --uid 1001 --gid appgroup --home-dir /nonexistent --shell /usr/sbin/nologin appuser && \

diff --git a/Makefile b/Makefile
@@ -297,7 +297,7 @@ ko-publish-reports-server: ko-login ## Build and publish reports-server image (w
 FIPS_ENABLED := 0 # Default to FIPS disabled
 
 ifeq ($(FIPS_ENABLED), 1)
-IMAGE_TAG    := $(shell git describe --tags --abbrev=0)
+IMAGE_TAG    := $(shell git describe --tags --match "v*.*.*" --abbrev=0)
 LD_FLAGS     :="-s -w"
 endif