wip: slsa lv 3

.github/workflows/release.yml

@@ -18,16 +18,16 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
     steps:
-        - name: Checkout Code
-          uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@v4
 
-        - name: Create a Release
-          id: create_release
-          uses: actions/create-release@v1
-          with:
-            tag_name: ${{ github.ref }}
-            release_name: Release ${{ github.ref_name }}
-            prerelease: true
+      - name: Create a Release
+        id: create_release
+        uses: actions/create-release@v1
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref_name }}
+          prerelease: true
 
   build-and-push-amd64:
     runs-on: ubuntu-latest
@@ -44,80 +44,15 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Install Dependencies
-        run: |
-          go mod download
-          curl -sL https://get.helm.sh/helm-v3.5.4-linux-amd64.tar.gz | tar xvzf - -C /usr/local/bin --strip-components=1
-
-      - name: Build Binary
-        run: |
-          VERSION=$(git describe --tags --always)
-          ARCH=$(go env GOHOSTARCH)
-          SUFFIX="-${ARCH}"
-
-          # Set linker flags
-          LINKFLAGS="-X github.com/rancher/csp-adapter.Version=$VERSION"
-
-          CGO_ENABLED=0 go build -ldflags "$LINKFLAGS -extldflags -static -s" -o bin/csp-adapter
-
-          mkdir -p dist/artifacts
-          cp bin/csp-adapter dist/artifacts/csp-adapter-linux${SUFFIX}
-          
-      - name: Run Tests
-        run: |
-          go test ./... -v
-
-      - name: Package Helm Charts
-        run: |
-          VERSION=$(git describe --tags --always)
-          HELM_VERSION=${VERSION/v/}
-
-          mkdir -p build/charts
-          cp -r charts build/
-
-          sed -i -e "s/^version:.*/version: $HELM_VERSION/" \
-                  -e "s/appVersion:.*/appVersion: $HELM_VERSION/" \
-                  build/charts/rancher-csp-adapter/Chart.yaml
-
-          sed -i -e "s/tag: latest/tag: $HELM_VERSION/" \
-                  build/charts/rancher-csp-adapter/values.yaml
-
-          helm package -d ./dist/artifacts ./build/charts/rancher-csp-adapter
-          
-      - name: Generate Checksum
-        run: |
-          cd dist/artifacts 
-          sha256sum * > sha256sum-amd64.txt
-
-      - name: Upload Assets
-        run: |
-          ASSETS_DIR="dist/artifacts"
-          TAG=${{ github.ref_name }}
-          for file in $ASSETS_DIR/*; do
-            gh release upload $TAG $file --repo ${{ github.repository }}
-          done
-
-      - name: Build Manifest
-        id: metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            docker.io/rancher/rancher-csp-adapter
-            709825985650.dkr.ecr.us-east-1.amazonaws.com/suse/rancher/rancher-csp-adapter
-          flavor: |
-            latest=false
-
       - name: Read Secrets
         uses: rancher-eio/read-vault-secrets@main
         with:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
             secret/data/github/repo/${{ github.repository }}/aws/aws-rancher-csp-adapter-ecr/credentials accessKeyId | ECR_ACCESS_KEY ;
             secret/data/github/repo/${{ github.repository }}/aws/aws-rancher-csp-adapter-ecr/credentials secretAccessKey | ECR_SECRET_KEY ;
             secret/data/github/repo/${{ github.repository }}/aws/aws-rancher-csp-adapter-ecr-eu/credentials accessKeyId | ECR_ACCESS_KEY_EU ;
@@ -129,6 +64,44 @@ jobs:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_PASSWORD }}
 
+      - name: Build Manifest
+        id: metadata
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            docker.io/rancher/rancher-csp-adapter
+            709825985650.dkr.ecr.us-east-1.amazonaws.com/suse/rancher/rancher-csp-adapter
+          flavor: |
+            latest=false
+
+      - name: Publish manifest
+        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        with:
+          image: security-scan
+          tag: ${{ steps.metadata.outputs.tags }}
+          platforms: linux/amd64
+          public-registry: docker.io
+          public-repo: rancher-csp-adapter
+          public-username: ${{ secrets.DOCKER_USERNAME }}
+          public-password: ${{ secrets.DOCKER_PASSWORD }}
+          prime-registry: ${{ env.PRIME_REGISTRY }}
+          prime-repo: rancher
+          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
+      # - name: Generate Checksum
+      #   run: |
+      #     cd dist/artifacts 
+      #     sha256sum * > sha256sum-amd64.txt
+
+      # - name: Upload Assets
+      #   run: |
+      #     ASSETS_DIR="dist/artifacts"
+      #     TAG=${{ github.ref_name }}
+      #     for file in $ASSETS_DIR/*; do
+      #       gh release upload $TAG $file --repo ${{ github.repository }}
+      #     done
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -141,16 +114,6 @@ jobs:
         with:
           registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
 
-      - name: Push Images to Registries
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.metadata.outputs.tags }}
-          labels: ${{ steps.metadata.outputs.labels }}
-          file: package/Dockerfile
-          platforms: linux/amd64
-
       - name: Build Manifest for EU Registry Images
         id: metadata_eu
         uses: docker/metadata-action@v5

Makefile

@@ -1,16 +1,24 @@
-TARGETS := $(shell ls scripts)
+RUNNER := docker
+IMAGE_BUILDER := $(RUNNER) buildx
+MACHINE := rancher
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+DEFAULT_PLATFORMS := linux/amd64
 
-.dapper:
-	@echo Downloading dapper
-	@curl -sL https://releases.rancher.com/dapper/latest/dapper-`uname -s`-`uname -m` > .dapper.tmp
-	@@chmod +x .dapper.tmp
-	@./.dapper.tmp -v
-	@mv .dapper.tmp .dapper
+# Define target platforms, image builder and the fully qualified image name.
+TARGET_PLATFORMS ?= linux/amd64
 
-$(TARGETS): .dapper
-	./.dapper $@
+REPO ?= rancher
+IMAGE = $(REPO)/rancher-csp-adapter:$(TAG)
 
 clean:
 	rm -rf bin dist
 
-.PHONY: $(TARGETS)
+push-image: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
+$(IMAGE_BUILDER) build -f package/Dockerfile \
+	--builder $(MACHINE) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+	--platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push .
+@echo "Pushed $(IMAGE)"
+
+.PHONY: buildx-machine
+buildx-machine: ## create rancher dockerbuildx machine targeting platform defined by DEFAULT_PLATFORMS.
+	@docker buildx ls | grep $(MACHINE) || docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)