Migrate to GHA

.github/workflows/build.yml

@@ -0,0 +1,75 @@
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+name: Build
+permissions:
+    contents: read
+jobs:
+  build-amd64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-etcd:${{ env.TAG }}-amd64
+        file: Dockerfile
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-etcd:${{ env.TAG }}-amd64
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        trivyignores: '.trivyignore'
+
+  build-arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-etcd:${{ env.TAG }}-arm64
+        file: Dockerfile
+        outputs: type=docker
+        platforms: linux/arm64
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-runc:${{ env.TAG }}-arm64
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        trivyignores: '.trivyignore'

.github/workflows/image-push.yml

@@ -0,0 +1,40 @@
+on:
+  release:
+    types: [published]
+
+jobs:
+  push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to Container Registry
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_PASSWORD }}
+
+    - name: Build container image for Linux
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: rancher/hardened-etcd:${{ github.event.release.tag_name }}
+        file: Dockerfile
+        platforms: linux/amd64, linux/arm64

.trivyignore

@@ -0,0 +1,7 @@
+# Upstream CVEs
+# CVE-2023-47108 opentelemetry cve
+CVE-2023-47108
+# CVE-2023-39325 x/net cve
+CVE-2023-39325 
+# GHSA-m425-mq94-257g grpc cve
+GHSA-m425-mq94-257g

Dockerfile

@@ -11,8 +11,8 @@ RUN set -x && \
     make
 # setup the build
 ARG PKG=go.etcd.io/etcd
-ARG SRC=github.com/k3s-io/etcd
-ARG TAG="v3.5.7-k3s1"
+ARG SRC=github.com/rancher/etcd
+ARG TAG="v3.5.9-k3s1"
 ARG ARCH="amd64"
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}

Makefile

@@ -52,3 +52,14 @@ image-manifest:
 .PHONY: image-scan
 image-scan:
 	trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-etcd:$(TAG)
+
+.PHONY: log
+log:
+	@echo "ARCH=$(ARCH)"
+	@echo "TAG=$(TAG)"
+	@echo "ORG=$(ORG)"
+	@echo "PKG=$(PKG)"
+	@echo "SRC=$(SRC)"
+	@echo "BUILD_META=$(BUILD_META)"
+	@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
+	@echo "UNAME_M=$(UNAME_M)"