Merge branch 'stable' into py311

Author: durera

.github/CODEOWNERS

@@ -1 +1 @@
-* @durera @andrercm @sanju7216 @terenceq @whitfiea
+* @ibm-mas/pr-review-team

.github/workflows/build-cli-base.yml

@@ -5,6 +5,11 @@ on:
     tags-ignore: [ "**" ]
   release:
     types: [ published ]
+env:
+  ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
+  QUAYIO_USERNAME:   ${{ secrets.QUAYIO_USERNAME }}
+  QUAYIO_PASSWORD:   ${{ secrets.QUAYIO_PASSWORD }}
+  W3_USERNAME:       ${{ secrets.W3_USERNAME }}
 
 jobs:
   build-amd64:
@@ -27,23 +32,7 @@ jobs:
       - name: Build the docker image (amd64)
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
-          echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
-
-          # Login to quay.io
-          docker login --username "${{ secrets.QUAYIO_USERNAME }}" --password "${{ secrets.QUAYIO_PASSWORD }}" quay.io
-
-          # Build the image
-          $GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform amd64 -b image/cli-base
-
-          # Squash the image layers
-          python3 -m pip install docker-squash
-          docker-squash --load-image --tag quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-amd64 quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-amd64
-
-          # List available images
-          docker images
-
-          # Push the images
-          docker push quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-amd64
+          source $GITHUB_WORKSPACE/build/bin/build.sh amd64
 
   build-s390x:
     name: Build Image (s390x)
@@ -63,31 +52,31 @@ jobs:
           source $GITHUB_WORKSPACE/build/bin/.functions.sh
 
       - name: Build the docker image (s390x)
-        env:
-          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
-          echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
+           source $GITHUB_WORKSPACE/build/bin/build.sh s390x
 
-          # Login to quay.io
-          docker login --username "${{ secrets.QUAYIO_USERNAME }}" --password "${{ secrets.QUAYIO_PASSWORD }}" quay.io
-
-          # Before we build the s390x image we need to download some pre-build dependencies from Artifactory
-          wget --header="Authorization:Bearer $ARTIFACTORY_TOKEN" https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-local/dependencies/rclone/rclone.tar.gz -O $GITHUB_WORKSPACE/image/cli-base/install/rclone.tar.gz
-          python3 $GITHUB_WORKSPACE/build/bin/python-collect-prebuilt-wheels.py --req-file $GITHUB_WORKSPACE/image/cli-base/install/requirements.txt --dest $GITHUB_WORKSPACE/image/cli-base/install/ --add-dependency cryptography
-
-          # Build the images
-          $GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform s390x -b image/cli-base
-
-          # Squash the image layers
-          python3 -m pip install docker-squash
-          docker-squash --load-image --tag quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-s390x quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-s390x
+  build-ppc64le:
+    name: Build Image (ppc64le)
+    runs-on: ubuntu-latest
+    if: ${{ !contains(github.event.head_commit.message, '[doc]') }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        # Without this option, we don't get the tag information
+        with:
+          fetch-depth: 0
 
-          # List available images
-          docker images
+      - name: Initialise the build system
+        run: |
+          chmod u+x $GITHUB_WORKSPACE/build/bin/*.sh
+          $GITHUB_WORKSPACE/build/bin/initbuild.sh
+          source $GITHUB_WORKSPACE/build/bin/.functions.sh
 
-          # Push the images
-          docker push quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-s390x
+      - name: Build the docker image (ppc64le)
+        run: |
+          echo "GITHUB_REF=$GITHUB_REF"
+          source $GITHUB_WORKSPACE/build/bin/build.sh ppc64le
 
   build-arm64:
     name: Build Image (arm64)
@@ -108,24 +97,7 @@ jobs:
 
       - name: Build the docker image (arm64)
         run: |
-          echo "GITHUB_REF=$GITHUB_REF"
-          echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
-
-          # Login to quay.io
-          docker login --username "${{ secrets.QUAYIO_USERNAME }}" --password "${{ secrets.QUAYIO_PASSWORD }}" quay.io
-
-          # Build the image
-          $GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform arm64 -b image/cli-base
-
-          # # Squash the image layers
-          python3 -m pip install docker-squash
-          docker-squash --load-image --tag quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-arm64 quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-arm64
-
-          # List available images
-          docker images
-
-          # Push the images
-          docker push quay.io/ibmmas/cli-base:${{ env.DOCKER_TAG }}-arm64
+          source $GITHUB_WORKSPACE/build/bin/build.sh arm64
 
   build-manifest:
     name: Build Manifest
@@ -134,6 +106,7 @@ jobs:
       - build-amd64
       - build-s390x
       - build-arm64
+      - build-ppc64le
     if: ${{ !contains(github.event.head_commit.message, '[doc]') }}
     steps:
       - name: Checkout
@@ -157,7 +130,7 @@ jobs:
           docker login --username "${{ secrets.QUAYIO_USERNAME }}" --password "${{ secrets.QUAYIO_PASSWORD }}" quay.io
 
           # Publish the manifest
-          $GITHUB_WORKSPACE/build/bin/docker-manifest.sh -r quay.io/ibmmas/cli-base --target-platforms amd64,s390x,arm64
+          $GITHUB_WORKSPACE/build/bin/docker-manifest.sh -r quay.io/ibmmas/cli-base --target-platforms amd64,s390x,arm64,ppc64le
 
           # Re-issue the manifest under an alias where needed
           # https://github.com/docker/buildx/issues/1744#issuecomment-1896645786

README.md

@@ -23,3 +23,5 @@ Provides:
 | `rosa`                |  ✔️  |  ❌ ️  |  ✔️  |
 | `boto3`               |  ✔️  |  ✔️   |  ✔️  |
 | `argocd`              |  ✔️  |  ✔️   |  ✔️  |
+
+Note: IBM Cloud `Container-Registry` plugin is supported on ppc64le, however the `Container-Service` plugin is not.

build/bin/.env.sh

@@ -5,6 +5,12 @@
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export PATH=$PATH:$DIR:$DIR/ptc
+CONFIG_DIR=$DIR/config
+
+# Use OSCAP tools to produce image hardening report for built images
+export OSCAP_ENABLED=${OSCAP_ENABLED:-true}
+export OSCAP_DIR=$GITHUB_WORKSPACE/.oscap
+
 
 # Version file (semver)
 export VERSION_FILE=${GITHUB_WORKSPACE}/.version

build/bin/.functions.sh

@@ -101,3 +101,9 @@ function artifactory_upload() {
   echo "Uploading $1 to $2"
   curl -H "Authorization:Bearer $ARTIFACTORY_TOKEN"  -H "X-Checksum-Md5: $md5Value" -H "X-Checksum-Sha1: $sha1Value" -T $1 $2 || exit 1
 }
+
+# install oscap tools
+function install_oscap() {
+  sudo apt-get update
+  sudo apt-get install -y openscap-scanner
+}

build/bin/build.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+TARGET_PLATFORM=$1
+echo "GITHUB_REF=$GITHUB_REF"
+echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
+
+export ARTIFACTORY_GENERIC_RELEASE_URL=${ARTIFACTORY_GENERIC_RELEASE_URL:-https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-release}
+export ARTIFACTORY_GENERIC_LOCAL_URL=${ARTIFACTORY_GENERIC_LOCAL_URL:-https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-local}
+export OSCAP_REMEDIATION_URL=${ARTIFACTORY_GENERIC_LOCAL_URL}/dependencies/oscap/ubi9/remediate.sh
+export OSCAP_REMEDIATION_FILE=${GITHUB_WORKSPACE}/image/cli-base/remediate.sh
+
+echo "OSCAP_REMEDIATION_URL: $OSCAP_REMEDIATION_URL"
+echo "OSCAP_REMEDIATION_FILE: $OSCAP_REMEDIATION_FILE"
+
+# Copy OSCAP remediation file from artifactory
+wget --header="Authorization:Bearer ${ARTIFACTORY_TOKEN}" ${OSCAP_REMEDIATION_URL} -O ${OSCAP_REMEDIATION_FILE}
+
+# Login to quay.io
+docker login --username $QUAYIO_USERNAME --password $QUAYIO_PASSWORD quay.io
+if [[ "$TARGET_PLATFORM" == "s390x" || "$TARGET_PLATFORM" == "ppc64le" ]]; then
+ # Before we build the s390x image we need to download some pre-build dependencies from Artifactory
+    echo "in ... $TARGET_PLATFORM"
+    wget --header="Authorization:Bearer $ARTIFACTORY_TOKEN" https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-local/dependencies/rclone/$TARGET_PLATFORM/rclone.tar.gz -O $GITHUB_WORKSPACE/image/cli-base/install/rclone.tar.gz
+    python3 $GITHUB_WORKSPACE/build/bin/python-collect-prebuilt-wheels.py --req-file $GITHUB_WORKSPACE/image/cli-base/install/requirements.txt --dest $GITHUB_WORKSPACE/image/cli-base/install/ --add-dependency cryptography --target-platform $TARGET_PLATFORM
+fi
+# Build the image
+$GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform $TARGET_PLATFORM -b image/cli-base --scap-data-stream ssg-rhel9-ds
+
+# Squash the image layers
+python3 -m pip install docker-squash
+docker-squash --load-image --tag quay.io/ibmmas/cli-base:$DOCKER_TAG-$TARGET_PLATFORM quay.io/ibmmas/cli-base:$DOCKER_TAG-$TARGET_PLATFORM
+
+# List available images
+docker images
+
+# Push the images
+docker push quay.io/ibmmas/cli-base:$DOCKER_TAG-$TARGET_PLATFORM