Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
.git
.github
ci
main_test.go
vault-init
5 changes: 3 additions & 2 deletions .github/workflows/github-release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,9 @@ on:
jobs:
release:
if: github.event.pull_request.merged == true && !contains(github.event.pull_request.title, 'skip-release')
uses: libops/.github/.github/workflows/bump-release.yaml@main
uses: libops/.github/.github/workflows/bump-release.yaml@578137212ead4ab4059e95df17fa30e9b7ac4aed
with:
workflow_file: goreleaser.yaml
permissions:
contents: write
actions: write
secrets: inherit
49 changes: 44 additions & 5 deletions .github/workflows/goreleaser.yaml
Original file line number Diff line number Diff line change
@@ -1,32 +1,71 @@
name: goreleaser

on:
workflow_dispatch:
push:
tags:
- "*"

permissions:
contents: write
contents: read

jobs:
test:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
with:
go-version-file: go.mod

- name: Verify tagged source
run: |
go mod download
go mod verify
go mod tidy -diff
go test -race ./...

goreleaser:
needs: test
runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
fetch-depth: 0
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
with:
go-version: ">=1.25.6"
go-version-file: go.mod

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7
with:
distribution: goreleaser
version: latest
version: v2.17.0
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

publish-images:
if: github.ref_type == 'tag'
needs:
- test
- goreleaser
uses: ./.github/workflows/lint-test-build-push.yml
permissions:
contents: read
id-token: write
packages: write
secrets:
GCLOUD_OIDC_POOL: ${{ secrets.GCLOUD_OIDC_POOL }}
GSA: ${{ secrets.GSA }}
118 changes: 107 additions & 11 deletions .github/workflows/lint-test-build-push.yml
Original file line number Diff line number Diff line change
@@ -1,30 +1,126 @@
name: build-push

on:
workflow_call:
secrets:
GCLOUD_OIDC_POOL:
required: false
GSA:
required: false
pull_request:
push:
branches:
- main
workflow_dispatch:

permissions:
contents: read

jobs:
test:
permissions:
contents: read
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
persist-credentials: false

- uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
with:
go-version-file: go.mod

- name: Verify dependencies
run: |
go mod download
go mod verify
go mod tidy -diff

- name: Check GoReleaser configuration
uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7
with:
distribution: goreleaser
version: v2.17.0
args: check

- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
- name: Lint
uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9
with:
go-version: ">=1.25.3"
version: v2.12.2

- uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
- name: Test
run: go test -race ./...

- name: Test with the Go CLI
run: go test -v -race ./...
image-check:
if: github.event_name == 'pull_request'
strategy:
fail-fast: false
matrix:
runner:
- ubuntu-24.04
- ubuntu-24.04-arm
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
persist-credentials: false

- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3

- name: Resolve native platform
id: platform
run: |
set -euo pipefail
case "$RUNNER_ARCH" in
X64) platform=amd64 ;;
ARM64) platform=arm64 ;;
*) echo "Unsupported runner architecture: $RUNNER_ARCH" >&2; exit 1 ;;
esac
echo "name=$platform" >> "$GITHUB_OUTPUT"

- name: Build native image without credentials
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
context: .
load: true
platforms: linux/${{ steps.platform.outputs.name }}
provenance: false
push: false
tags: vault-init:ci-${{ steps.platform.outputs.name }}

- name: Scan native image
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: vault-init:ci-${{ steps.platform.outputs.name }}
format: table
exit-code: "1"
ignore-unfixed: true
severity: HIGH,CRITICAL
vuln-type: os,library

build-push:
needs: [test]
uses: libops/.github/.github/workflows/build-push.yaml@main
if: always() && github.event_name == 'pull_request'
needs:
- test
- image-check
uses: libops/.github/.github/workflows/pr-status.yaml@578137212ead4ab4059e95df17fa30e9b7ac4aed
permissions: {}
with:
needs-json: ${{ toJSON(needs) }}

publish:
if: github.event_name != 'pull_request'
needs: test
uses: libops/.github/.github/workflows/build-push.yaml@578137212ead4ab4059e95df17fa30e9b7ac4aed
with:
docker-registry: "libops"
ref: ${{ github.sha }}
expected-main-sha: ${{ github.ref == 'refs/heads/main' && github.sha || '' }}
additional-gar-registry: us-docker.pkg.dev/libops-images/public
scan: true
sign: true
certificate-identity: https://github.com/libops/.github/.github/workflows/build-push.yaml@578137212ead4ab4059e95df17fa30e9b7ac4aed
permissions:
contents: read
id-token: write
packages: write
secrets: inherit
secrets:
GCLOUD_OIDC_POOL: ${{ secrets.GCLOUD_OIDC_POOL }}
GSA: ${{ secrets.GSA }}
15 changes: 9 additions & 6 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
before:
hooks:
- go mod tidy
version: 2

builds:
- binary: vault-init
env:
- CGO_ENABLED=0
ldflags:
- -s -w -X main.version={{ .Version }}
goos:
- linux
- windows
- darwin

archives:
- format: tar.gz
- formats:
- tar.gz
# this name template makes the OS and Arch compatible with the results of uname.
name_template: >-
{{ .ProjectName }}_
Expand All @@ -23,11 +25,12 @@ archives:
# use zip for windows archives
format_overrides:
- goos: windows
format: zip
formats:
- zip
checksum:
name_template: "checksums.txt"
snapshot:
name_template: "{{ incpatch .Version }}-next"
version_template: "{{ incpatch .Version }}-next"
changelog:
sort: asc
filters:
Expand Down
23 changes: 13 additions & 10 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
FROM golang:1.25.6@sha256:ce63a16e0f7063787ebb4eb28e72d477b00b4726f79874b3205a965ffd797ab2 AS builder
FROM ghcr.io/libops/go:1.26.5@sha256:ea764e85e42a243217c621891123b3fda9374674c29d59785414fc6b15815b3d AS builder

ENV GO111MODULE=on \
CGO_ENABLED=0 \
GOOS=linux \
GOARCH=amd64
SHELL ["/bin/ash", "-o", "pipefail", "-ex", "-c"]

ENV CGO_ENABLED=0 \
GOOS=linux

ARG GIT_BRANCH=devel

WORKDIR /src

Expand All @@ -12,15 +14,16 @@ RUN --mount=type=cache,target=/go/pkg/mod \
go mod download

COPY main.go .
RUN go build \
-a \
RUN --mount=type=cache,target=/root/.cache/go-build \
go build \
-trimpath \
-ldflags "-s -w -extldflags '-static'" \
-tags 'osusergo netgo static_build' \
-ldflags "-s -w -X main.version=${GIT_BRANCH}" \
-tags "osusergo netgo" \
-o /bin/vault-init \
.

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /bin/vault-init /bin/vault-init
CMD ["/bin/vault-init"]
USER 65532:65532
ENTRYPOINT ["/bin/vault-init"]
Loading
Loading