refs platform/#2550: update gcloud version and update github workflow to use the official action templates

.github/workflows/docker-publish.yml

@@ -1,70 +1,108 @@
 name: Docker
 
 on:
-  push:
-    branches:
-      - "master"
   pull_request:
-    branches:
-      - "master"
+  push:
+    branches: master
 
 env:
+  RELEASE_BRANCH: master
+  REGISTRY: ghcr.io
   IMAGE_NAME: spark-k8s-deployer
 
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - name: Build image
-        run: docker build . --file Dockerfile --tag $IMAGE_NAME-test
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # set latest tag for RELEASE_BRANCH branch
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', env.RELEASE_BRANCH) }}
+            type=sha,format=long,prefix=
 
-  test-build-args:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Build image
-        run: docker build . --file Dockerfile --tag $IMAGE_NAME-test-args --build-arg QEMU_ARCHS="aarch64 arm x86_64"
+      - name: Get the Google Cloud CLI image tag
+        id: vars
+        run: |
+          echo "google_cloud_cli_image_tag=$(make print-google-cloud-cli-image-tag)" >> "$GITHUB_OUTPUT"
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          load: true
+          push: false
+          context: .
+          build-args: |
+            GOOGLE_CLOUD_CLI_IMAGE_TAG=${{ steps.vars.outputs.google_cloud_cli_image_tag }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
   deploy:
-    needs: [test, test-build-args]
+    needs: test
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/master'
+    # Only deploy on the main/master branch
+    if: contains('["refs/heads/main", "refs/heads/master"]', github.ref)
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      # Refs https://github.com/docker/login-action#github-container-registry
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+      # We use commit sha here to be as safe as possible with credentials.
+      - name: Log in to the Container registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build image
-        run: docker build . --file Dockerfile --tag $IMAGE_NAME
-
-      - name: Push image to GitHub Container Registry
-        run: |
-          IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
-
-          # Change all uppercase to lowercase.
-          IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-          # Strip git ref prefix from version.
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-
-          # Strip "v" prefix from tag name.
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # set latest tag for RELEASE_BRANCH branch
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', env.RELEASE_BRANCH) }}
+            type=sha,format=long,prefix=
 
-          # Use Docker `latest` tag convention.
-          [ "$VERSION" == "master" ] && VERSION=latest
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-          echo IMAGE_ID=$IMAGE_ID
-          echo VERSION=$VERSION
+      - name: Get the Google Cloud CLI image tag
+        id: vars
+        run: |
+          echo "google_cloud_cli_image_tag=$(make print-google-cloud-cli-image-tag)" >> "$GITHUB_OUTPUT"
 
-          docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
-          docker push $IMAGE_ID:$VERSION
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          context: .
+          build-args: |
+            GOOGLE_CLOUD_CLI_IMAGE_TAG=${{ steps.vars.outputs.google_cloud_cli_image_tag }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH"
+          vuln-type: "os,library"
+          skip-dirs: "/google-cloud-sdk"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"

Dockerfile

@@ -1,6 +1,7 @@
-FROM eu.gcr.io/google.com/cloudsdktool/google-cloud-cli:445.0.0-alpine
+# Define the google cloud sdk image tag to use.
+ARG GOOGLE_CLOUD_CLI_IMAGE_TAG
 
-LABEL org.opencontainers.image.source https://github.com/sparkfabrik/spark-k8s-deployer
+FROM eu.gcr.io/google.com/cloudsdktool/google-cloud-cli:${GOOGLE_CLOUD_CLI_IMAGE_TAG}
 
 # https://github.com/docker/compose/releases
 ENV COMPOSE_VERSION v2.23.1

Makefile

@@ -3,6 +3,7 @@
 # make cli
 #
 DOCKER_VERSION=20.10.5
+GOOGLE_CLOUD_CLI_IMAGE_TAG ?= 458.0.1-alpine
 
 cli: build-docker-image
 	# Run the cli.
@@ -13,10 +14,20 @@ cli: build-docker-image
 	-it sparkfabrik/spark-k8s-deployer:latest bash -il
 
 build-docker-image:
-	docker build -t sparkfabrik/spark-k8s-deployer:latest -f Dockerfile .
+	docker build \
+		-t sparkfabrik/spark-k8s-deployer:latest \
+		--build-arg GOOGLE_CLOUD_CLI_IMAGE_TAG=$(GOOGLE_CLOUD_CLI_IMAGE_TAG) \
+		-f Dockerfile .
 
 build-docker-image-build-args:
-	docker build -t sparkfabrik/spark-k8s-deployer:latest -f Dockerfile . --build-arg QEMU_ARCHS="aarch64 arm x86_64"
+	docker build \
+		-t sparkfabrik/spark-k8s-deployer:latest \
+		--build-arg GOOGLE_CLOUD_CLI_IMAGE_TAG=$(GOOGLE_CLOUD_CLI_IMAGE_TAG) \
+		--build-arg QEMU_ARCHS="aarch64 arm x86_64" \
+		-f Dockerfile .
 
 tests:
 	cd test && DOCKER_VERSION=$(DOCKER_VERSION) docker-compose run --rm docker-client ash -c "sleep 3; docker run --rm hello-world"
+
+print-google-cloud-cli-image-tag:
+	@echo $(GOOGLE_CLOUD_CLI_IMAGE_TAG)