Add docker image (#627)

* Add docker build * create multi-platform dockerfile * install from release page * fix github workflow syntax * test for ATMOS_VERSION * lint the dockerfile * fix github workflow syntax * output summary * output summary * add sarif * add sarif * combine layers * Ignore version pinning * fix input parameters * need release
cloudposse · Jun 26, 2024 · 291a782 · 291a782
1 parent a605e74
commit 291a782
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,6 +6,13 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  attestations: write
+  contents: write
+  id-token: write
+  pull-requests: write
+  packages: write
+
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
@@ -27,3 +34,36 @@ jobs:
           formula-path: Formula/a/atmos.rb
         env:
           COMMITTER_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+
+  docker:
+    name: "Build and push Docker image for Atmos CLI"
+    runs-on: ubuntu-latest
+    needs: release
+    steps:
+      - name: "Checkout source code at current commit"
+        uses: actions/checkout@v4
+
+      - name: "Docker Build"
+        id: build
+        uses: cloudposse/github-action-docker-build-push@main
+        with:
+          registry: ghcr.io
+          organization: "${{ github.event.repository.owner.login }}"
+          repository: "${{ github.event.repository.name }}"
+          login: "${{ github.actor }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile
+          build-args: |
+            ATMOS_VERSION=${{ github.event.release.tag_name }}
+
+      - name: "Verify Image"
+        run: |
+            docker pull ${{ steps.build.outputs.image }}:${{ steps.build.outputs.tag}}
+
+      - name: "Job Summary"
+        run: |
+          echo "## Docker Image Summary" >> $GITHUB_STEP_SUMMARY
+          echo '```json' >> $GITHUB_STEP_SUMMARY
+          docker inspect ${{ steps.build.outputs.image }}:${{ steps.build.outputs.tag}}  >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -86,6 +86,35 @@ jobs:
       format: binary
     secrets: inherit
 
+  docker:
+    name: "Docker Lint"
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - uses: hadolint/hadolint-action@v3.1.0
+      id: hadolint
+      with:
+        dockerfile: Dockerfile
+        failure-threshold: warning
+        format: sarif
+        output-file: hadolint.sarif
+        # https://github.com/hadolint/hadolint?tab=readme-ov-file#rules
+        # DL3008 Pin versions in apt-get install
+        ignore: DL3008
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: hadolint.sarif
+        # Optional category for the results (used to differentiate multiple results for one commit)
+        category: hadolint
+        wait-for-processing: true
+
   # run localstack demo tests
   localstack:
     name: "[localstack] ${{ matrix.demo-folder }}"

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,42 @@
+# Use a base image with platform specification
+FROM --platform=$BUILDPLATFORM debian:bookworm-slim
+
+# Define the arguments for Atmos version and platforms
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG ATMOS_VERSION
+
+# Check if ATMOS_VERSION is set
+RUN if [ -z "$ATMOS_VERSION" ]; then echo "ERROR: ATMOS_VERSION argument must be set" && exit 1; fi
+
+# Set SHELL to use bash and enable pipefail
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+
+RUN set -ex; \
+    # Update the package list
+    apt-get update; \
+    # Install curl and git
+    apt-get -y install  --no-install-recommends curl git ca-certificates; \
+    # Install the Cloud Posse Debian repository
+    curl -1sLf 'https://dl.cloudsmith.io/public/cloudposse/packages/cfg/setup/bash.deb.sh' | bash -x; \
+    # Install OpenTofu
+    curl -1sSLf 'https://get.opentofu.org/install-opentofu.sh' | bash -s -- --root-method none --install-method deb; \
+    # Install Kustomize binary (required by Helmfile)
+    curl -1sSLf "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s -- /usr/local/bin; \
+    # Install toolchain used with Atmos \
+    apt-get -y install --no-install-recommends terraform kubectl helmfile helm; \
+    # Install the helm-diff plugin required by Helmfile
+    helm plugin install https://github.com/databus23/helm-diff; \
+    # Clean up the package lists to keep the image clean
+    rm -rf /var/lib/apt/lists/*
+
+# Install Atmos from the GitHub Release
+RUN case ${TARGETPLATFORM} in \
+        "linux/amd64") OS=linux; ARCH=amd64 ;; \
+        "linux/arm64") OS=linux; ARCH=arm64 ;; \
+        *) echo "Unsupported platform: ${TARGETPLATFORM}" && exit 1 ;; \
+    esac && \
+    ATMOS_VERSION=${ATMOS_VERSION#v} && \
+    echo "Downloading Atmos v${ATMOS_VERSION} for ${OS}/${ARCH}" && \
+    curl -1sSLf "https://github.com/cloudposse/atmos/releases/download/v${ATMOS_VERSION}/atmos_${ATMOS_VERSION}_${OS}_${ARCH}" -o /usr/local/bin/atmos && \
+    chmod +x /usr/local/bin/atmos