From 889172ca763cf3c4d8e88a6f0c94e6f6ce9203d4 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Fri, 21 Mar 2025 17:54:42 +1100 Subject: [PATCH 01/13] Add gokakashi scanning in CI --- .../ndc-nodejs-lambda-connector.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index d99b12d..7330373 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -112,6 +112,26 @@ jobs: tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} + - name: Get first docker tag for gokakashi + id: first-docker-tag + run: | + FIRST_TAG=$(echo "${{ steps.docker-metadata.outputs.tags }}" | head -n 1) + echo "First docker tag: $FIRST_TAG" + echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT + + - name: Scan docker image with gokakashi + uses: shinobistack/gokakashi-action@v0.1.1 + with: + image: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.first-docker-tag.outputs.tag }} + labels: agentKey=${{ github.run_id }} + policy: ci-platform + server: https://gokakashi-server.hasura-app.io + token: ${{ secrets.GOKAKASHI_API_TOKEN }} + cf_client_id: ${{ secrets.CF_ACCESS_CLIENT_ID }} + cf_client_secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }} + interval: 10 + retries: 8 + release-connector: name: Release connector defaults: From f83457579e782315ca4c5f7b29a127bc8c4ea553 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Fri, 21 Mar 2025 17:58:04 +1100 Subject: [PATCH 02/13] Fix image tag --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 7330373..f2e195d 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml 
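Review bot: `uses: shinobistack/gokakashi-action@v0.1.1` hands three secrets (`GOKAKASHI_API_TOKEN`, `CF_ACCESS_CLIENT_ID`, `CF_ACCESS_CLIENT_SECRET`) to a third-party action referenced by a mutable tag, so anyone who can move that tag in the upstream repository can exfiltrate them on the next run; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: shinobistack/gokakashi-action@<40-char commit sha> # v0.1.1`, and apply the same pinning to the other third-party actions this series introduces. The `Get first docker tag for gokakashi` step also splices `${{ steps.docker-metadata.outputs.tags }}` straight into the shell script; the restricted docker tag charset makes injection unlikely here, but the safer habit is to pass it through `env:` (e.g. `TAGS: ${{ steps.docker-metadata.outputs.tags }}`) and read `"$TAGS"` in the script. Quoting `"$GITHUB_OUTPUT"` costs nothing while you are there. The enclosing job definition starts outside this hunk.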
@@ -122,7 +122,7 @@ jobs: - name: Scan docker image with gokakashi uses: shinobistack/gokakashi-action@v0.1.1 with: - image: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.first-docker-tag.outputs.tag }} + image: ${{ steps.first-docker-tag.outputs.tag }} labels: agentKey=${{ github.run_id }} policy: ci-platform server: https://gokakashi-server.hasura-app.io From 4e6b6eed64bf43a4425360027a0386c9a084dbd9 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Fri, 21 Mar 2025 18:19:02 +1100 Subject: [PATCH 03/13] Separate building and pushing docker images --- .../workflows/ndc-nodejs-lambda-connector.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index f2e195d..0106bcc 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -102,15 +102,16 @@ jobs: shell: bash working-directory: ./ndc-lambda-sdk - - uses: docker/build-push-action@v6 + - name: Build docker image + uses: docker/build-push-action@v6 with: context: . build-args: | CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} - push: ${{ startsWith(github.ref, 'refs/tags/v') }} platforms: linux/amd64,linux/arm64 tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} + load: true # Load the image into Docker so gokakashi can scan it - name: Get first docker tag for gokakashi id: first-docker-tag 
@@ -132,6 +133,18 @@ jobs: interval: 10 retries: 8 + - name: Push docker image + uses: docker/build-push-action@v6 + if: ${{ startsWith(github.ref, 'refs/tags/v') }} + with: + context: . + build-args: | + CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }} + platforms: linux/amd64,linux/arm64 + tags: ${{ steps.docker-metadata.outputs.tags }} + labels: ${{ steps.docker-metadata.outputs.labels }} + push: true + release-connector: name: Release connector defaults: From f40996319e6f0d2d3099989a2cd7de710a49e18e Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 11:52:01 +1100 Subject: [PATCH 04/13] Try enabling containerd --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 0106bcc..da008da 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -75,6 +75,19 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Set up containerd + uses: crazy-max/ghaction-setup-containerd@v3 + + - name: Set up Docker with containerd + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "features": { + "containerd-snapshotter": true + } + } + - name: Set up QEMU uses: docker/setup-qemu-action@v3 From 39a9e9f3555c3c3bccc373fad4870d0bc5d0b84b Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:02:43 +1100 Subject: [PATCH 05/13] Add some debugging output --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index da008da..c8b7b30 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml 
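Review bot: The new `Push docker image` step rebuilds the image with a second `docker/build-push-action@v6` invocation instead of publishing the artifact that was just scanned, so the scan result covers the pushed bytes only if the build is fully reproducible — a `FROM` line without a digest or a dependency install that is not lockfile-driven can resolve differently between the two steps, and the published image would then never have been scanned. At minimum give the two steps `id: build` and `id: push` and fail the job when `steps.build.outputs.digest` differs from `steps.push.outputs.digest` (assuming the action populates `digest` for a non-pushed build), with the caveat that this only detects the gap after the push has already happened. The stronger fix is to build once, scan that object, and copy the same object to the registry (for example an exported OCI archive pushed with skopeo or crane), or at least pin base images by digest so the rebuild is deterministic. The enclosing job definition starts outside this hunk.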
@@ -88,6 +88,12 @@ jobs: } } + - name: debug + run: | + ls -al /run/containerd/ + ls -al + id + - name: Set up QEMU uses: docker/setup-qemu-action@v3 From 29c755aea28bfa1fc26dd2f1d94c01f61489076c Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:05:41 +1100 Subject: [PATCH 06/13] Try again --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index c8b7b30..c0f0c7e 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -90,9 +90,9 @@ jobs: - name: debug run: | - ls -al /run/containerd/ - ls -al id + sudo ls -al /var/run/docker.sock + sudo ls -al /run/containerd/ - name: Set up QEMU uses: docker/setup-qemu-action@v3 From e37f7780621fd086ff607ba1cf347beb53248866 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:09:48 +1100 Subject: [PATCH 07/13] Try changing socket permissions --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index c0f0c7e..23b2a06 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -88,8 +88,9 @@ jobs: } } - - name: debug + - name: Fix containerd socket permissions run: | + sudo chgrp docker /run/containerd/containerd.sock id sudo ls -al /var/run/docker.sock sudo ls -al /run/containerd/ From 0940aa303c72dcab0e0734c3a2c72a36c7ecb485 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:17:41 +1100 Subject: [PATCH 08/13] More debugging --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
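Review bot: `sudo chgrp docker /run/containerd/containerd.sock` grants every member of the docker group read/write access to the containerd API, which is generally treated as root-equivalent on the host (the same trust level as `docker.sock`), and the step gives no indication that this was a deliberate trade-off. On an ephemeral GitHub-hosted runner the runner user is typically already in the docker group, so the added exposure is small, but the step should say so; a comment along the lines of `# containerd.sock defaults to root:root 0660; ctr and the scanner run as the runner user (docker group). Root-equivalent access — acceptable on an ephemeral hosted runner, do not copy to shared self-hosted runners.` would stop this being cargo-culted elsewhere. Consider also guarding with `test -S /run/containerd/containerd.sock` so a setup-containerd failure surfaces here rather than as an obscure error in a later step.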
diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 23b2a06..d191dc8 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -91,9 +91,6 @@ jobs: - name: Fix containerd socket permissions run: | sudo chgrp docker /run/containerd/containerd.sock - id - sudo ls -al /var/run/docker.sock - sudo ls -al /run/containerd/ - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -133,6 +130,10 @@ jobs: labels: ${{ steps.docker-metadata.outputs.labels }} load: true # Load the image into Docker so gokakashi can scan it + - name: Debug docker image + run: | + ctr images ls + - name: Get first docker tag for gokakashi id: first-docker-tag run: | From 60033b47ca78c645ffcda76ad4c597e60e3aa4d6 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:23:40 +1100 Subject: [PATCH 09/13] Debug again --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index d191dc8..99a0542 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -132,6 +132,9 @@ jobs: - name: Debug docker image run: | + echo "-- Docker Images --" + docker images ls + echo "-- containerd Images --" ctr images ls - name: Get first docker tag for gokakashi From c33572d870ab7a0ad6d7d1c47dd1f651f0e5f2bf Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:26:10 +1100 Subject: [PATCH 10/13] Typo --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 99a0542..13209b0 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml 
+++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -133,7 +133,7 @@ jobs: - name: Debug docker image run: | echo "-- Docker Images --" - docker images ls + docker image ls echo "-- containerd Images --" ctr images ls From 87d805564cd06666ad4cc2eeff79bf04bd9ff554 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:34:20 +1100 Subject: [PATCH 11/13] Try manually exporting and importing the image to containerd --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 13209b0..7b065c4 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -128,7 +128,11 @@ jobs: platforms: linux/amd64,linux/arm64 tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} - load: true # Load the image into Docker so gokakashi can scan it + outputs: type=oci,dest=/tmp/image.tar # Export the image to a tar so it can be imported into containerd so gokakashi can scan it + + - name: Import docker image into containerd store + run: | + ctr images import --base-name ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} --digests --all-platforms /tmp/image.tar - name: Debug docker image run: | From be74da9c66e707de283ea57b2ec9d96d661d72ab Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 12:50:54 +1100 Subject: [PATCH 12/13] Remove debug, add artifact uploading --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 7b065c4..7b6d4c8 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml 
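Review bot: The `Import docker image into containerd store` step interpolates `${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}` into the shell line even though, assuming they come from a workflow or job `env:` block as the `env.` context implies, both are already exported to the shell; reading them as variables avoids the expression-to-shell pattern and keeps the argument quotable: `ctr images import --base-name "$DOCKER_REGISTRY/$DOCKER_IMAGE_NAME" --digests --all-platforms /tmp/image.tar`. Nothing in this hunk establishes that the import produces the exact reference the scan step later requests via `steps.first-docker-tag.outputs.tag`; passing that tag in through `env:` and checking `ctr images ls -q | grep -Fx "$SCAN_TAG"` immediately after the import would fail fast with a clear message instead of leaving the scanner to report an unknown image. Since `--all-platforms` imports both linux/amd64 and linux/arm64 variants, it is also worth confirming which platform the scanner actually inspects rather than assuming it covers both.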
@@ -134,13 +134,6 @@ jobs: run: | ctr images import --base-name ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} --digests --all-platforms /tmp/image.tar - - name: Debug docker image - run: | - echo "-- Docker Images --" - docker image ls - echo "-- containerd Images --" - ctr images ls - - name: Get first docker tag for gokakashi id: first-docker-tag run: | @@ -161,6 +154,12 @@ jobs: interval: 10 retries: 8 + - name: Upload Trivy report as artifact + uses: actions/upload-artifact@v4 + with: + name: trivy-report + path: /tmp/trivy-report-*.json + - name: Push docker image uses: docker/build-push-action@v6 if: ${{ startsWith(github.ref, 'refs/tags/v') }} From 2cca8dcffccd03ae278830d5d7447d2a45870761 Mon Sep 17 00:00:00 2001 From: Daniel Chambers Date: Mon, 24 Mar 2025 13:03:17 +1100 Subject: [PATCH 13/13] Don't bother configuring docker to use containerd --- .github/workflows/ndc-nodejs-lambda-connector.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml index 7b6d4c8..8eb393c 100644 --- a/.github/workflows/ndc-nodejs-lambda-connector.yaml +++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml @@ -78,16 +78,6 @@ jobs: - name: Set up containerd uses: crazy-max/ghaction-setup-containerd@v3 - - name: Set up Docker with containerd - uses: docker/setup-docker-action@v4 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - name: Fix containerd socket permissions run: | sudo chgrp docker /run/containerd/containerd.sock
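Review bot: The new `Upload Trivy report as artifact` step has no `if:` condition, so it only runs when every preceding step succeeded — if the gokakashi scan step fails (presumably the mechanism that keeps a vulnerable image from reaching the push step), the report is skipped in exactly the case where someone needs to read it; add `if: ${{ !cancelled() }}` (or `always()`) to the step. The glob `/tmp/trivy-report-*.json` also assumes the action writes its report there, which nothing in this workflow establishes, so set the report path explicitly on the scan step if the action supports it, or at least add `if-no-files-found: error` so a silent path mismatch is noticed. Because this artifact is a vulnerability inventory of an unreleased image and is downloadable by anyone who can read the repository's workflow runs, consider a short `retention-days:` and checking the repository's visibility before relying on it.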