workflows: container refactor and promotion to release (#4610)

* documentation: update readme for container images

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: initial workflow refactor

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: comment tweak

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: test specific version of PR image

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: align name for PR jobs

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* documentation: combine Windows documentation

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* windows: more skips for appveyor

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* documentation: update readme for container images

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: initial workflow refactor

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: comment tweak

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: test specific version of PR image

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: align name for PR jobs

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* documentation: combine Windows documentation

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* windows: more skips for appveyor

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: skopeo sync updates

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: use native skopeo in action

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: comments

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: container release signing

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: add debug images to signing

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: linting fix

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* dockerfiles: add missing debug image

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* dockerfiles: add missing debug image

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* documentation: add multi-arch info

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* dockerfiles: remove busybox

Signed-off-by: Patrick Stephens <pat@calyptia.com>

* workflows: ignore more CVEs

Signed-off-by: Patrick Stephens <pat@calyptia.com>

Author: patrick-stephens

.github/containerscan/allowedlist.yaml

@@ -14,9 +14,12 @@ general:
     - CVE-2020-1751
     - CVE-2020-1752
     - CVE-2021-3326
+    - CVE-2021-3999
     - CVE-2020-16156
     - CVE-2021-33560
     - CVE-2021-43618
+    - CVE-2022-23218
+    - CVE-2022-23219
   bestPracticeViolations:
     # Fatal
     - DKL-DI-0005 # Clear apt-get caches

.github/workflows/call-build-images.yaml

@@ -115,7 +115,8 @@ jobs:
         images: ${{ inputs.registry }}/${{ inputs.image }}
         tags: |
           raw,x86_64-${{ inputs.version }}-debug
-          raw,x86_64-latest
+          raw,{{ inputs.version }}-debug
+          raw,latest-debug
 
     - name: Build the debug staging image
       uses: docker/build-push-action@v2

.github/workflows/master-integration-test.yaml

@@ -11,8 +11,8 @@ jobs:
       ref: ${{ github.sha }}
       registry: ghcr.io
       username: ${{ github.actor }}
-      image: ${{ github.repository }}
-      image-tag: x86_64-master
+      image: ${{ github.repository }}/master
+      image-tag: x86_64
       environment: integration
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
@@ -31,8 +31,8 @@ jobs:
     needs: master-integration-test-build
     uses: calyptia/fluent-bit-ci/.github/workflows/reusable-integration-test-gcp.yaml@main
     with:
-      image_name: ghcr.io/${{ github.repository }}
-      image_tag: x86_64-master
+      image_name: ghcr.io/${{ github.repository }}/master
+      image_tag: x86_64
     secrets:
       grafana_username: ${{ secrets.GRAFANA_USERNAME }}
       terraform_api_token: ${{ secrets.TF_API_TOKEN }}

.github/workflows/pr-closed-docker.yaml

@@ -6,17 +6,10 @@ on:
     types: [closed]
 jobs:
   cleanup:
+    name: PR - cleanup pr-${{ github.event.number }} images
     runs-on: ubuntu-latest
     steps:
       - uses: bots-house/ghcr-delete-image-action@v1.0.1
-        with:
-          owner: fluent
-          name: fluent-bit
-          token: ${{ secrets.GITHUB_TOKEN }}
-          tag: x86_64-master-pr-${{ github.event.number }}
-
-      - uses: bots-house/ghcr-delete-image-action@v1.0.1
-        if: always()
         with:
           owner: fluent
           name: fluent-bit/pr-${{ github.event.number }}

.github/workflows/pr-fuzz.yaml

@@ -6,7 +6,8 @@ on:
       - '**.c'
       - '**.h'
 jobs:
-  Fuzzing:
+  fuzzing:
+    name: PR - fuzzing test
     runs-on: ubuntu-latest
     steps:
     - name: Build Fuzzers

.github/workflows/pr-image-tests.yaml

@@ -6,7 +6,7 @@ on:
 
 jobs:
     pr-get-latest-tag:
-      name: PR get latest tag for source build
+      name: PR - get latest tag for source build
       runs-on: ubuntu-latest
       environment: pr
       outputs:
@@ -26,6 +26,7 @@ jobs:
             flags: 'g'
 
     pr-image-tests-build-images:
+      name: PR - build images
       uses: fluent/fluent-bit/.github/workflows/call-build-images.yaml@master
       needs: pr-get-latest-tag
       with:
@@ -38,14 +39,14 @@ jobs:
         token: ${{ secrets.GITHUB_TOKEN }}
 
     pr-image-tests-smoke-test-images:
-      name: Multi-arch images smoke tests
-      needs: pr-image-tests-build-images
+      name: PR - smoke test images
+      needs: [pr-get-latest-tag, pr-image-tests-build-images]
       uses: fluent/fluent-bit/.github/workflows/call-test-images.yaml@master
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         image: ${{ github.repository }}/pr-${{ github.event.number }}
-        image-tag: latest
+        image-tag: ${{ needs.pr-get-latest-tag.outputs.latest_tag }}
         environment: pr
       secrets:
         token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-integration-test.yaml

@@ -11,22 +11,22 @@ on:
       - synchronize
 jobs:
   pr-integration-test-build:
-    name: PR - integration build
+    name: PR - GCP build
     # We only need to test this once as the rest are chained from it.
     if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
     uses: fluent/fluent-bit/.github/workflows/call-integration-image-build.yaml@master
     with:
       ref: ${{ github.event.pull_request.head.sha }}
       registry: ghcr.io
       username: ${{ github.actor }}
-      image: ${{ github.repository }}
-      image-tag: x86_64-master-pr-${{ github.event.number }}
+      image: ${{ github.repository }}/pr-${{ github.event.number }}
+      image-tag: x86_64
       environment: integration
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
 
   pr-integration-test-build-complete:
-    name: PR - build complete
+    name: PR - GCP build complete
     runs-on: ubuntu-latest
     needs: pr-integration-test-build
     steps:
@@ -42,7 +42,7 @@ jobs:
           docker pull $IMAGE
           docker save --output /tmp/pr-image.tar $IMAGE
         env:
-          IMAGE: ghcr.io/${{ github.repository }}:x86_64-master-pr-${{ github.event.pull_request.number }}
+          IMAGE: ghcr.io/${{ github.repository }}/pr-${{ github.event.pull_request.number }}:x86_64
         shell: bash
 
       - name: Upload artifact
@@ -57,16 +57,16 @@ jobs:
     needs: pr-integration-test-build
     uses: calyptia/fluent-bit-ci/.github/workflows/reusable-integration-test-gcp.yaml@main
     with:
-      image_name: ghcr.io/${{ github.repository }}
-      image_tag: x86_64-master-pr-${{ github.event.pull_request.number }}
+      image_name: ghcr.io/${{ github.repository }}/pr-${{ github.event.pull_request.number }}
+      image_tag: x86_64
     secrets:
       grafana_username: ${{ secrets.GRAFANA_USERNAME }}
       terraform_api_token: ${{ secrets.TF_API_TOKEN }}
       gcp_service_account_key: ${{ secrets.GCP_SA_KEY }}
       grafana_password: ${{ secrets.GRAFANA_PASSWORD }}
 
   pr-integration-test-run-integration-post-label:
-    name: PR - test complete
+    name: PR - GCP test complete
     runs-on: ubuntu-latest
     needs: pr-integration-test-run-integration-gcp
     steps:

.github/workflows/pr-labels.yaml

@@ -5,7 +5,7 @@ on:
       - opened
 jobs:
   apply-default-labels:
-    name: apply default labels
+    name: PR - apply default labels
     runs-on: ubuntu-latest
     steps:
       - uses: actions-ecosystem/action-add-labels@v1

.github/workflows/pr-lint.yaml

@@ -7,18 +7,18 @@ jobs:
 
   hadolint-pr:
     runs-on: ubuntu-latest
-    name: Hadolint
+    name: PR - Hadolint
     steps:
       - uses: actions/checkout@v2
-        # Ignores do no work: https://github.com/reviewdog/action-hadolint/issues/35 is resolved
+        # Ignores do not work: https://github.com/reviewdog/action-hadolint/issues/35 is resolved
       - uses: reviewdog/action-hadolint@v1
         with:
           exclude: |
             packaging/testing/smoke/packages/Dockerfile.*
 
   shellcheck-pr:
     runs-on: ubuntu-latest
-    name: Shellcheck
+    name: PR - Shellcheck
     steps:
       - uses: actions/checkout@v2
       - uses: ludeeus/action-shellcheck@master
@@ -27,7 +27,7 @@ jobs:
 
   actionlint-pr:
     runs-on: ubuntu-latest
-    name: Actionlint
+    name: PR - Actionlint
     steps:
       - uses: actions/checkout@v2
       - run: |

.github/workflows/pr-stale.yaml

@@ -5,6 +5,7 @@ on:
 
 jobs:
   stale:
+    name: PR - mark stale
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v3

.github/workflows/staging-build.yaml

@@ -60,7 +60,7 @@ jobs:
       version: ${{ needs.staging-build-get-version.outputs.version }}
       registry: ghcr.io
       username: ${{ github.actor }}
-      image: ${{ github.repository }}
+      image: ${{ github.repository }}/staging
       environment: staging
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}