From abe0954dcb6c629c8896d3fbb3d1cf74f6281d1e Mon Sep 17 00:00:00 2001
From: Carol Valencia <8355621+krol3@users.noreply.github.com>
Date: Mon, 21 Dec 2020 06:10:02 -0500
Subject: [PATCH] feat: github actions to publish ecr and docker (#782)

* feat: github actions to publish ecr and docker

* fix: yaml lint in build

Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>
---
 .github/workflow/build.yml       | 38 +++++++++++++++++++++++
 .github/workflow/publish-ecr.yml | 37 +++++++++++++++++++++++
 .github/workflow/publish.yml     | 52 ++++++++++++++++++++++++++++++++
 .github/workflow/release.yml     | 29 ++++++++++++++++++
 README.md                        | 11 +++++++
 5 files changed, 167 insertions(+)
 create mode 100644 .github/workflow/build.yml
 create mode 100644 .github/workflow/publish-ecr.yml
 create mode 100644 .github/workflow/publish.yml
 create mode 100644 .github/workflow/release.yml

diff --git a/.github/workflow/build.yml b/.github/workflow/build.yml
new file mode 100644
index 0000000..f32ff13
--- /dev/null
+++ b/.github/workflow/build.yml
@@ -0,0 +1,38 @@
+name: Build
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+      - "NOTICE"
+  pull_request:
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+      - "NOTICE"
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.15
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
+      - name: Run unit tests
+        run: make tests
+      - name: Upload code coverage
+        uses: codecov/codecov-action@v1
+        with:
+          file: ./coverage.txt
+      - name: Dry-run release snapshot
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: v0.148.0
+          args: release --snapshot --skip-publish --rm-dist
diff --git a/.github/workflow/publish-ecr.yml b/.github/workflow/publish-ecr.yml
new file mode 100644
index 0000000..c6014e8
--- /dev/null
+++ b/.github/workflow/publish-ecr.yml
@@ -0,0 +1,37 @@
+name: Publish-ECR
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  deploy:
+    name: Publish to Amazon ECR
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Install AWS Cli 2.0
+        run: |
+          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+          unzip awscliv2.zip
+          sudo ./aws/install
+      - name: Get the version
+        id: vars
+        run: echo ::set-output name=tag::$(echo ${GITHUB_REF:10})
+      - name: Publish to ECR
+        env:
+          IMAGE_TAG: ${{steps.vars.outputs.tag}}
+          REP_NAME: kube-bench
+          ALIAS: aquasecurity
+        run: |
+          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/$ALIAS
+          docker build -t $REP_NAME:$IMAGE_TAG .
+          docker tag $REP_NAME:$IMAGE_TAG public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG
+          docker push public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG
diff --git a/.github/workflow/publish.yml b/.github/workflow/publish.yml
new file mode 100644
index 0000000..7279e6d
--- /dev/null
+++ b/.github/workflow/publish.yml
@@ -0,0 +1,52 @@
+name: Publish
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  publish:
+    name: Publish
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check Out Repo
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: aquasec/kube-bench
+          tag-semver: |
+            {{version}}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/386
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags: |
+            ${{ steps.docker_meta.outputs.tags }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          labels: ${{ steps.docker_meta.outputs.labels }}
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/.github/workflow/release.yml b/.github/workflow/release.yml
new file mode 100644
index 0000000..e1991f4
--- /dev/null
+++ b/.github/workflow/release.yml
@@ -0,0 +1,29 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.15
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Run unit tests
+        run: make tests
+      - name: Upload code coverage
+        uses: codecov/codecov-action@v1
+        with:
+          file: ./coverage.txt
+      - name: Release
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: v0.148.0
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index 00439b9..4656264 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,22 @@
+[![GitHub Release][release-img]][release]
+![Downloads][download]
+![Docker Pulls][docker-pull]
+[![Go Report Card][report-card-img]][report-card]
 [![Build Status](https://travis-ci.org/aquasecurity/kube-bench.svg?branch=main)](https://travis-ci.org/aquasecurity/kube-bench)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
 [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
 [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
 [![Coverage Status][cov-img]][cov]
 
+[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
+[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
+[release]: https://github.com/aquasecurity/kube-bench/releases
+[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
 [cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
 [cov]: https://codecov.io/github/aquasecurity/kube-bench
+[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
+[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench
+
 <img src="images/kube-bench.png" width="200" alt="kube-bench logo">
 
 kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).