refactore: markfile and release.yml adjustments for SLSA.

Author: NickChungSUSE

.github/workflows/release.yml

@@ -19,56 +19,30 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
-    - name: Read secrets
-      env:
-        DOCKER_REPO: ${{ secrets.DOCKER_REPO }}
-        DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        PRIME_REGISTRY: ${{ secrets.PRIME_REGISTRY }}
-        PRIME_REPO: ${{ secrets.PRIME_REPO }}
-        PRIME_REGISTRY_USERNAME: ${{ secrets.PRIME_REGISTRY_USERNAME }}
-        PRIME_REGISTRY_PASSWORD: ${{ secrets.PRIME_REGISTRY_PASSWORD }}
-      run: |
-        echo "DOCKER_REPO=$DOCKER_REPO" >> $GITHUB_ENV
-        echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_ENV
-        echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_ENV
-        echo "PRIME_REGISTRY=$PRIME_REGISTRY" >> $GITHUB_ENV
-        echo "PRIME_REPO=$PRIME_REPO" >> $GITHUB_ENV
-        echo "PRIME_REGISTRY_USERNAME=$PRIME_REGISTRY_USERNAME" >> $GITHUB_ENV
-        echo "PRIME_REGISTRY_PASSWORD=$PRIME_REGISTRY_PASSWORD" >> $GITHUB_ENV
+
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
     - name: Publish manifest
       uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        image: manager
+        image: registry-adapter
         tag: ${{ github.ref_name }}
         platforms: linux/amd64,linux/arm64
 
         public-registry: docker.io
-        public-repo: ${{ env.DOCKER_REPO }}
+        public-repo: neuvector
         public-username: ${{ env.DOCKER_USERNAME }}
         public-password: ${{ env.DOCKER_PASSWORD }}
 
         prime-registry: ${{ env.PRIME_REGISTRY }}
-        prime-repo: ${{ env.PRIME_REPO }}
+        prime-repo: rancher
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
-        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
-
-    # TODO: For experiment only
-    - name: Login to registry [Public]
-      uses: docker/login-action@v3
-      with:
-        registry: docker.io
-        username: nickchungsuse
-        password: ${{ secrets.DOCKER_PASSWORD }}
-    - name: Login to registry [Prime]
-      uses: docker/login-action@v3
-      with:
-        registry: docker.io
-        username: nickchungsuse
-        password: ${{ secrets.PRIME_REGISTRY_PASSWORD }}
-    - name: Retag
-      shell: bash
-      run: |
-        docker buildx imagetools create -t nickchungsuse/manager:latest nickchungsuse/manager:${{ github.ref_name }}
-        docker buildx imagetools create -t nickchungsuse/manager:1 nickchungsuse/manager:${{ github.ref_name }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

Makefile

@@ -36,21 +36,7 @@ jar:
 RUNNER := docker
 IMAGE_BUILDER := $(RUNNER) buildx
 MACHINE := neuvector
-BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max --cache-to type=gha --cache-from type=gha
 DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
-TARGET_PLATFORMS ?= linux/amd64
-
-CURRENT_OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-CURRENT_ARCH := $(shell uname -m)
-
-# Convert architecture names to match Docker's convention
-ifeq ($(CURRENT_ARCH),x86_64)
-    CURRENT_ARCH := amd64
-else ifeq ($(CURRENT_ARCH),aarch64)
-    CURRENT_ARCH := arm64
-endif
-
-REPO ?= nickchungsuse
 
 COMMIT = $(shell git rev-parse --short HEAD)
 ifeq ($(VERSION),)
@@ -90,11 +76,35 @@ ifeq ($(TAG),)
 	endif
 endif
 
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+STAGE_DIR=stage
+REPO ?= neuvector
+IMAGE = $(REPO)/manager:$(TAG)
+BUILD_ACTION = --load
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max --cache-to type=gha --cache-from type=gha
+
+stage_init:
+	rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR}
+	mkdir -p ${STAGE_DIR}/usr/local/bin/
+	mkdir -p ${STAGE_DIR}/licenses/
+	mkdir -p ${STAGE_DIR}/usr/lib/jvm/java-17-openjdk/lib/security/
+
 buildx-machine:
 	docker buildx ls
 	@docker buildx ls | grep $(MACHINE) || \
 	docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
 
+test-image:
+	# Instead of loading image, target all platforms, effectivelly testing
+	# the build for the target architectures.
+	$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
+build-image: buildx-machine ## build (and load) the container image targeting the current platform.
+	$(IMAGE_BUILDER) build -f build/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) \
+		--build-arg VERSION=$(VERSION) -t "$(IMAGE)" $(BUILD_ACTION) .
+	@echo "Built $(IMAGE)"
+
 push-image: stage_init buildx-machine
 	$(IMAGE_BUILDER) build -f build/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \

build/Dockerfile

@@ -1,8 +1,6 @@
 # Builder image
 FROM registry.suse.com/bci/openjdk:17 AS builder
 
-ARG VERSION
-ARG COMMIT
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -74,6 +72,8 @@ RUN cd /chroot/usr/bin/ && \
     unlink watch
 
 FROM micro
+ARG VERSION
+ARG COMMIT
 WORKDIR /
 COPY --from=base /chroot/ /
 COPY --from=base /usr/sbin/useradd /usr/sbin