refactor: Separated build workflows for forwarder and installer

Author: vicenteherrera

.github/workflows/build.yaml renamed to .github/workflows/build-forwarder.yaml

@@ -1,35 +1,23 @@
-name: Lint, test and security scan
+name: Build workflow - Forwarder
 on: 
   push:
     branches:
       - master
+    paths:
+      - .github/workflows/build-forwarder.yml
+      - AKSKubeAuditReceiverSolution/
   pull_request:
     branches:
       - master
-  page_build:
+    paths:
+      - .github/workflows/build-forwarder.yml
+      - AKSKubeAuditReceiverSolution/
   workflow_dispatch:
   release:
     types:
       - published
 
 jobs:
-  check_bash_installer:
-    name: Bash shell lint check
-    if: github.event_name != 'release'
-    # This action fails for release event because it can't find the commit SHA
-    runs-on: ubuntu-16.04
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-      - name: Bash shell lint check with shellcheck
-        uses: reviewdog/action-shellcheck@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-check
-          level: error
-          pattern: '*.sh'
-          path: '.'
-          exclude: './test/*'
 
   check_yaml:
     name: YAML lint check
@@ -76,8 +64,8 @@ jobs:
       - name: Dotnet test solution
         run: dotnet test AKSKubeAuditReceiverSolution/AKSKubeAuditReceiver.sln
 
-  sysdig_dockerfile_cis_benchmark_forwarder:
-    name: Sysdig Dockerfile CIS benchmark - Forwarder
+  sysdig_dockerfile_cis_benchmark:
+    name: Sysdig Dockerfile CIS benchmark
     needs: [check_yaml, check_dotnet]
     runs-on: ubuntu-16.04
     steps:
@@ -108,87 +96,26 @@ jobs:
           curl -X POST -s https://app.sysdigcloud.com/api/events -H 'Content-Type: application/json; charset=UTF-8' -H 'Authorization: Bearer '"${SYSDIG_SECURE_TOKEN}"'' -d '{"event":{"name":"CIS Dockerfile Benchmark - PR: '"${PR_TITLE}"' ","description":"'"${reportString}"'","severity":"6"}}' --compressed
           echo "###"
 
-  sysdig_dockerfile_cis_benchmark_installer:
-    name: Sysdig Dockerfile CIS benchmark - Installer
-    needs: [check_bash_installer]
-    runs-on: ubuntu-16.04
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-      - name: Sysdig CIS dockerfile benchmark
-        uses: sysdiglabs/benchmark-dockerfile@v1.0.0
-        id: cis_dockerfile_benchmark
-        with:
-          directory: './build'
-          dockerfilePattern: 'Dockerfile'
-          disallowedPackages: 'netcat'
-          secretPatterns: 'aws_secret,pass'    
-      - name: Post run Sysdig CIS dockerfile benchmark
-        env:
-          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          PR_SHA: ${{ github.event.pull_request.head.sha }}
-          PR_OWNER: ${{ github.event.pull_request.head.user.login }}
-        run: |
-          echo "###"
-          echo "{\"pr_name\": \"${PR_TITLE}\", \"pr_sha\": \"${PR_SHA}\", \"pr_owner\": \"${PR_OWNER}\"}" > /tmp/report.json
-          echo ${{ toJSON(steps.cis_dockerfile_benchmark.outputs.violation_report) }} > /tmp/report
-          reportString=$(sed 's/"/\\"/g' /tmp/report)
-          echo $reportString
-          # send result to Sysdig monitor
-          curl -X POST -s https://app.sysdigcloud.com/api/events -H 'Content-Type: application/json; charset=UTF-8' -H 'Authorization: Bearer '"${SYSDIG_SECURE_TOKEN}"'' -d '{"event":{"name":"CIS Dockerfile Benchmark - PR: '"${PR_TITLE}"' ","description":"'"${reportString}"'","severity":"6"}}' --compressed
-          echo "###"
-
-
-  sysdig_image_scan_forwarder:
-    name: Sysdig image scan - Forwarder
+  sysdig_image_scan:
+    name: Sysdig image scan
     needs: [check_yaml, check_dotnet]
     runs-on: ubuntu-16.04
     steps:
       - name: Checkout repo
         uses: actions/checkout@v2      
       - name: Build the Docker image
-        run: docker build -f ./AKSKubeAuditReceiverSolution/AKSKubeAuditReceiver/Dockerfile ./AKSKubeAuditReceiverSolution --tag sysdiglabs/aks-audit-log-forwarder
+        run: |
+          docker build -f ./AKSKubeAuditReceiverSolution/AKSKubeAuditReceiver/Dockerfile \
+            ./AKSKubeAuditReceiverSolution --tag sysdiglabs/aks-audit-log-forwarder
       - name: Sysdig Secure inline image scan
         uses: sysdiglabs/scan-action@v2
         with:
           image-tag: "sysdiglabs/aks-audit-log-forwarder"
           sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
 
-  sysdig_image_scan_installer:
-    name: Sysdig image scan - Installer
-    needs: [check_bash_installer]
-    runs-on: ubuntu-16.04
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2      
-      - name: Build the Docker image
-        run: docker build -f ./build/Dockerfile . --tag sysdiglabs/aks-audit-log-installer
-      - name: Pull Sysdig inline scan
-        run: docker pull sysdiglabs/secure-inline-scan:2
-      - name: Run Sysdig inline image scan
-        id: run_sysdig_inline_scan
-        env:
-          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-        run: |
-          docker run sysdiglabs/secure-inline-scan:2 -s https://secure.sysdig.com -k $SYSDIG_SECURE_TOKEN sysdiglabs/aks-audit-log-installer \
-            | tee sysdig_image_scan_installer_result.txt
-          SCAN_RESULT=${PIPESTATUS[0]}
-          echo "::set-output name=SCAN_RESULT::$SCAN_RESULT"
-          echo "Scan finished with result: $SCAN_RESULT"
-      - name: Scan result
-        env:
-          SCAN_RESULT: ${{ steps.run_sysdig_inline_scan.outputs.SCAN_RESULT }}
-        run: |
-          cat sysdig_image_scan_installer_result.txt
-          echo "Scan result: $SCAN_RESULT"
-          # exit $SCAN_RESULT
-
-  publish_images:
-    name: Publish container images to registries
-    needs: [sysdig_image_scan_forwarder]
-    # We do not depend on scan of installer as check_shell can't run on release,
-    # and scan for installer result is skipped
+  publish_image:
+    name: Publish container image to registries
+    needs: [sysdig_image_scan]
     runs-on: ubuntu-16.04    
     if: github.event_name == 'release'
     steps:
@@ -217,22 +144,13 @@ jobs:
           echo "Version tag: $VERSION_TAG"
           VERSION_MAJOR=$(echo $VERSION_TAG | sed 's/[^0-9]*\([0-9]\+\).*/\1/')
           VERSION_FULL=$(echo $VERSION_TAG | sed 's/[^0-9]*\([0-9]\+.*\)/\1/')
+          [ -z $VERSION_FULL ] VERSION_FULL="master"
+          [ -z $VERSION_MAJOR ] VERSION_FULL="master"
           echo "Version major: $VERSION_MAJOR"
           echo "Version full: $VERSION_FULL"
           echo "::set-output name=VERSION_MAJOR::$VERSION_MAJOR"
           echo "::set-output name=VERSION_FULL::$VERSION_FULL"
-      - name: Build and push - Installer
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./build/Dockerfile
-          platforms: linux/amd64
-          push: true
-          tags: |
-            sysdiglabs/aks-audit-log-installer:latest
-            sysdiglabs/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_MAJOR }}
-            sysdiglabs/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_FULL }}
-      - name: Build and push - Forwarder
+      - name: Build and push
         uses: docker/build-push-action@v2
         with:
           context: AKSKubeAuditReceiverSolution/

.github/workflows/build-installer.yaml

@@ -0,0 +1,165 @@
+name: Build workflow - Installer
+on: 
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/build-installer.yml
+      - build/Dockerfile
+      - ./*.sh
+      - ./*.in
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/build-installer.yml
+      - build/Dockerfile
+      - ./*.sh
+      - ./*.in
+  workflow_dispatch:
+  release:
+    types:
+      - published
+
+jobs:
+  check_bash:
+    name: Bash shell lint check
+    if: github.event_name == 'push' || github.event_name == 'pull_request'
+    # This action fails for events that are not 'push' or 'pull_request' because it can't find the commit SHA
+    runs-on: ubuntu-16.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Bash shell lint check with shellcheck
+        uses: reviewdog/action-shellcheck@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-check
+          level: error
+          pattern: '*.sh'
+          path: '.'
+          exclude: './test/*'
+
+  check_yaml:
+    name: YAML lint check
+    runs-on: ubuntu-16.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: 'Yaml lint'
+        uses: karancode/yamllint-github-action@master
+        with:
+          yamllint_file_or_dir: './*.yaml*'
+          yamllint_strict: false
+          yamllint_comment: true
+        env:
+          GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  sysdig_dockerfile_cis_benchmark:
+    name: Sysdig Dockerfile CIS benchmark
+    needs: [check_yaml]
+    runs-on: ubuntu-16.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+      - name: Sysdig CIS dockerfile benchmark
+        uses: sysdiglabs/benchmark-dockerfile@v1.0.0
+        id: cis_dockerfile_benchmark
+        with:
+          directory: './build'
+          dockerfilePattern: 'Dockerfile'
+          disallowedPackages: 'netcat'
+          secretPatterns: 'aws_secret,pass'    
+      - name: Post run Sysdig CIS dockerfile benchmark
+        env:
+          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+          PR_OWNER: ${{ github.event.pull_request.head.user.login }}
+        run: |
+          echo "###"
+          echo "{\"pr_name\": \"${PR_TITLE}\", \"pr_sha\": \"${PR_SHA}\", \"pr_owner\": \"${PR_OWNER}\"}" > /tmp/report.json
+          echo ${{ toJSON(steps.cis_dockerfile_benchmark.outputs.violation_report) }} > /tmp/report
+          reportString=$(sed 's/"/\\"/g' /tmp/report)
+          echo $reportString
+          # send result to Sysdig monitor
+          curl -X POST -s https://app.sysdigcloud.com/api/events -H 'Content-Type: application/json; charset=UTF-8' -H 'Authorization: Bearer '"${SYSDIG_SECURE_TOKEN}"'' -d '{"event":{"name":"CIS Dockerfile Benchmark - PR: '"${PR_TITLE}"' ","description":"'"${reportString}"'","severity":"6"}}' --compressed
+          echo "###"
+
+  sysdig_image_scan:
+    name: Sysdig image scan
+    needs: [check_yaml]
+    runs-on: ubuntu-16.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2      
+      - name: Build the Docker image
+        run: docker build -f ./build/Dockerfile . --tag sysdiglabs/aks-audit-log-installer
+      - name: Pull Sysdig inline scan
+        run: docker pull sysdiglabs/secure-inline-scan:2
+      - name: Run Sysdig inline image scan
+        id: run_sysdig_inline_scan
+        env:
+          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+        run: |
+          docker run sysdiglabs/secure-inline-scan:2 -s https://secure.sysdig.com -k $SYSDIG_SECURE_TOKEN sysdiglabs/aks-audit-log-installer \
+            | tee sysdig_image_scan_result.txt
+          SCAN_RESULT=${PIPESTATUS[0]}
+          echo "::set-output name=SCAN_RESULT::$SCAN_RESULT"
+          echo "Scan finished with result: $SCAN_RESULT"
+      - name: Scan result
+        env:
+          SCAN_RESULT: ${{ steps.run_sysdig_inline_scan.outputs.SCAN_RESULT }}
+        run: |
+          cat sysdig_image_scan_result.txt
+          echo "Scan result: $SCAN_RESULT"
+          # exit $SCAN_RESULT
+
+  publish_images:
+    name: Publish container images to registries
+    needs: [sysdig_image_scan]
+    runs-on: ubuntu-16.04    
+    if: github.event_name == 'release'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1 
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1 
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.CR_PAT_PKG }}
+      - name: Prepare version labels
+        id: prepare_version_labels
+        env:
+          VERSION_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          echo "Version tag: $VERSION_TAG"
+          VERSION_MAJOR=$(echo $VERSION_TAG | sed 's/[^0-9]*\([0-9]\+\).*/\1/')
+          VERSION_FULL=$(echo $VERSION_TAG | sed 's/[^0-9]*\([0-9]\+.*\)/\1/')
+          [ -z $VERSION_FULL ] VERSION_FULL="master"
+          [ -z $VERSION_MAJOR ] VERSION_FULL="master"
+          echo "Version major: $VERSION_MAJOR"
+          echo "Version full: $VERSION_FULL"
+          echo "::set-output name=VERSION_MAJOR::$VERSION_MAJOR"
+          echo "::set-output name=VERSION_FULL::$VERSION_FULL"
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./build/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+            sysdiglabs/aks-audit-log-installer:latest
+            sysdiglabs/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_MAJOR }}
+            sysdiglabs/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_FULL }}