Merge pull request #1 from ministryofjustice/initial-container

Initial Container

.github/workflows/build.yml

@@ -0,0 +1,64 @@
+---
+name: "Build Image"
+
+on:
+  push:
+    branches-ignore:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Lint Containerfile
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: Containerfile
+
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        platform: [ amd64 ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        id: setup_qemu
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        id: setup_buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build Container
+        id: build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Containerfile
+          platforms: linux/${{ matrix.platform }}
+          load: true
+          tags: ministryofjustice/hmpps-ems-actions-toolkit:latest-${{ matrix.platform }}
+
+      - name: Scan Container
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          image: ministryofjustice/hmpps-ems-actions-toolkit:latest-${{ matrix.platform }}
+          fail-build: true
+          severity-cutoff: critical
+          acs-report-enable: true
+
+      - name: Upload Anchore scan SARIF report
+        id: upload_serif_report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/latest.yml

@@ -0,0 +1,62 @@
+---
+name: "Build and Push Latest"
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  build-push-latest:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Set up QEMU
+        id: setup_qemu
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        id: setup_buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to GitHub Container Registry
+        id: ghcr_login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Publish Containers to GitHub Container Registry
+        id: build_publish
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Containerfile
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:latest
+
+      - name: Sign Containers
+        id: sign_containers
+        run: |
+          cosign sign --recursive ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:latest
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Verify Containers
+        id: verify_containers
+        run: |
+          cosign verify ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:latest
+        env:
+          COSIGN_EXPERIMENTAL: 1

.github/workflows/release.yml

@@ -0,0 +1,62 @@
+---
+name: "Build and Push Release"
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  build-push-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Set up QEMU
+        id: setup_qemu
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        id: setup_buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to GitHub Container Registry
+        id: ghcr_login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Publish Containers to GitHub Container Registry
+        id: build_publish
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Containerfile
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:${{ github.ref_name }}
+
+      - name: Sign Containers
+        id: sign_containers
+        run: |
+          cosign sign --recursive ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:${{ github.ref_name }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Verify Containers
+        id: verify_containers
+        run: |
+          cosign verify ghcr.io/ministryofjustice/hmpps-ems-actions-toolkit:${{ github.ref_name }}
+        env:
+          COSIGN_EXPERIMENTAL: 1

.grype.yaml

@@ -0,0 +1,3 @@
+ignore:
+  - package:
+      location: /usr/local/bin/terragrunt

Containerfile

@@ -0,0 +1,12 @@
+FROM public.ecr.aws/ubuntu/ubuntu:20.04
+
+LABEL org.opencontainers.image.authors="HMPPS EMS Platform Team ([email protected])" \
+      org.opencontainers.image.vendor="Ministry of Justice" \
+      org.opencontainers.image.title="actions-toolkit" \
+      org.opencontainers.image.description="Actions Toolkit" \
+      org.opencontainers.image.source="https://github.com/ministryofjustice/hmpps-ems-container-actions-toolkit" \
+      org.opencontainers.image.licenses="MIT License"
+
+COPY src/root/build.sh /root/build.sh
+
+RUN bash /root/build.sh

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Crown Copyright (Ministry of Justice)
+Copyright (c) 2022 Crown Copyright (Ministry of Justice)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,15 +1,2 @@
-# Ministry of Justice Template Repository
+# HMPPS EMS Actions Toolkit
 
-Use this template to [create a repository] with the default initial files for a Ministry of Justice Github repository, including:
-
-* The correct LICENSE
-* Github actions
-* .gitignore file
-
-Once you have created your repository, please:
-
-* Edit the copy of this README.md file to document your project
-* Grant permissions to the appropriate MoJ teams
-* Setup branch protection
-
-[create a repository]: https://github.com/ministryofjustice/template-repository/generate

src/root/build.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+set -x
+
+####################
+# Variables
+####################
+DEBIAN_FRONTEND="noninteractive"
+
+CFN_LINT_VERSION="0.58.0" # https://github.com/aws-cloudformation/cfn-lint/releases
+AWSCLI_VERSION="2.4.14" # https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst
+KUBECTL_VERSION="v1.23.3" # https://storage.googleapis.com/kubernetes-release/release/stable.txt
+KUBELINTER_VERSION="0.2.5" # https://github.com/stackrox/kube-linter/releases
+HELM_VERSION="v3.8.0" # https://github.com/helm/helm/releases
+KD_VERSION="v1.19.13" # https://github.com/UKHomeOffice/kd/releases
+TERRAFORM_VERSION="1.1.4" # https://github.com/hashicorp/terraform/releases
+TERRAGRUNT_VERSION="v0.36.1" # https://github.com/gruntwork-io/terragrunt/releases
+TFLINT_VERSION="v0.34.1" # https://github.com/terraform-linters/tflint/releases
+TFSEC_VERSION="v1.0.8" # https://github.com/aquasecurity/tfsec/releases
+
+####################
+# Functions
+####################
+setArch() {
+  if [[ "$( uname -m )" == "x86_64" ]]; then
+    export ARCH="$( uname -m )"
+    export ALT_ARCH="amd64"
+  elif [[ "$( uname -m )" == "aarch64" ]]; then
+    export ARCH="$( uname -m )"
+    export ALT_ARCH="arm64"
+  else
+    echo "$( uname -m ) is not supported - Exiting."
+    exit 1
+  fi
+}
+
+aptPackages() {
+  apt update
+  apt upgrade --yes
+  apt install --yes \
+    apt-transport-https \
+    ca-certificates \
+    curl \
+    git-crypt \
+    lsb-release \
+    python3 \
+    python3-pip \
+    unzip \
+    zip
+}
+
+pipPackages() {
+  python3 -m pip install --upgrade pip
+  python3 -m pip install --no-cache \
+    cfn-lint==${CFN_LINT_VERSION}
+}
+
+awsCli() {
+  curl https://awscli.amazonaws.com/awscli-exe-linux-${ARCH}-${AWSCLI_VERSION}.zip \
+    --output awscliv2.zip
+  unzip -q awscliv2.zip
+  bash aws/install
+  rm --force --recursive aws awscliv2.zip
+}
+
+kubectl() {
+  curl --location https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ALT_ARCH}/kubectl \
+    --output /usr/local/bin/kubectl
+  chmod +x /usr/local/bin/kubectl
+}
+
+helm() {
+  curl --location https://get.helm.sh/helm-${HELM_VERSION}-linux-${ALT_ARCH}.tar.gz \
+    --output helm-${HELM_VERSION}-linux-${ALT_ARCH}.tar.gz
+  tar --gzip --extract --verbose --file helm-${HELM_VERSION}-linux-${ALT_ARCH}.tar.gz
+  mv linux-${ALT_ARCH}/helm /usr/local/bin/helm
+  rm --force --recursive linux-${ALT_ARCH} helm-${HELM_VERSION}-linux-${ALT_ARCH}.tar.gz
+}
+
+kd() {
+  curl --location https://github.com/UKHomeOffice/kd/releases/download/v${KD_VERSION}/kd_linux_amd64 \
+    --output /usr/local/bin/kd
+  chmod +x /usr/local/bin/kd
+}
+
+kubeLinter() {
+  curl --location https://github.com/stackrox/kube-linter/releases/download/${KUBELINTER_VERSION}/kube-linter-linux.zip \
+    --output kube-linter-linux.zip
+  unzip -q kube-linter-linux.zip
+  mv kube-linter /usr/local/bin/kube-linter
+  rm --force --recursive kube-linter-linux.zip
+}
+
+terraform() {
+  curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${ALT_ARCH}.zip \
+    --output terraform.zip
+  unzip -q terraform.zip
+  mv terraform /usr/local/bin/terraform
+  rm --force --recursive terraform.zip
+}
+
+terragrunt() {
+  curl --location https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_${ALT_ARCH} \
+    --output /usr/local/bin/terragrunt
+  chmod +x /usr/local/bin/terragrunt
+}
+
+tflint() {
+  curl --location https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_${ALT_ARCH}.zip \
+    --output tflint_linux_${ALT_ARCH}.zip
+  unzip -q tflint_linux_${ALT_ARCH}.zip
+  mv tflint /usr/local/bin/tflint
+  rm --force --recursive tflint_linux_${ALT_ARCH}.zip
+}
+
+tfsec() {
+  curl --location https://github.com/aquasecurity/tfsec/releases/download/${TFSEC_VERSION}/tfsec-linux-${ALT_ARCH} \
+    --output /usr/local/bin/tfsec
+  chmod +x /usr/local/bin/tfsec
+}
+
+cleanup() {
+  rm --force --recursive /var/lib/{apt,dpkg}
+}
+
+####################
+# Main
+####################
+setArch
+aptPackages
+pipPackages
+awsCli
+kubectl
+helm
+kubeLinter
+terraform
+terragrunt
+tflint
+tfsec
+cleanup