chore(ci): update docker image and build prod images

- build from go 1.18 base image
- build from distroless image
- update push CI pipeline to build all dist binaries
- update push CI to create docker image
- add pull CI pipeline to run tests for every PR

Author: Farhan Khan

.github/workflows/pull.yml

@@ -0,0 +1,25 @@
+name: pullCI
+
+on: [pull_request]
+
+jobs:
+  build:
+    name: build-and-test
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            go: "1.18"
+            test: true
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go }}
+
+      - uses: actions/checkout@v3
+
+      - name: Test
+        run: make test
+        if: matrix.test

.github/workflows/push.yml

@@ -1,5 +1,13 @@
-name: CI
-on: [push]
+name: pushCI
+
+on:
+  push:
+    branches:
+      - master
+      - release/v*
+    tags:
+      - 'v*'
+
 jobs:
   build-linux:
     name: Build
@@ -21,6 +29,7 @@ jobs:
         run: |
           make test
         shell: bash
+
   build-windows:
     name: Build
     strategy:
@@ -38,3 +47,68 @@ jobs:
         env:
           GO111MODULE: "on"
         run: make all
+
+  binaries:
+      name: Build binaries and notarize sources
+      needs:
+        - build-windows
+        - build-linux
+      runs-on: ubuntu-latest
+      env:
+        JOB_NAME: ${{ github.job }}
+        JOB_ID: ${{ github.run_id }}
+      outputs:
+        matrix: ${{ steps.list-binaries.outputs.matrix }}
+      steps:
+        - uses: actions/setup-go@v3
+          with:
+            go-version: ${{ env.GO_VERSION }}
+        - uses: actions/checkout@v3
+        - name: Build binaries
+          run: make dist
+        - id: list-binaries
+          run: |
+            echo "::set-output name=matrix::$(ls dist | jq -R -s -c 'split("\n")[:-1] | {binary: .}')"
+        - name: Upload binary artifacts
+          uses: actions/upload-artifact@v3
+          with:
+            name: immugw-binaries
+            path: dist
+            retention-days: 5
+        - name: Calculate checksums
+          run: make dist/binary.md
+
+  images:
+      name: Build and notarize Docker Images
+      needs:
+        - binaries
+      runs-on: ubuntu-latest
+      env:
+        JOB_NAME: ${{ github.job }}
+        JOB_ID: ${{ github.run_id }}
+        DOCKER_IMAGE_IMMUGW: "codenotary/immugw"
+        DOCKER_BUILDKIT: "1"
+      steps:
+        - uses: actions/checkout@v3
+        - name: Build docker images
+          shell: bash
+          run: |
+            if [[ "${GITHUB_REF}" =~ ^refs/tags/v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+              VERSION_TAG="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+              VERSION_TAG_SHORT="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
+            fi
+
+            docker build --tag "${DOCKER_IMAGE_IMMUGW}:dev" -f Dockerfile .
+
+            docker login -u "${{ secrets.REGISTRY_USER }}" -p "${{ secrets.REGISTRY_PASS }}"
+
+            docker push "${DOCKER_IMAGE_IMMUGW}:dev"
+
+            if [[ ! -z "$VERSION_TAG" ]]; then
+              for tag in "${VERSION_TAG}" "${VERSION_TAG_SHORT}" "latest"; do
+                docker tag "${DOCKER_IMAGE_IMMUGW}:dev" "${DOCKER_IMAGE_IMMUGW}:${tag}"
+                docker push "${DOCKER_IMAGE_IMMUGW}:${tag}"
+              done
+            fi
+
+            docker logout

Dockerfile

@@ -1,14 +1,16 @@
-FROM golang:1.13-stretch as build
+FROM golang:1.18 as build
 WORKDIR /src
+COPY go.mod go.sum /src/
+RUN go mod download
 COPY . .
 RUN GOOS=linux GOARCH=amd64 make immugw-static
-FROM ubuntu:18.04
-MAINTAINER vChain, Inc.  <[email protected]>
+RUN mkdir /empty
 
-COPY --from=build /src/immugw /usr/sbin/immugw
+FROM gcr.io/distroless/base:nonroot
+LABEL org.opencontainers.image.authors="Codenotary Inc. <[email protected]>"
 
-ARG IMMU_UID="3323"
-ARG IMMU_GID="3323"
+WORKDIR /usr/sbin
+COPY --from=build /src/immugw /usr/sbin/immugw
 
 ENV IMMUGW_DIR="/var/lib/immudb" \
     IMMUGW_ADDRESS="0.0.0.0" \
@@ -24,16 +26,10 @@ ENV IMMUGW_DIR="/var/lib/immudb" \
     IMMUGW_AUDIT_USERNAME="" \
     IMMUGW_AUDIT_PASSWORD=""
 
-RUN addgroup --system --gid $IMMU_GID immu && \
-    adduser --system --uid $IMMU_UID --no-create-home --ingroup immu immu && \
-    mkdir -p "$IMMUGW_DIR" && \
-    chown -R immu:immu "$IMMUGW_DIR" && \
-    chmod -R 777 "$IMMUGW_DIR" && \
-    chmod +x /usr/sbin/immugw
+COPY --from=build --chown=nonroot:nonroot /empty "$IMMUGW_DIR"
 
 EXPOSE 3323
 EXPOSE 9476
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "/usr/sbin/immugw", "version" ]
-USER immu
 ENTRYPOINT ["/usr/sbin/immugw"]

Makefile

@@ -100,4 +100,8 @@ dist/binary.md:
 		printf "[$$ff](https://github.com/codenotary/immugw/releases/download/v${VERSION}/$$ff) | $$shm_id \n" ; \
 	done
 
+.PHONY: dist
+dist: dist/binaries
+	@echo 'Binaries generation complete. Now vcn signature is needed.'
+
 ########################## releases scripts end ########################################################################