feat: Add initial version

Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>
fluent · Oct 5, 2022 · 88b52b3 · 88b52b3
1 parent e497c99
commit 88b52b3
Show file tree

Hide file tree

Showing 19 changed files with 729 additions and 25 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,7 @@
+# Ignore everything
+*
+
+# Allow files and directories
+!fluent.conf
+!fluent.yaml
+!entrypoint.sh
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,13 @@
+# All
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+end_of_line = lf
+max_line_length = off
+
+# Markdown uses whitespace for formatting
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,3 @@
+* text=auto eol=lf
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml
@@ -0,0 +1,144 @@
+name: Commit
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Build OCI Image
+    permissions: write-all
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [alpine, debian]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76
+
+      - name: Run Hadolint
+        id: hadolint
+        uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+        continue-on-error: true
+        with:
+          dockerfile: ./${{ matrix.os }}.dockerfile
+          format: sarif
+          output-file: hadolint.sarif
+          no-fail: false
+
+      - name: Upload Hadolint SARIF report
+        uses: github/codeql-action/upload-sarif@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
+        with:
+          category: hadolint
+          sarif_file: hadolint.sarif
+
+      - name: Generate OCI image metadata
+        id: metadata
+        uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a
+        with:
+          flavor: |
+            latest=false
+          images: |
+            ghcr.io/${{ github.repository }}
+            docker.io/${{ github.repository }}
+          tags: |
+            type=raw,value=${{ matrix.os }}-main
+            type=raw,value=main,enable=${{ matrix.os == 'alpine' }}
+          labels: |
+            org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
+            org.opencontainers.image.authors=Fluentd developers <fluentd@googlegroups.com>
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
+
+      - name: Build OCI image
+        id: build
+        uses: docker/build-push-action@c84f38281176d4c9cdb1626ffafcd6b3911b5d94
+        with:
+          file: ./${{ matrix.os }}.dockerfile
+          context: .
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          load: true
+          push: false
+
+      - name: Generate OCI image SBOM
+        uses: anchore/sbom-action@b5042e9d19d8b32849779bfe17673ff84aec702d
+        with:
+          image: "ghcr.io/${{ github.repository }}:${{ matrix.os }}-main"
+          dependency-snapshot: true
+          format: spdx-json
+          artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json
+          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+
+      - name: Scan OCI image SBOM with Grype
+        id: scan
+        uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+        continue-on-error: true
+        with:
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          severity-cutoff: medium
+          output-format: sarif
+          fail-build: true
+
+      - name: Upload Grype SARIF report
+        uses: github/codeql-action/upload-sarif@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
+        with:
+          category: grype
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Fail workflow
+        if: ${{ steps.hadolint.outcome == 'failure' && steps.scan.outcome == 'failure' }}
+        run: |
+          set -euo pipefail
+          echo "::error::Code scanning failed."
+          exit 1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build & push OCI image
+        id: build_push
+        uses: docker/build-push-action@c84f38281176d4c9cdb1626ffafcd6b3911b5d94
+        with:
+          file: ./${{ matrix.os }}.dockerfile
+          context: .
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          load: false
+          push: true
+
+      - name: Sign OCI image
+        env:
+          COSIGN_EXPERIMENTAL: true
+        run: |
+          set -euo pipefail
+          cosign sign --yes --recursive ghcr.io/${{ github.repository }}:main@${{ steps.build_push.outputs.digest }}
+          cosign sign --yes --recursive docker.io/${{ github.repository }}:main@${{ steps.build_push.outputs.digest }}
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -0,0 +1,91 @@
+name: Pull Request
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Build OCI Image
+    permissions: write-all
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [alpine, debian]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
+        with:
+          dockerfile: ./${{ matrix.os }}.dockerfile
+          format: sarif
+          output-file: hadolint.sarif
+          no-fail: true
+
+      - name: Upload Hadolint SARIF report
+        uses: github/codeql-action/upload-sarif@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
+        with:
+          category: hadolint
+          sarif_file: hadolint.sarif
+
+      - name: Generate OCI image metadata
+        id: metadata
+        uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a
+        with:
+          flavor: |
+            latest=false
+          images: |
+            ${{ github.repository }}
+          tags: |
+            type=raw,value=${{ matrix.os }}-local
+          labels: |
+            org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
+            org.opencontainers.image.authors=Fluentd developers <fluentd@googlegroups.com>
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6
+
+      - name: Build OCI image
+        id: build
+        uses: docker/build-push-action@c84f38281176d4c9cdb1626ffafcd6b3911b5d94
+        with:
+          file: ./${{ matrix.os }}.dockerfile
+          context: .
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          load: true
+          push: false
+
+      - name: Generate OCI image SBOM
+        uses: anchore/sbom-action@b5042e9d19d8b32849779bfe17673ff84aec702d
+        with:
+          image: "${{ github.repository }}:${{ matrix.os }}-local"
+          dependency-snapshot: true
+          format: spdx-json
+          artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json
+          output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+
+      - name: Scan OCI image SBOM with Grype
+        id: scan
+        uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+        with:
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          severity-cutoff: medium
+          output-format: sarif
+          fail-build: false
+
+      - name: Upload Grype SARIF report
+        uses: github/codeql-action/upload-sarif@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
+        with:
+          category: grype
+          sarif_file: ${{ steps.scan.outputs.sarif }}