Merge pull request #651 from kwitsch/fb-workflow_rework

GitHub workflow rework
This commit is contained in:
Kwitsch 2022-11-04 20:43:24 +01:00 committed by GitHub
commit 7236ad13cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 319 additions and 103 deletions


@ -1,6 +1,13 @@
bin/
dist/
bin
dist
site
docs
node_modules
.git
.idea
.github
node_modules/
.vscode/
.vscode
.gitignore
*.md
LICENSE
vendor
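Review bot: Excluding `.git` from the build context is the right call for image size and for keeping history out of layers, but it also removes the repository that the Makefile's `VERSION?=$(shell git describe --always --tags)` fallback relies on when `make build` runs inside the Dockerfile. As long as `VERSION` and `BUILD_TIME` are always supplied as `--build-arg` (the `docker-build` target and both workflows in this commit do), nothing changes; a plain `docker build .` without them, however, would run `git describe` in a tree with no repository and bake an empty version (or, depending on how an unset `ARG` reaches the shell environment, the git error) into `util.Version`. Giving the Dockerfile's `ARG VERSION` and `ARG BUILD_TIME` explicit defaults such as `undefined` would make that path fail safe and match the `undefined` placeholders in `util`.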


@ -1,10 +1,12 @@
name: CI Build
on: [push, pull_request]
jobs:
build:
name: Build
make:
name: Test
runs-on: ubuntu-latest
strategy:
matrix:
make: [build, test, race, docker-build, goreleaser]
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v1
@ -16,29 +18,18 @@ jobs:
id: go
- name: Get dependencies
run: |
go get -v -t -d ./...
if [ -f Gopkg.toml ]; then
curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
dep ensure
fi
run: go mod download
- name: Build
run: make build
- name: Test
run: make test
- name: Race detection
run: make race
- name: make ${{ matrix.make }}
run: make ${{ matrix.make }}
if: matrix.make != 'goreleaser'
- name: Upload results to codecov
uses: codecov/codecov-action@v3
- name: Docker images
run: make docker-build
if: matrix.make == 'test'
- name: Check GoReleaser configuration
uses: goreleaser/goreleaser-action@v2
if: matrix.make == 'goreleaser'
with:
args: check
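Review bot: The reworked `make` job declares no `permissions:` block, so every matrix entry runs with the repository's default `GITHUB_TOKEN` grant although nothing here needs more than read access to the checkout; the development workflow in this same commit already sets explicit least-privilege permissions, so for consistency add `permissions:` with `  contents: read` at the top of this file. The actions are also referenced by floating major tags (`actions/checkout@v1`, `codecov/codecov-action@v3`, `goreleaser/goreleaser-action@v2`), which lets a tag move underneath a workflow that runs on every push and pull request; pinning each to a commit SHA with the tag in a trailing comment is the usual hardening, and `checkout@v1` in particular is several majors behind the `@v3` used elsewhere in this commit. The Go setup step between the two hunks is outside this view.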


@ -6,6 +6,7 @@ on:
jobs:
stale:
runs-on: ubuntu-latest
if: github.repository_owner == '0xERR0R'
permissions:
issues: write
pull-requests: write


@ -1,14 +1,58 @@
name: Development docker build
on:
push:
branches:
- development
- fb-*
permissions:
security-events: write
actions: read
contents: read
packages: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
docker:
if: github.repository_owner == '0xERR0R'
check:
name: Check if workflow should run
runs-on: ubuntu-latest
outputs:
enabled: ${{ steps.check.outputs.enabled }}
steps:
- name: Enabled Check
id: check
shell: bash
run: |
ENABLED=${{ secrets.DEVELOPMENT_DOCKER }}
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
ENABLED="true"
fi
if [[ "${ENABLED,,}" != "true" ]]; then
echo "enabled=0" >> $GITHUB_OUTPUT
echo "Workflow is disabled"
echo "### Workflow is disabled" >> $GITHUB_STEP_SUMMARY
echo "To enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> $GITHUB_STEP_SUMMARY
else
echo "enabled=1" >> $GITHUB_OUTPUT
echo "Workflow is enabled"
fi
docker:
name: Build Docker image
runs-on: ubuntu-latest
needs: check
if: ${{ needs.check.outputs.enabled == 1 }}
outputs:
branch: ${{ steps.get_vars.outputs.branch }}
steps:
- name: Checkout
uses: actions/checkout@v3
@ -17,6 +61,8 @@ jobs:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: arm,arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
@ -26,18 +72,23 @@ jobs:
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Extract branch name
- name: Populate build variables
id: get_vars
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
run: |
BRANCH=${GITHUB_REF#refs/heads/}
echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
echo "Branch: ${BRANCH}"
VERSION=$(git describe --always --tags)
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "VERSION: ${VERSION}"
BUILD_TIME=$(date '+%Y%m%d-%H%M%S')
echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT
echo "BUILD_TIME: ${BUILD_TIME}"
- name: Build and push
uses: docker/build-push-action@v3
@ -45,21 +96,109 @@ jobs:
context: .
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
push: true
tags: |
ghcr.io/0xerr0r/blocky:${{ steps.extract_branch.outputs.branch }}
spx01/blocky:${{ steps.extract_branch.outputs.branch }}
cache-from: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache
cache-to: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache,mode=max
tags: ghcr.io/${{ github.repository }}:${{ steps.get_vars.outputs.branch }}
build-args: |
VERSION=${{ steps.get_vars.outputs.version }}
BUILD_TIME=${{ steps.get_vars.outputs.build_time }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan image
uses: anchore/scan-action@v3
id: scan
retag:
name: Add DockerHub tag
runs-on: ubuntu-latest
needs: docker
if: github.repository_owner == '0xERR0R'
steps:
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
image: "spx01/blocky:${{ steps.extract_branch.outputs.branch }}"
fail-build: false
acs-report-enable: true
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
- name: DockerHub tag
shell: bash
run: |
docker pull ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }}
docker tag ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} spx01/blocky:${{ needs.docker.outputs.branch }}
docker push
repo-scan:
name: Repo vulnerability scan
runs-on: ubuntu-latest
needs: check
if: needs.check.outputs.enabled == 1
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-repo-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-repo-results.sarif'
image-scan:
name: Image vulnerability scan
runs-on: ubuntu-latest
needs: docker
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner on Docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }}'
format: 'sarif'
output: 'trivy-image-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-image-results.sarif'
image-test:
name: Test docker images
runs-on: ubuntu-latest
needs: docker
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: arm,arm64
- name: Test images
shell: bash
run: |
echo '::group::Version for linux/amd64'
docker run --rm ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm/v6'
docker run --platform linux/arm/v6 --rm ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm/v7'
docker run --platform linux/arm/v7 --rm ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
echo '::group::Version for linux/arm64'
docker run --platform linux/arm64 --rm ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} version
echo '::endgroup::'
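Review bot: In the new `retag` job the final command `docker push` (right after the `docker tag` line) is issued with no image reference, so as shown the step cannot succeed and the DockerHub tag is never published; presumably it should read `docker push spx01/blocky:${{ needs.docker.outputs.branch }}`. Both Trivy steps use `aquasecurity/trivy-action@master`, a mutable branch ref for a tool that runs under the top-level `security-events: write` grant — pin it to a release tag or commit SHA. The `check` job expands `${{ secrets.DEVELOPMENT_DOCKER }}` directly into the `run:` script, which is the script-injection pattern; move it to an `env:` entry on that step and read `ENABLED="$DEVELOPMENT_DOCKER"` so the value is never parsed as shell. Finally, the top-level `packages: write` and `security-events: write` grants also apply to `retag`, `image-scan` and `image-test`, which only pull images; moving `permissions:` down to the jobs that need each scope is the least-privilege form.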


@ -7,9 +7,8 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository_owner == '0xERR0R'
steps:
- name: Checkout
uses: actions/checkout@v2
@ -36,6 +35,8 @@ jobs:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: arm,arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
@ -53,6 +54,18 @@ jobs:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Populate build variables
id: get_vars
shell: bash
run: |
VERSION=$(git describe --always --tags)
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "VERSION: ${VERSION}"
BUILD_TIME=$(date '+%Y%m%d-%H%M%S')
echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT
echo "BUILD_TIME: ${BUILD_TIME}"
- name: Build and push
uses: docker/build-push-action@v3
with:
@ -61,8 +74,11 @@ jobs:
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
cache-from: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache
cache-to: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache,mode=max
build-args: |
VERSION=${{ steps.get_vars.outputs.version }}
BUILD_TIME=${{ steps.get_vars.outputs.build_time }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
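Review bot: The new `get_vars` step derives the version with `git describe --always --tags`, which only yields a tag-based string if the relevant tags are present in the checkout; with actions/checkout's default shallow fetch, `--always` can silently degrade to a bare short SHA and that is what the build-args below bake into `util.Version`. The checkout step of this job sits between the hunks, so I cannot see whether `fetch-depth: 0` (or a fetch of the triggering tag) is configured — worth confirming, given that the `image-scan` job in the development workflow does set it. The `build` job's body continues outside these hunks.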

3
.gitignore vendored

@ -14,4 +14,5 @@ todo.txt
!docs/config.yml
node_modules
package-lock.json
.vscode/
.vscode/
vendor/


@ -1,49 +1,77 @@
# build stage
FROM golang:1-alpine AS build-env
RUN apk add --no-cache \
build-base \
linux-headers \
coreutils \
binutils \
libtool \
musl-dev \
git \
make \
gcc \
libc-dev \
zip \
ca-certificates \
libcap
# ----------- stage: ca-certs
# get newest certificates in seperate stage for caching
FROM --platform=$BUILDPLATFORM alpine:3.16 AS ca-certs
RUN apk add --no-cache ca-certificates
ENV GO111MODULE=on \
CGO_ENABLED=0
WORKDIR /src
# update certificates and use the apk ones if update fails
RUN --mount=type=cache,target=/etc/ssl/certs \
update-ca-certificates 2>/dev/null || true
# ----------- stage: zig-env
# zig compiler is used for CGO cross compilation
# even though CGO is disabled it is used in the os and net package
FROM --platform=$BUILDPLATFORM ghcr.io/euantorano/zig:master AS zig-env
# ----------- stage: build
FROM --platform=$BUILDPLATFORM golang:1-alpine AS build
# required arguments
ARG VERSION
ARG BUILD_TIME
# auto provided by Docker
# https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
# set working directory
WORKDIR /go/src
# download packages
COPY go.mod go.sum ./
RUN go mod download
RUN --mount=type=cache,target=/go/pkg \
go mod download
# add source
ADD . .
COPY . .
ARG opts
RUN env ${opts} make build-static && \
chown 100 /src/bin/blocky && \
setcap 'cap_net_bind_service=+ep' /src/bin/blocky
# setup go & zig as CGO compiler
COPY --from=zig-env /usr/local/bin/zig /usr/local/bin/zig
ENV PATH="/usr/local/bin/zig:${PATH}" \
CC="zigcc" \
CXX="zigcpp" \
CGO_ENABLED=0 \
GOOS="linux" \
GOARCH=$TARGETARCH \
GO_SKIP_GENERATE=1\
GO_BUILD_FLAGS="-tags static -v " \
BIN_USER=100\
BIN_AUTOCAB=1 \
BIN_OUT_DIR="/bin"
# final stage
# add make & libcap
RUN apk add --no-cache make libcap
# build binary
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg \
make build GOARM=${TARGETVARIANT##*v}
# ----------- stage: final
FROM scratch
LABEL org.opencontainers.image.source="https://github.com/0xERR0R/blocky" \
org.opencontainers.image.url="https://github.com/0xERR0R/blocky" \
org.opencontainers.image.title="DNS proxy as ad-blocker for local network"
COPY --from=build-env /src/bin/blocky /app/blocky
COPY --from=build-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
USER 100
WORKDIR /app
COPY --from=ca-certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /bin/blocky /app/blocky
ENV BLOCKY_CONFIG_FILE=/app/config.yml
ENTRYPOINT ["/app/blocky"]
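Review bot: The `zig-env` stage pulls the C toolchain from `ghcr.io/euantorano/zig:master`, a mutable third-party tag, and its binary is copied into the build stage and wired in as `CC`/`CXX`; whatever that tag points to on a given day becomes part of the toolchain that produces the shipped binary, so pin it by digest (`ghcr.io/euantorano/zig@sha256:…`) or vendor a checked release. Note also that with `CGO_ENABLED=0` set in the same `ENV` block the Go toolchain never invokes `CC`, so either the "used in the os and net package" comment is stale or CGO is expected to be enabled elsewhere — worth clarifying. Separately, in the `ca-certs` stage `--mount=type=cache,target=/etc/ssl/certs` hides the layer's `/etc/ssl/certs` during that `RUN`, so whatever `update-ca-certificates` writes lands in the discarded cache mount and the `COPY --from=ca-certs` below ships exactly the bundle that `apk add ca-certificates` installed; since `update-ca-certificates` only regenerates the bundle from the installed package rather than fetching newer roots, both the mount and the "get newest certificates" comment can go, leaving `RUN apk add --no-cache ca-certificates` as the whole stage.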


@ -1,20 +1,32 @@
#!/usr/bin/env bash
.PHONY: all clean build swagger test lint run fmt docker-build help
.DEFAULT_GOAL:=help
.PHONY: all clean build swagger test lint run help
.DEFAULT_GOAL := help
VERSION := $(shell git describe --always --tags)
BUILD_TIME=$(shell date '+%Y%m%d-%H%M%S')
VERSION?=$(shell git describe --always --tags)
BUILD_TIME?=$(shell date '+%Y%m%d-%H%M%S')
DOCKER_IMAGE_NAME=spx01/blocky
BINARY_NAME=blocky
BIN_OUT_DIR=bin
BINARY_NAME:=blocky
BIN_OUT_DIR?=bin
GOARCH?=$(shell go env GOARCH)
GOARM?=$(shell go env GOARM)
GO_BUILD_FLAGS?=-v
GO_BUILD_LD_FLAGS:=\
-w \
-s \
-X github.com/0xERR0R/blocky/util.Version=${VERSION} \
-X github.com/0xERR0R/blocky/util.BuildTime=${BUILD_TIME} \
-X github.com/0xERR0R/blocky/util.Architecture=${GOARCH}${GOARM}
GO_BUILD_OUTPUT:=$(BIN_OUT_DIR)/$(BINARY_NAME)$(BINARY_SUFFIX)
export PATH=$(shell go env GOPATH)/bin:$(shell echo $$PATH)
all: build test lint ## Build binary (with tests)
clean: ## cleans output directory
$(shell rm -rf $(BIN_OUT_DIR)/*)
rm -rf $(BIN_OUT_DIR)/*
swagger: ## creates swagger documentation as html file
npm install bootprint bootprint-openapi html-inline
@ -26,12 +38,20 @@ serve_docs: ## serves online docs
mkdocs serve
build: ## Build binary
ifdef GO_SKIP_GENERATE
$(info skipping go generate)
else
go generate ./...
go build -v -ldflags="-w -s -X github.com/0xERR0R/blocky/util.Version=${VERSION} -X github.com/0xERR0R/blocky/util.BuildTime=${BUILD_TIME}" -o $(BIN_OUT_DIR)/$(BINARY_NAME)$(BINARY_SUFFIX)
build-static: ## Build static binary
go generate ./...
go build -tags static -v -ldflags="-linkmode external -extldflags -static -X github.com/0xERR0R/blocky/util.Version=${VERSION} -X github.com/0xERR0R/blocky/util.BuildTime=${BUILD_TIME}" -o $(BIN_OUT_DIR)/$(BINARY_NAME)$(BINARY_SUFFIX)
endif
go build $(GO_BUILD_FLAGS) -ldflags="$(GO_BUILD_LD_FLAGS)" -o $(GO_BUILD_OUTPUT)
ifdef BIN_USER
$(info setting owner of $(GO_BUILD_OUTPUT) to $(BIN_USER))
chown $(BIN_USER) $(GO_BUILD_OUTPUT)
endif
ifdef BIN_AUTOCAB
$(info setting cap_net_bind_service to $(GO_BUILD_OUTPUT))
setcap 'cap_net_bind_service=+ep' $(GO_BUILD_OUTPUT)
endif
test: ## run tests
go run github.com/onsi/ginkgo/v2/ginkgo -v --coverprofile=coverage.txt --covermode=atomic -cover ./...
@ -48,8 +68,15 @@ run: build ## Build and run binary
fmt: ## gofmt and goimports all go files
find . -name '*.go' | while read -r file; do gofmt -w -s "$$file"; goimports -w "$$file"; done
docker-build: ## Build docker image
docker buildx build -o type=docker --network=host -t ${DOCKER_IMAGE_NAME} .
docker-build: ## Build docker image
go generate ./...
docker buildx build \
--build-arg VERSION=${VERSION} \
--build-arg BUILD_TIME=${BUILD_TIME} \
--network=host \
-o type=docker \
-t ${DOCKER_IMAGE_NAME} \
.
help: ## Shows help
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
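Review bot: If the second `.PHONY` line is the new one, it drops `fmt` and `docker-build` even though both targets are still defined further down in this file, so a file or directory named `fmt` or `docker-build` in the tree would make `make fmt` / `make docker-build` report "up to date" and do nothing; restore them: `.PHONY: all clean build swagger test lint run fmt docker-build help`. The new `chown $(BIN_USER)` and `setcap` steps in `build` need root (or CAP_CHOWN/CAP_SETFCAP), which holds inside the Dockerfile's build stage but will fail for a developer who exports `BIN_USER`/`BIN_AUTOCAB` locally; a comment above the two `ifdef` blocks such as `# BIN_USER/BIN_AUTOCAB are meant for the container build (runs as root); chown/setcap need elevated privileges` would save confusion.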


@ -21,4 +21,5 @@ func printVersion(_ *cobra.Command, _ []string) {
fmt.Println("blocky")
fmt.Printf("Version: %s\n", util.Version)
fmt.Printf("Build time: %s\n", util.BuildTime)
fmt.Printf("Architecture: %s\n", util.Architecture)
}

2
go.mod

@ -36,7 +36,7 @@ require (
gorm.io/gorm v1.24.1-0.20221019064659-5dd2bb482755
)
require github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
require github.com/dosgo/zigtool v0.0.0-20210923085854-9c6fc1d62198
require (
github.com/Abirdcfly/dupword v0.0.7 // indirect

3
go.sum

@ -67,7 +67,6 @@ github.com/OpenPeeDeeP/depguard v1.1.1/go.mod h1:JtAMzWkmFEzDPyAd+W0NHl1lvpQKTvT
github.com/abice/go-enum v0.5.1 h1:a2dVcyIbTynnQofqRug+cBbf54XBliKcvBcyv9Ek0Rk=
github.com/abice/go-enum v0.5.1/go.mod h1:fyoDuELC37hr1sfecEaKEwS+bwiJfmtyixNaKH3dhdQ=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@ -142,6 +141,8 @@ github.com/denis-tingaikin/go-header v0.4.3 h1:tEaZKAlqql6SKCY++utLmkPLd6K8IBM20
github.com/denis-tingaikin/go-header v0.4.3/go.mod h1:0wOCWuN71D5qIgE2nz9KrKmuYBAC2Mra5RassOIQ2/c=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
github.com/dosgo/zigtool v0.0.0-20210923085854-9c6fc1d62198 h1:3b37D/Oxs95GmDsGKNx21aBYWF270emHjqUExsAL01g=
github.com/dosgo/zigtool v0.0.0-20210923085854-9c6fc1d62198/go.mod h1:NUrh34aXXgbs4C2HkTmRmkzsKhtrFPRitYkbZMDDONo=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=


@ -7,6 +7,8 @@ package tools
import (
_ "github.com/abice/go-enum"
_ "github.com/dosgo/zigtool/zigcc"
_ "github.com/dosgo/zigtool/zigcpp"
_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
_ "github.com/onsi/ginkgo/v2/ginkgo"
_ "github.com/swaggo/swag/cmd/swag"


@ -6,4 +6,6 @@ var (
Version = "undefined"
// BuildTime build time of the binary
BuildTime = "undefined"
// Architecture current CPU architecture
Architecture = "undefined"
)