configure pipeline for polycli docker and dpkg deployment

.github/workflows/build-docker.yml

@@ -0,0 +1,101 @@
+name: "Build Pipeline"
+
+on:
+  push:
+    branches:
+      - jesse/pipeline-deploy
+      - main
+    paths-ignore:
+      - 'helm-chart/**'
+
+env:
+  PROJECT_ID: "prj-polygonlabs-devtools-dev"
+  GAR_LOCATION: "europe-west2"
+  WIF_PROVIDER: ${{ secrets.WIF_PROVIDER }} # this was hard to find: WIP --> Expand pool --> Click pencil icon
+  WIF_SERVICE_ACCOUNT: ${{ secrets.WIF_SERVICE_ACCOUNT }}
+  CRITICAL_COUNT: 5
+  IMAGE_NAME: "europe-west2-docker.pkg.dev/prj-polygonlabs-devtools-dev/polygonlabs-docker-dev/jesse/polygon-cli"
+
+  ATTESTOR_PROJECT_ID: "prj-polygonlabs-devtools-dev"
+  KEY_RING: "jesse-artifacts-ring"
+  KEY: "jesse-artifacts-binary-auth-key"
+  ATTESTOR: "jesse-artifacts-attestor"
+
+jobs:
+  build-pipeline-docker:
+    name: "Build, push, scan, and sign Docker image"
+    permissions:
+      contents: "write"
+      id-token: "write"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ env.WIF_PROVIDER }}"
+          service_account: "${{ env.WIF_SERVICE_ACCOUNT }}"
+
+      - name: Docker Auth
+        id: docker-auth
+        uses: docker/login-action@v1
+        with:
+          username: "oauth2accesstoken"
+          password: "${{ steps.auth.outputs.access_token }}"
+          registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"
+
+      - name: Build and Push Docker Image to GCP Artifact Registry
+        run: |-
+          docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" .
+          docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}"
+
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v1"
+
+      - name: Scan Vulnerabilities
+        run: |
+          (gcloud artifacts docker images scan "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet) > ./scan_id.txt
+
+      - name: Checking Critical Vulnerabilities
+        run: |-
+          #!/bin/bash
+          # Check if the scan_id.txt file exists
+          if [ ! -f ./scan_id.txt ]; then
+              echo "Error: scan_id.txt not found."
+              exit 1
+          fi
+          # Use gcloud to list vulnerabilities and check for CRITICAL severity
+          severity=$(gcloud artifacts docker images list-vulnerabilities \
+                          "$(cat ./scan_id.txt)" \
+                          --format="value(vulnerability.effectiveSeverity)")
+          # Check if CRITICAL vulnerability is found
+          if [ $(echo "$severity" | grep -c "CRITICAL") -gt 5 ]; then
+              echo "Failed vulnerability check for CRITICAL level"
+              exit 1
+          else
+              echo "No CRITICAL vulnerability found. Congratulations."
+              exit 0
+          fi
+
+      - name: Sign the docker image
+        run: |-
+          export CLOUDSDK_CORE_DISABLE_PROMPTS=1
+          gcloud components install beta --quiet
+          
+          DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)')
+          
+          gcloud beta container binauthz attestations sign-and-create \
+              --artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
+              --attestor="${{ env.ATTESTOR }}" \
+              --attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \
+              --keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \
+              --keyversion-location="${{ env.GAR_LOCATION }}" \
+              --keyversion-keyring="${{ env.KEY_RING }}" \
+              --keyversion-key="${{ env.KEY }}" \
+              --keyversion="1"

.github/workflows/build-package.yml

@@ -0,0 +1,88 @@
+name: "Build Pipeline"
+
+on:
+  push:
+    branches:
+      - jesse/pipeline-deploy
+      - main
+
+env:
+  PROJECT_ID: "prj-polygonlabs-devtools-dev"
+  GAR_LOCATION: "europe-west2"
+  WIF_PROVIDER: ${{ secrets.WIF_PROVIDER }} # this was hard to find: WIP --> Expand pool --> Click pencil icon
+  WIF_SERVICE_ACCOUNT: ${{ secrets.WIF_SERVICE_ACCOUNT }}
+  APT_REPOSITORY: "polygonlabs-apt-dev"
+
+jobs:
+  build-pipeline-apt:
+    name: "Build and upload APT package"
+    permissions:
+      contents: "write"
+      id-token: "write"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Adding TAG to ENV
+        run: echo "GIT_TAG=`echo $(git describe --tags --abbrev=0)`" >> $GITHUB_ENV
+
+      - name: Building for amd64
+        run: make build
+
+      - name: Making directory structure
+        run: mkdir -p packaging/deb/polycli/usr/bin
+
+      - name: Copying necessary files
+        run: cp -rp out/polycli packaging/deb/polycli/usr/bin/
+
+      - name: Copying control file
+        run: |
+          VERSION="0-${{ github.sha }}"
+          cp -rp packaging/templates/package_scripts/control packaging/deb/polycli/DEBIAN/control
+          sed -i "s/^Version: .*/Version: $VERSION/" packaging/deb/polycli/DEBIAN/control
+
+      - name: Creating package for binary for polycli ${{ env.ARCH }}
+        run: cp -rp packaging/deb/polycli packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}
+        env:
+          ARCH: amd64
+
+      - name: Running package build
+        run: dpkg-deb --build --root-owner-group packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}
+        env:
+          ARCH: amd64
+
+      - name: Removing the bor binary
+        run: rm -rf packaging/deb/polycli/usr/bin/polycli
+
+#######################################
+
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ env.WIF_PROVIDER }}"
+          service_account: "${{ env.WIF_SERVICE_ACCOUNT }}"
+
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v1"
+
+      - name: Check pwd
+        run: pwd
+
+      - name: Check files
+        run: ls -ltr packaging/deb/ | grep polycli
+
+      - id: gcloud
+        name: gcloud
+        run: |-
+          gcloud config set artifacts/repository ${{ env.APT_REPOSITORY }}
+          gcloud config set artifacts/location ${{ env.GAR_LOCATION }}
+          gcloud config set project ${{ env.PROJECT_ID }}
+          gcloud artifacts apt upload polygonlabs-apt-dev --source=packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}.deb
+        env:
+          ARCH: amd64

Dockerfile

@@ -0,0 +1,23 @@
+# Use an official Go runtime as a parent image
+FROM golang:1.21 as builder
+
+# Set the working directory inside the container
+WORKDIR /go/src/app
+
+# Copy the Go source code and .git directory into the container
+COPY . .
+
+# Build your Go app using the 'build' target in your Makefile
+RUN make build
+
+# Use a smaller base image to create a minimal final image
+FROM ubuntu:latest
+
+# Set working directory
+WORKDIR /root/
+
+# Copy the binary from the builder stage
+COPY --from=builder /go/src/app/out/polycli .
+
+# Command to run the binary
+CMD ["./polycli"]

go.mod

@@ -103,7 +103,7 @@ require (
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.2.0 // indirect
-	github.com/multiformats/go-multiaddr v0.11.0 // indirect
+	github.com/multiformats/go-multiaddr v0.12.1 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/multiformats/go-multicodec v0.9.0 // indirect
 	github.com/multiformats/go-multihash v0.2.3 // indirect

go.sum

@@ -360,8 +360,8 @@ github.com/multiformats/go-base32 v0.1.0 h1:pVx9xoSPqEIQG8o+UbAe7DNi51oej1NtK+aG
 github.com/multiformats/go-base32 v0.1.0/go.mod h1:Kj3tFY6zNr+ABYMqeUNeGvkIC/UYgtWibDcT0rExnbI=
 github.com/multiformats/go-base36 v0.2.0 h1:lFsAbNOGeKtuKozrtBsAkSVhv1p9D0/qedU9rQyccr0=
 github.com/multiformats/go-base36 v0.2.0/go.mod h1:qvnKE++v+2MWCfePClUEjE78Z7P2a1UV0xHgWc0hkp4=
-github.com/multiformats/go-multiaddr v0.11.0 h1:XqGyJ8ufbCE0HmTDwx2kPdsrQ36AGPZNZX6s6xfJH10=
-github.com/multiformats/go-multiaddr v0.11.0/go.mod h1:gWUm0QLR4thQ6+ZF6SXUw8YjtwQSPapICM+NmCkxHSM=
+github.com/multiformats/go-multiaddr v0.12.1 h1:vm+BA/WZA8QZDp1pF1FWhi5CT3g1tbi5GJmqpb6wnlk=
+github.com/multiformats/go-multiaddr v0.12.1/go.mod h1:7mPkiBMmLeFipt+nNSq9pHZUeJSt8lHBgH6yhj0YQzE=
 github.com/multiformats/go-multibase v0.2.0 h1:isdYCVLvksgWlMW9OZRYJEa9pZETFivncJHmHnnd87g=
 github.com/multiformats/go-multibase v0.2.0/go.mod h1:bFBZX4lKCA/2lyOFSAoKH5SS6oPyjtnzK/XTFDPkNuk=
 github.com/multiformats/go-multicodec v0.9.0 h1:pb/dlPnzee/Sxv/j4PmkDRxCOi3hXTz3IbPKOXWJkmg=

packaging/deb/polycli/DEBIAN/README.md

@@ -0,0 +1,20 @@
+# Debian
+
+
+
+For debian packages you will need to add the following layouts during the build
+
+
+
+polycli/
+   DEBIAN/control
+   usr/local/bin/polycli
+
+This will be wrapped during the build package process building
+
+
+Note this is still a work in progress:
+
+TODO: removal/purge on removal using dpkg
+      cleanup of control files to list what we want
+      copyright inclusion

packaging/templates/package_scripts/control

@@ -0,0 +1,12 @@
+Source: polygon-cli
+Version: 0.3.5-beta
+Section: main
+Priority: standard
+Maintainer: Polygon <[email protected]>
+Build-Depends: debhelper-compat (= 13)
+Package: polygon-cli
+Rules-Requires-Root: yes
+Architecture: amd64
+Multi-Arch: foreign
+Depends:
+Description: This is the polygon-cli package from Polygon Technology.