aztfmod · arnaudlh · Feb 22, 2025 · Feb 22, 2025 · Feb 22, 2025 · Feb 22, 2025
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,36 +1,64 @@
 {
-    "name": "Azure CAF rover",
-    // Update the 'dockerComposeFile' list if you have more compose files or use different names.
-    "dockerComposeFile": "docker-compose.yml",
+    "name": "Azure SRE rover",
+
     // Container user to use in VSCode Online and GitHub Codespaces
+    "image": "mcr.microsoft.com/devcontainers/base:jammy",
     "remoteUser": "vscode",
-    // The 'service' property is the name of the service for the container that VS Code should
-    // use. Update this value and .devcontainer/docker-compose.yml to the real service name.
-    "service": "rover",
-    // The optional 'workspaceFolder' property is the path VS Code should open by default when
-    // connected. This is typically a volume mount in .devcontainer/docker-compose.yml
-    "workspaceFolder": "/tf/caf",
-    // Use 'settings' to set *default* container specific settings.json values on container create.
-    // You can edit these settings after create using File > Preferences > Settings > Remote.
-    "settings": {
-        "files.eol": "\n",
-        "terminal.integrated.defaultProfile.linux": "zsh",
-        "editor.tabSize": 2,
-        "terminal.integrated.scrollback": 64000,
+
+    // Volume mounts for the container.
+    "mounts": [
+        "source=volume-caf-vscode,target=/home/vscode",
+        "source=volume-caf-vscode-bashhistory,target=/commandhistory",
+        "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind",
+        "source=${localEnv:HOME}${localEnv:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
+    ],
+
+    // Run args for the container.
+    "runArgs": [
+        "--cap-add=SYS_PTRACE",
+        "--security-opt",
+        "seccomp=unconfined",
+        "--init",
+        "--network=host"
+      ],
+
+    // Adding features to the container.
+    "features": {
+        "ghcr.io/azure/azure-dev/azd:latest": {},
+        "ghcr.io/devcontainers/features/azure-cli:1": {},
+        "ghcr.io/devcontainers-contrib/features/act:1": {},
+        "ghcr.io/devcontainers/features/github-cli:1": {},
+        "ghcr.io/devcontainers-contrib/features/zsh-plugins:0": {
+            "plugins": [
+                "aliases syntax-highlighting autosuggestions"
+            ],
+            "username": [
+                "vscode"
+            ]
+        }
     },
-    // Uncomment the next line if you want start specific services in your Docker Compose config.
-    // "runServices": [],
-    // Uncomment this like if you want to keep your containers running after VS Code shuts down.
-    // "shutdownAction": "none",
+
+    // Workspace mounts and environment variables can be added here.
+    "workspaceMount": "source=${localWorkspaceFolder},target=/tf/caf,type=bind",
+    "workspaceFolder": "/tf/caf",
+
+
     // Uncomment the next line to run commands after the container is created.
-    //"postCreateCommand": "cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chmod 600 ~/.ssh/* && sudo chown -R $(whoami) /tf/caf && git config --global core.editor vim && pre-commit install && pre-commit autoupdate",
+	// "postCreateCommand" : "sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && echo 'export PATH=$HOME/.tfenv/tfenv-3.0.0/bin:$PATH' >> ~/.zshrc",
     "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf ~/.ssh && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
     "postStartCommand": "sudo chmod 666 /var/run/docker.sock",
-    // Add the IDs of extensions you want installed when the container is created in the array below.
-    "extensions": [
-        "4ops.terraform",
-        "mutantdino.resourcemonitor",
-        "eamodio.gitlens",
-        "golang.go"
-    ]
+    // "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chown -R $(whoami):$(whoami) /tf/caf ~/.ssh && sudo chmod 400 ~/.ssh/* && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
+
+
+    // Adding the extensions you in the container.
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "mutantdino.resourcemonitor",
+                "eamodio.gitlens",
+                "GitHub.copilot"
+			]
+        }
+    }
+
 }
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,6 +11,10 @@ updates:
     - 1.15.8
     - 1.16.0
 - package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
+- package-ecosystem: "devcontainers"
   directory: "/"
   schedule:
     interval: "daily"
diff --git a/.github/workflows/rover-preview.yml → .github/workflows/rover-preview.yml.disabled b/.github/workflows/rover-preview.yml → .github/workflows/rover-preview.yml.disabled
diff --git a/.github/workflows/rover.yml b/.github/workflows/rover.yml
@@ -17,13 +17,13 @@ jobs:
       with:
           username: aztfmod
           password: ${{ secrets.docker_registry_password }}
-    # - name: Cache Docker layers
-    #   uses: actions/cache@v2
-    #   with:
-    #     path: /tmp/.buildx-cache
-    #     key: ${{ runner.os }}-buildx-${{ github.sha }}
-    #     restore-keys: |
-    #       ${{ runner.os }}-buildx-
+    - name: Cache Docker layers
+      uses: actions/cache@v3
+      with:
+        path: /tmp/.buildx-cache
+        key: ${{ runner.os }}-buildx-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-
     - name: Build the rover
       run: |
         set -e

diff --git a/.github/workflows/roverlight-build.yml b/.github/workflows/roverlight-build.yml
@@ -0,0 +1,172 @@
+name: Roverlight-Build-Release
+# Workflow for building and scanning roverlight image
+
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+  push:
+    branches:
+      - 'main'
+      - 'roverlight'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write  # Required for SARIF upload
+    outputs:
+      tag: ${{ steps.tag.outputs.date }}
+    strategy:
+      matrix:
+        platform: [linux/amd64, linux/arm64]
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Cache Docker layers
+      uses: actions/cache@v4
+      with:
+        path: /tmp/.buildx-cache
+        key: ${{ runner.os }}-buildx-${{ matrix.platform }}-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-${{ matrix.platform }}-
+          ${{ runner.os }}-buildx-
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Generate tags
+      id: tag
+      run: |
+        echo "date=$(date +'%g%m.%d%H%M')" >> $GITHUB_OUTPUT
+        echo "tag=$(date +'%g%m.%d%H%M')" >> $GITHUB_ENV
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+
+    - name: Get build start time
+      id: build-start-time
+      run: echo "build_start_time=$(date +%s)" >> $GITHUB_OUTPUT
+
+    - name: Building roverlight
+      id: push
+      run: |
+        # Build roverlight only
+        TARGETARCH=$(echo ${{ matrix.platform }} | cut -d'/' -f2) && \
+        docker buildx bake \
+          -f docker-bake.hcl \
+          -f docker-bake.override.hcl \
+          --set *.platform=${{ matrix.platform }} \
+          --set *.args.versionRover=${{ steps.tag.outputs.date }} \
+          --set *.args.TARGETARCH=$TARGETARCH \
+          --set *.cache-from=type=gha \
+          --set *.cache-to=type=gha,mode=max \
+          --set *.tags=ghcr.io/${{ github.repository }}/roverlight:${{ steps.tag.outputs.date }} \
+          --push \
+          roverlight
+
+    - name: Calculate build duration
+      id: build-time
+      run: |
+        end_time=$(date +%s)
+        start_time=${{ steps.build-start-time.outputs.build_start_time }}
+        duration=$((end_time - start_time))
+        echo "build_duration=$duration" >> $GITHUB_OUTPUT
+        echo "🏗️ Build took $duration seconds" >> $GITHUB_STEP_SUMMARY
+
+    - name: Comment build time on PR
+      if: github.event_name == 'pull_request'
+      uses: actions/github-script@v3
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const duration = ${{ steps.build-time.outputs.build_duration }};
+          const message = `🏗️ Build metrics:\n- Build duration: ${duration} seconds`;
+          github.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.name,
+            body: message
+          });
+
+  scan:
+    needs: build
+    runs-on: ubuntu-latest
+    env:
+      TAG: ${{ needs.build.outputs.tag }}
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      - name: Get scan start time
+        id: scan-start-time
+        run: echo "scan_start_time=$(date +%s)" >> $GITHUB_OUTPUT
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull image for scanning
+        run: docker pull ghcr.io/${{ github.repository }}/roverlight:${{ env.TAG }}
+
+      - name: Scan container
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: ghcr.io/${{ github.repository }}/roverlight:${{ env.TAG }}
+          severity-cutoff: critical
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Calculate scan duration
+        id: scan-time
+        run: |
+          end_time=$(date +%s)
+          start_time=${{ steps.scan-start-time.outputs.scan_start_time }}
+          duration=$((end_time - start_time))
+          echo "scan_duration=$duration" >> $GITHUB_OUTPUT
+          echo "🔍 Security scan took $duration seconds" >> $GITHUB_STEP_SUMMARY
+
+      - name: Comment scan time on PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const duration = ${{ steps.scan-time.outputs.scan_duration }};
+            const message = `🔍 Security scan metrics:\n- Scan duration: ${duration} seconds`;
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.name,
+              body: message
+            });