openobserve · sampathshivakumar · Mar 12, 2025 · Mar 12, 2025
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
@@ -9,9 +9,9 @@ on:
         required: false
         type: boolean
     secrets:
-      DOCKER_USERNAME:
+      AWS_ROLE_ARN:
         required: true
-      DOCKER_PASSWORD:
+      AWS_REGION:
         required: true
     outputs:
       container-image-name:
@@ -29,13 +29,16 @@ permissions:
 
 jobs:
   container-images:
-    name: Container images
+    name: Container Images
     runs-on: ubuntu-latest
     strategy:
       matrix:
         variant:
           - alpine
           - distroless
+        platform:
+          - linux/amd64
+          - linux/arm64
 
     permissions:
       attestations: write
@@ -50,189 +53,122 @@ jobs:
       ref: ${{ steps.image-ref.outputs.value }}
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout Repository
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@v3
 
-      - name: Set up Syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
 
-      - name: Install cosign
-        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+      - name: Login to AWS Public ECR
+        id: login-ecr
+        run: |
+          aws ecr-public get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin public.ecr.aws
 
-      - name: Set image name
+      - name: Set Image Name
         id: image-name
-        run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
+        run: echo "value=public.ecr.aws/zinclabs/dex" >> "$GITHUB_OUTPUT"
+      # run: echo "value=${{ secrets.ECR_REPO }}" >> "$GITHUB_OUTPUT"
+
+      - name: Format Platform Name
+        id: platform-name
+        run: echo "PLATFORM_TAG=${{ matrix.platform }}" | sed 's/\//-/g' >> $GITHUB_ENV
+
+      - name: Extract Short SHA for Unique Tagging
+        id: short-sha
+        run: echo "SHORT_SHA=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_ENV
 
-      - name: Gather build metadata
-        id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
-        with:
-          images: |
-            ${{ steps.image-name.outputs.value }}
-            dexidp/dex
-          flavor: |
-            latest = false
-          tags: |
-            type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
-            type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
-            type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
-            type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
-            type=ref,event=branch,suffix=-${{ matrix.variant }}
-            type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
-            type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
-            type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
-          labels: |
-            org.opencontainers.image.documentation=https://dexidp.io/docs/
-
-      # Multiple exporters are not supported yet
-      # See https://github.com/moby/buildkit/pull/2760
       - name: Determine build output
-        uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
+        uses: haya14busa/action-cond@v1
         id: build-output
         with:
-          cond: ${{ inputs.publish }}
+          cond: ${{ github.event_name == 'push' }}
           if_true: type=image,push=true
           if_false: type=oci,dest=image.tar
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-        if: inputs.publish
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-        if: inputs.publish
-
-      - name: Build and push image
+      - name: Build Image
         id: build
-        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
+        uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
-          tags: ${{ steps.meta.outputs.tags }}
+          platforms: ${{ matrix.platform }}
+          tags: |
+            ${{ steps.image-name.outputs.value }}:${{ matrix.variant }}-${{ env.PLATFORM_TAG }}-${{ env.SHORT_SHA }}
+            ${{ steps.image-name.outputs.value }}:${{ matrix.variant }}-${{ env.PLATFORM_TAG }}-latest
           build-args: |
             BASE_IMAGE=${{ matrix.variant }}
-            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
-            COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
-            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
-          labels: ${{ steps.meta.outputs.labels }}
-          # cache-from: type=gha
-          # cache-to: type=gha,mode=max
           outputs: ${{ steps.build-output.outputs.value }}
-          # push: ${{ inputs.publish }}
+          provenance: false  # Prevents unnecessary provenance attestations
 
-      - name: Sign the images with GitHub OIDC Token
-        run: |
-          cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
-        if: inputs.publish
-
-      - name: Set image ref
+      - name: Set Image Reference
         id: image-ref
         run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
-      - name: Fetch image
-        run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
-        if: inputs.publish
+      ## Commented out Cosign steps
+      # - name: Install cosign
+      #   uses: sigstore/cosign-installer@v3.8.1
 
-      # Uncomment the following lines for debugging:
-      # - name: Upload image as artifact
-      #   uses: actions/upload-artifact@v3
-      #   with:
-      #     name: "[${{ github.job }}] OCI tarball"
-      #     path: image.tar
-
-      - name: Extract OCI tarball
-        run: |
-          mkdir -p image
-          tar -xf image.tar -C image
-
-      # - name: List tags
-      #   run: skopeo --insecure-policy list-tags oci:image
-      #
-      # # See https://github.com/anchore/syft/issues/1545
-      # - name: Extract image from multi-arch image
-      #   run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
-      #
-      # - name: Generate SBOM
-      #   run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
-      #
-      # - name: Upload SBOM as artifact
-      #   uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-      #   with:
-      #     name: "[${{ github.job }}] SBOM"
-      #     path: sbom-spdx.json
-      #     retention-days: 5
+      # - name: Sign the images with GitHub OIDC Token
+      #   run: |
+      #     cosign sign --yes --upload=false --output-file=signature.sig ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
+      #   if: inputs.publish
 
-      # TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
-      # - name: Generate build provenance attestation
-      #   uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+      # - name: Upload Cosign Signature as Artifact
+      #   uses: actions/upload-artifact@v4
       #   with:
-      #     subject-name: dexidp/dex
-      #     subject-digest: ${{ steps.build.outputs.digest }}
-      #     push-to-registry: true
+      #     name: "Cosign-Signature-${{ matrix.variant }}-${{ env.PLATFORM_TAG }}"
+      #     path: signature.sig
+      #   if: inputs.publish
 
-      - name: Generate build provenance attestation
-        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
-        with:
-          subject-name: ghcr.io/dexidp/dex
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
-        if: inputs.publish
-
-      ## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
-      ## To avoid the trivy-db becoming outdated, we save the cache for one day
-      - name: Get data
+      ##  Trivy Security Scan Steps
+      - name: Get date
         id: date
         run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
 
-      - name: Restore trivy cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      - name: Restore Trivy cache
+        uses: actions/cache@v4
         with:
           path: cache/db
           key: trivy-cache-${{ steps.date.outputs.date }}
           restore-keys: trivy-cache-
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           input: image
           format: sarif
           output: trivy-results.sarif
           scan-type: "fs"
           scan-ref: "."
           cache-dir: "./cache"
-        # Disable skipping trivy cache for now
-        # env:
-        #   TRIVY_SKIP_DB_UPDATE: true
-        #   TRIVY_SKIP_JAVA_DB_UPDATE: true
-
-      ## Trivy-db uses `0600` permissions.
-      ## But `action/cache` use `runner` user by default
-      ## So we need to change the permissions before caching the database.
-      - name: change permissions for trivy.db
+
+      - name: Change permissions for Trivy DB
         run: sudo chmod 0644 ./cache/db/trivy.db
 
-      - name: Upload Trivy scan results as artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      - name: Upload Trivy scan results as an artifact
+        uses: actions/upload-artifact@v4
         with:
-          name: "[${{ github.job }}] Trivy scan results"
+          name: "Trivy-scan-results-${{ matrix.variant }}-${{ env.PLATFORM_TAG }}"
           path: trivy-results.sarif
           retention-days: 5
           overwrite: true
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: trivy-results.sarif
+
+      - name: Upload Image as Artifact (Only for PRs)
+        uses: actions/upload-artifact@v4
+        with:
+          name: "OCI-Image-${{ matrix.variant }}-${{ env.PLATFORM_TAG }}"
+          path: image.tar
+        if: github.event_name == 'pull_request'
diff --git a/.github/workflows/build-binary.yaml b/.github/workflows/build-binary.yaml
@@ -0,0 +1,27 @@
+name: Build Binary
+
+on:
+  workflow_dispatch:  # Only manual trigger
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.24'  # Update to Go 1.24
+
+    - name: Build Binary
+      run: |
+        make build
+
+    - name: Upload Binary as Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: dex-binary-${{ github.ref_name }}-${{ github.sha }}
+        path: ./bin/dex  # Adjust the path to where the binary is built
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -76,9 +76,6 @@ jobs:
       - name: Download tool dependencies
         run: make deps
 
-      # Ensure that generated files were committed.
-      # It can help us determine, that the code is in the intermediate state, which should not be tested.
-      # Thus, heavy jobs like creating a kind cluster and testing / linting will be skipped.
       - name: Verify
         run: make verify
 
@@ -156,8 +153,8 @@ jobs:
     with:
       publish: ${{ github.event_name == 'push' }}
     secrets:
-      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+      AWS_REGION: ${{ secrets.AWS_REGION }}
     permissions:
       attestations: write
       contents: read