77 workflow_dispatch :
88
99env :
10- VERSION : dev # env var required when building extension
1110 # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
1211 TRIVY_DB_REPOSITORY : ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
1312 TRIVY_JAVA_DB_REPOSITORY : ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
@@ -53,23 +52,29 @@ jobs:
5352 severity-cutoff : low
5453 output-format : table
5554
56- build-and-binary-scans :
55+ build-and-scan-images :
5756 runs-on : ubuntu-22.04
57+ strategy :
58+ matrix :
59+ include :
60+ - arch : amd64
61+ alpine : 0
62+ suffix : amd64
63+ - arch : amd64
64+ alpine : 1
65+ suffix : amd64-alpine
66+ - arch : arm64
67+ alpine : 0
68+ suffix : arm64
69+ - arch : arm64
70+ alpine : 1
71+ suffix : arm64-alpine
72+ fail-fast : false
5873 steps :
59- - name : Checkout datadog-agent repository
60- uses : actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
61- with :
62- repository : DataDog/datadog-agent
63- path : go/src/github.com/DataDog/datadog-agent
64-
65- - name : Checkout datadog-lambda-extension repository
66- uses : actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
67- with :
68- repository : DataDog/datadog-lambda-extension
69- path : go/src/github.com/DataDog/datadog-lambda-extension
74+ - name : Checkout repository
75+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
7076
7177 - name : Set up QEMU
72- id : qemu
7378 uses : docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
7479 with :
7580 image : tonistiigi/binfmt:qemu-v9.2.2-52 # v3.6.0 latest
@@ -78,56 +83,76 @@ jobs:
7883 - name : Set up Docker Buildx
7984 uses : docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
8085
81- - name : Build extension
86+ - name : Compile binary (${{ matrix.suffix }})
8287 run : |
83- cd go/src/github.com/DataDog/datadog-lambda-extension
84- ./scripts/build_binary_and_layer_dockerized.sh
88+ ARCHITECTURE=${{ matrix.arch }} ALPINE=${{ matrix.alpine }} FIPS=0 DEBUG=0 FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/compile_bottlecap.sh
89+ env :
90+ DOCKER_BUILDKIT : 1
8591
86- - name : Scan amd64 image with trivy
87- uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
88- with :
89- image-ref : " datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
90- ignore-unfixed : true
91- exit-code : 1
92- format : table
92+ - name : Build layer (${{ matrix.suffix }})
93+ run : |
94+ ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh
95+ env :
96+ DOCKER_BUILDKIT : 1
9397
94- - name : Scan arm64 image with trivy
98+ - name : Scan layer image with trivy
9599 uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
96100 with :
97- image-ref : " datadog/build-lambda- extension-arm64: ${{ env.VERSION }}"
101+ image-ref : " datadog/build-extension-${{ matrix.suffix }}"
98102 ignore-unfixed : true
99103 exit-code : 1
100104 format : table
101105
102- - name : Scan amd64 image with grype
106+ - name : Scan layer image with grype
103107 uses : anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
104108 with :
105- image : " datadog/build-lambda- extension-amd64: ${{ env.VERSION }}"
109+ image : " datadog/build-extension-${{ matrix.suffix }}"
106110 only-fixed : true
107111 fail-build : true
108112 severity-cutoff : low
109113 output-format : table
110114
111- - name : Scan arm64 image with grype
115+ - name : Scan binary file with grype
112116 uses : anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
113117 with :
114- image : " datadog/build-lambda-extension-arm64: ${{ env.VERSION }}"
118+ path : .binaries/bottlecap- ${{ matrix.suffix }}
115119 only-fixed : true
116120 fail-build : true
117121 severity-cutoff : low
118122 output-format : table
119123
120- - name : Scan binary files with grype
124+ - name : Scan layer files with grype
121125 uses : anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
122126 with :
123- path : go/src/github.com/DataDog/datadog-lambda-extension/.layers
127+ path : .layers/datadog_extension-${{ matrix.suffix }}
128+ only-fixed : true
129+ fail-build : true
130+ severity-cutoff : low
131+ output-format : table
132+
133+ # Scan the compile image only once (it's the same for all variants)
134+ # Only run for the first matrix job to avoid redundant scans
135+ - name : Scan compile image with trivy
136+ if : matrix.suffix == 'amd64'
137+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
138+ with :
139+ image-ref : " datadog/compile-bottlecap"
140+ ignore-unfixed : true
141+ exit-code : 1
142+ format : table
143+
144+ - name : Scan compile image with grype
145+ if : matrix.suffix == 'amd64'
146+ uses : anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
147+ with :
148+ image : " datadog/compile-bottlecap"
124149 only-fixed : true
125150 fail-build : true
126151 severity-cutoff : low
127152 output-format : table
128153
129154 retry :
130- needs : [trivy-scans, grype-scans, build-and-binary-scans ]
155+ needs : [trivy-scans, grype-scans, build-and-scan-images ]
131156 if : failure() && fromJSON(github.run_attempt) < 2
132157 runs-on : ubuntu-22.04
133158 permissions :
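Review bot: The new compile-image grype step pins `anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0` while the three other grype steps in the same job pin `40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1`; unless the older release is intentional, align it to `uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1` so the job scans with a single pinned version and a future bump cannot miss one step. The same kind of pin drift shows in the checkout step of the previous hunk, where the new SHA differs from the removed one yet both carry the comment `# v5.0.1` — one of those comments is presumably stale and should be re-verified against the tag it claims, since the comment is what an auditor reads next to a SHA pin. Both compile-image scans also reference `datadog/compile-bottlecap` with no tag, which Docker tooling normally resolves as `:latest`; if compile_bottlecap.sh tags the image it just built, the scan may not be looking at that build, so confirm against the script. The gating `if: matrix.suffix == 'amd64'` rests on the comment's claim that the compile image is identical for every variant, which the hunk does not establish because the script is invoked with ARCHITECTURE and ALPINE; worth confirming before relying on a single-variant scan.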
@@ -140,7 +165,7 @@ jobs:
140165 run : gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
141166
142167 notify :
143- needs : [trivy-scans, grype-scans, build-and-binary-scans ]
168+ needs : [trivy-scans, grype-scans, build-and-scan-images ]
144169 if : failure() && fromJSON(github.run_attempt) >= 2
145170 runs-on : ubuntu-22.04
146171 steps :