Merge pull request #61 from udx/UAT-47

Workflows Enhancements, Image Upgrades, Modules Fixes [UAT-47]

.dockerignore

@@ -32,9 +32,6 @@ Makefile.variables
 *.bak
 *.old
 
-# Unnecessary configuration or text files
-etc/home/logo.txt
-
 # Readme files in the secrets and auth directories
 lib/auth/readme.md
 lib/secrets/readme.md

.github/workflows/build-and-test.yml

@@ -1,9 +1,17 @@
----
 name: Build and Test Docker Image
 
 on:
   push:
     branches-ignore: latest
+    paths:
+      - '.github/workflows/build-and-test.yml'
+      - 'Dockerfile'
+      - 'bin/**'
+      - 'lib/**'
+      - 'src/**'
+      - 'etc/**'
+      - 'Makefile'
+      - 'Makefile.variables'
 
 jobs:
   build:
@@ -24,14 +32,6 @@ jobs:
         run: make dev-pipeline
         working-directory: .
 
-      - name: Cache Trivy DB
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/trivy
-          key: ${{ runner.os }}-trivy-db-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-trivy-db-
-
       - name: Install Trivy
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
@@ -54,44 +54,42 @@ jobs:
 
             # Run the Trivy scan and capture the exit status
             trivy image --severity CRITICAL --exit-code 1 --quiet \
-              udx-worker/udx-worker:latest | tee trivy.log | grep -v 'INFO'
+              usabilitydynamics/udx-worker:latest | tee trivy.log | grep -v 'INFO'
             scan_exit_code=$?
 
-            # Check for CRITICAL vulnerabilities
+            # Check if CRITICAL vulnerabilities were detected
             if grep -E "Total: [1-9]" trivy.log; then
-              echo "CRITICAL vulnerabilities detected!"
+              echo "CRITICAL vulnerabilities detected! Exiting."
               exit 1
             fi
 
-            # Check if Trivy exited with an error
+            # Handle a successful scan (no critical vulnerabilities found)
             if [ $scan_exit_code -eq 0 ]; then
               echo "No CRITICAL vulnerabilities found."
               success=true
               break
             else
-              echo "Trivy scan failed, retrying in 2 minutes..."
+              echo "Trivy scan encountered an error, retrying in 2 minutes..."
               sleep 120
               attempt=$((attempt+1))
             fi
           done
 
-          # If all retries fail, exit with an error
+          # Exit if all retries fail without a successful scan
           if [ "$success" = false ]; then
             echo "Failed to complete Trivy scan after $max_retries attempts."
             exit 1
           fi
 
       - name: Trivy SBOM Generation
         run: |
-          # Suppress verbose notices and informational messages
           export TRIVY_DISABLE_VEX_NOTICE=true
-          trivy image --format spdx-json --output sbom.json udx-worker/udx-worker:latest 2>/dev/null
+          trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:latest 2>/dev/null
 
           echo "SBOM Top Packages Summary:"
           echo "| Package Name      | Version   |"
           echo "|-------------------|-----------|"
 
-          # Use jq to extract name and versionInfo, excluding packages with null versions, and pipe to column for formatting
           jq -r '.packages[] | select(.versionInfo != null) | "\(.name) | \(.versionInfo)"' sbom.json | sort | uniq | head -n 20 | column -t -s '|'
 
       - name: Upload SBOM Artifact

.github/workflows/release.yml

@@ -1,20 +1,21 @@
----
-name: Release UDX Worker
+name: Release
 
 on:
   push:
     branches:
       - "latest"
 
 jobs:
-  test-pipeline:
+  docker-release:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: read
+      contents: write
+
     outputs:
       semVer: ${{ steps.gitversion.outputs.semVer }}
       changelog: ${{ steps.changelog.outputs.changelog }}
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -26,164 +27,123 @@ jobs:
         with:
           driver: docker-container
 
-      - name: Prepare Docker cache directory
-        run: mkdir -p /tmp/.buildx-cache
-
-      - name: Cache Docker layers
-        uses: actions/cache@v4
+      - name: Install GitVersion
+        uses: gittools/actions/gitversion/[email protected]
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
+          versionSpec: "6.0.0"
 
       - name: Clear GitVersion Cache
         run: rm -rf .git/gitversion_cache
 
-      - name: Install GitVersion
-        uses: gittools/actions/gitversion/[email protected]
-        with:
-          versionSpec: "5.12.0"
-
       - name: Determine Version
         id: gitversion
         uses: gittools/actions/gitversion/[email protected]
         with:
           useConfigFile: true
           configFilePath: ci/git-version.yml
 
-      - name: Multi-arch build
-        id: build
+      - name: Generate Changelog
+        id: changelog
+        run: |
+          git log $(git describe --tags --abbrev=0)..HEAD -- . \
+            --pretty=format:"- %s" > changelog.txt
+          CHANGELOG=$(cat changelog.txt | jq -sRr @uri)
+          echo "changelog<<EOF" >> $GITHUB_ENV
+          echo "$CHANGELOG" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: "usabilitydynamics"
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Build and Push Docker Image
+        id: docker_push
         uses: docker/build-push-action@v6
         with:
           context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: false
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
+          platforms: linux/amd64, linux/arm64
+          push: true
+          sbom: true
+          provenance: true
           tags: |
             usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }}
+            usabilitydynamics/udx-worker:latest
 
-      - name: Generate SBOM
+      - name: Install Trivy
         run: |
-          export TRIVY_DISABLE_VEX_NOTICE=true
-          trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>/dev/null
-        # Save SBOM for later upload
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
+            sudo sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM with Retry Logic
         id: generate-sbom
+        run: |
+          export TRIVY_DISABLE_VEX_NOTICE=true
+          max_retries=10
+          attempt=1
+          success=false
+          while [ $attempt -le $max_retries ]; do
+            echo "Generating SBOM, attempt $attempt..."
+            output=$(trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>&1)
+            sbom_exit_code=$?
+            if [ $sbom_exit_code -eq 0 ]; then
+              echo "SBOM generation successful."
+              success=true
+              break
+            else
+              echo "Retrying in 120 seconds..."
+              sleep 120
+              attempt=$((attempt+1))
+            fi
+          done
+          if [ "$success" = false ]; then
+            exit 1
+          fi
 
       - name: Upload SBOM Artifact
         uses: actions/upload-artifact@v4
         with:
           name: sbom
           path: sbom.json
 
-      - name: Generate changelog
-        id: changelog
-        run: |
-          git log $(git describe --tags --abbrev=0)..HEAD -- . \
-            --pretty=format:"- %s" > changelog.txt
-          CHANGELOG=$(cat changelog.txt | jq -sRr @uri)
-          echo "changelog<<EOF" >> $GITHUB_ENV
-          echo "$CHANGELOG" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
+      - name: Log out from Docker Hub
+        run: docker logout
 
   github-release:
     runs-on: ubuntu-latest
-    needs: [test-pipeline]
+    needs: docker-release
     permissions:
       contents: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Configure git for pushing
+      - name: Configure Git for Pushing
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "UDX Worker"
 
-      - name: Create GitHub Tag
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-        run: |
-          git tag ${{ needs.test-pipeline.outputs.semVer }}
-          git push origin ${{ needs.test-pipeline.outputs.semVer }}
-
       - name: Download SBOM Artifact
         uses: actions/download-artifact@v4
         with:
           name: sbom
 
-      - name: Create GitHub release
+      - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ needs.test-pipeline.outputs.semVer }}
-          body: ${{ needs.test-pipeline.outputs.changelog }}
+          tag_name: ${{ needs.docker-release.outputs.semVer }}
+          body: |
+            Release version ${{ needs.docker-release.outputs.semVer }}.
+            [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker/tags?page=1&ordering=last_updated).
+            ${{ needs.docker-release.outputs.changelog }}
           draft: false
           prerelease: false
           files: sbom.json
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-
-  docker-release:
-    runs-on: ubuntu-latest
-    needs: [test-pipeline]
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver: docker-container
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
-      - name: Load Docker cache
-        uses: actions/cache@v4
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}
-
-      - name: Push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          cache-from: type=local,src=/tmp/.buildx-cache
-          tags: |
-            usabilitydynamics/udx-worker:${{ needs.test-pipeline.outputs.semVer }}
-            usabilitydynamics/udx-worker:latest
-
-      - name: Download SBOM Artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: sbom
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-
-      - name: Sign SBOM with Cosign
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-        run: |
-          cosign attest \
-            --key env://COSIGN_PRIVATE_KEY \
-            --type sbom \
-            --predicate sbom.json \
-            usabilitydynamics/udx-worker:${{ needs.test-pipeline.outputs.semVer }}
-
-      - name: Log out from Docker Hub
-        run: docker logout

.yamllint

@@ -2,11 +2,11 @@ extends: default
 
 rules:
   line-length:
-    max: 105 # Set a longer line length if 80 is too restrictive
+    max: 150 # Set a longer line length if 80 is too restrictive
     level: warning # Level should be either "error" or "warning"
 
   truthy:
     level: warning # Correct the level to "error" or "warning" instead of any invalid value
 
   comments-indentation:
-    level: warning # Level should be either "error" or "warning"
+    level: warning # Level should be either "error" or "warning"