From 9e99f08e38516975dd58e95a8754deeb07298f70 Mon Sep 17 00:00:00 2001 From: "Denis N. Antonioli" <1205618+denisa@users.noreply.github.com> Date: Mon, 21 Aug 2023 21:09:59 -0700 Subject: [PATCH] 1061: generate multi-architecture (amd64, arm64) docker image (#1568) * 1061: simplify Dockerfile * 1061: multi-platform build on CI, single platform locally CI auto push * 1061: qemu * 1061: MULTIPLATFORM build is not same as CI * 1061: permissions * 1061: better target name * 1061: Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: actions/checkout@v2, actions/setup-go@v1 Skipping codecov/codecov-action@v1 ... * permissions are not needed because this project publishes to dockerhub, not a a GH package * permissions are not needed because this project publishes to dockerhub, not a a GH package --- .github/workflows/gobuild.yml | 19 +++++++++--------- .github/workflows/release.yml | 15 +++++++------- Makefile | 9 ++++++++- build/Dockerfile | 9 +++------ scripts/docker-build.sh | 38 +++++++++++++++++++++++++++++++---- 5 files changed, 62 insertions(+), 28 deletions(-) diff --git a/.github/workflows/gobuild.yml b/.github/workflows/gobuild.yml index 80f79814e..0bdc6eddb 100644 --- a/.github/workflows/gobuild.yml +++ b/.github/workflows/gobuild.yml @@ -19,10 +19,10 @@ jobs: GOOGLE_APPLICATION_CREDENTIALS_TEST_SECRET: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_TEST_KEY }} steps: - name: Checkout Terrascan - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup Go - uses: actions/setup-go@v1 + uses: actions/setup-go@v4 with: go-version: ${{ env.GO_VERSION }} 
@@ -60,22 +60,21 @@ jobs: needs: validate runs-on: ubuntu-latest - if: github.event_name == 'push' + if: github.event_name == 'push' && github.ref == 'refs/heads/master' steps: - name: Checkout Terrascan - uses: actions/checkout@v2 + uses: actions/checkout@v3 - - name: Build Terrascan docker image - run: make docker-build + - uses: docker/setup-qemu-action@v2 - name: Login to Docker Hub uses: docker/login-action@v2 - if: ${{ github.ref == 'refs/heads/master' }} with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Push Terrascan latest docker image - if: ${{ github.ref == 'refs/heads/master' }} - run: make docker-push-latest + - name: Build and push Terrascan latest docker image + run: make docker-build-push-latest + env: + MULTIPLATFORM: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8ec895832..fe6a1a8cd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,11 +13,11 @@ jobs: GO_VERSION: 1.19 steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: ${{ env.GO_VERSION }} - name: Run GoReleaser @@ -34,10 +34,9 @@ jobs: steps: - name: Checkout Terrascan - uses: actions/checkout@v2 + uses: actions/checkout@v3 - - name: Build Terrascan docker image - run: make docker-build + - uses: docker/setup-qemu-action@v2 - name: Login to Docker Hub uses: docker/login-action@v2 @@ -45,8 +44,10 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Push Terrascan latest tag docker image - run: make docker-push-latest-tag + - name: Build and Push Terrascan latest tag docker image + run: make docker-build-push-latest-tag + env: + MULTIPLATFORM: true - name: Build terrascan_atlantis docker image run: make atlantis-docker-build 
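Review bot: The new `docker/setup-qemu-action@v2` step is the only step in this job without a `name:`, and `MULTIPLATFORM: true` is a YAML boolean where every other value in these `env:` blocks is a string; `- name: Set up QEMU` above the `uses:` line and `MULTIPLATFORM: "true"` keep the step list uniform and spell out the exact value that scripts/docker-build.sh later compares against `"true"`. The same applies to the matching hunks in .github/workflows/release.yml (`@@ -34,10 +34,9 @@` and `@@ -45,8 +44,10 @@`). Because this job now builds and pushes the `latest` tag in one step while holding the Docker Hub token, the third-party actions it runs (`docker/setup-qemu-action`, `docker/login-action`) are worth pinning to a full commit SHA instead of a floating major tag, with the other actions in the file following the same policy. The enclosing `jobs:` entry begins outside the hunk.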
diff --git a/Makefile b/Makefile index 29ff99b17..cf59d4896 100644 --- a/Makefile +++ b/Makefile @@ -108,12 +108,19 @@ install-kind: docker-build: ./scripts/docker-build.sh +# build and push latest terrascan docker image +docker-build-push-latest: + ./scripts/docker-build.sh latest + +# build and push release tag terrascan docker image +docker-build-push-latest-tag: + ./scripts/docker-build.sh tag + # push terrascan docker image docker-push: ./scripts/docker-push.sh - # push latest terrascan docker image docker-push-latest: ./scripts/docker-push-latest.sh diff --git a/build/Dockerfile b/build/Dockerfile index 2f7b71c8c..708ce870b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,23 +1,20 @@ # -------- builder stage -------- # FROM golang:alpine AS builder -ARG GOOS_VAL=linux -ARG GOARCH_VAL=amd64 -ARG CGO_ENABLED_VAL=1 +ARG CGO_ENABLED_VAL=0 WORKDIR $GOPATH/src/terrascan # download go dependencies COPY go.mod go.sum ./ RUN go mod download -RUN apk add -U build-base +RUN apk update && apk add --no-cache --update build-base git # copy terrascan source COPY . . # build binary -RUN apk update && apk add git && \ - CGO_ENABLED=${CGO_ENABLED_VAL} GOOS=${GOOS_VAL} GOARCH=${GOARCH_VAL} go build -v -ldflags "-w -s" -o /go/bin/terrascan ./cmd/terrascan +RUN CGO_ENABLED=${CGO_ENABLED_VAL} go build -v -ldflags "-w -s" -o /go/bin/terrascan ./cmd/terrascan # -------- prod stage -------- # diff --git a/scripts/docker-build.sh b/scripts/docker-build.sh index 1762b3c4f..a5899a3f5 100755 --- a/scripts/docker-build.sh +++ b/scripts/docker-build.sh 
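Review bot: The new `docker-build-push-latest` and `docker-build-push-latest-tag` targets only push when the caller has exported `MULTIPLATFORM=true`; otherwise scripts/docker-build.sh falls back to `--load`, so a plain `make docker-build-push-latest` builds and tags locally without the push the name promises. Extend the two comments to say so, e.g. `# build and push latest terrascan docker image (push happens only with MULTIPLATFORM=true, see scripts/docker-build.sh)`, or have the recipes set `MULTIPLATFORM=true` themselves if a push is always intended.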
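Review bot: With the GOOS/GOARCH args removed, the new `RUN CGO_ENABLED=${CGO_ENABLED_VAL} go build ...` line runs inside a builder stage that buildx instantiates once per target platform, so the arm64 binary is compiled under QEMU emulation rather than cross-compiled; `FROM --platform=$BUILDPLATFORM golang:alpine AS builder`, `ARG TARGETOS TARGETARCH`, and `RUN CGO_ENABLED=${CGO_ENABLED_VAL} GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -v -ldflags "-w -s" -o /go/bin/terrascan ./cmd/terrascan` keep the compile native and considerably faster. In the new `apk` line, `apk update` is redundant next to `--no-cache --update`, and `build-base` is now only needed when a caller overrides `CGO_ENABLED_VAL` to 1, since the default changed to 0. The `golang:alpine` tag also floats independently of the `GO_VERSION: 1.19` pinned in the workflows, so the shipped binary can be built with a different Go release than CI tested; a matching `golang:1.19-alpine` tag would close that gap.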
@@ -1,15 +1,45 @@ -#!/bin/bash +#!/usr/bin/env bash set -o errexit set -o nounset set -o pipefail -GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null) DOCKER_REPO="tenable/terrascan" DOCKERFILE="./build/Dockerfile" -docker buildx create --platform linux/amd64,linux/arm64 --name terrascan-builder --use +if [ $# -eq 0 ]; then + LABEL=$(git rev-parse --short HEAD 2>/dev/null) +elif [ $# -eq 1 ]; then + case "$1" in + latest) + LABEL="latest" + ;; + tag) + LATEST_TAG=$(git describe --abbrev=0 --tags) + LABEL=$(echo "${LATEST_TAG//v}") + ;; + *) + esac +fi -docker buildx build -t ${DOCKER_REPO}:${GIT_COMMIT} -f ${DOCKERFILE} . --load +if [ "${LABEL-false}" = "false" ]; then + echo "Usage:" + echo " $0 -> label is the git commit" + echo " $0 tag -> label is the latest tag" + echo " $0 latest -> label is 'latest'" + exit 1 +fi + +declare -a PLATFORM +if [ "${MULTIPLATFORM-false}" = "true" ]; then + OUTPUT_TYPE="--push" + PLATFORM=("--platform" "linux/amd64,linux/arm64") +else + OUTPUT_TYPE="--load" +fi + +docker buildx create "${PLATFORM[@]}" --name terrascan-builder --use + +docker buildx build --provenance=false "${OUTPUT_TYPE}" "${PLATFORM[@]}" -t "${DOCKER_REPO}:${LABEL}" -f "${DOCKERFILE}" . docker buildx rm terrascan-builder
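Review bot: `docker buildx create "${PLATFORM[@]}"` and the following `docker buildx build` line expand an empty array under `set -o nounset`, which bash older than 4.4 (including the /bin/bash shipped with macOS, now reachable through the `#!/usr/bin/env bash` shebang) rejects as an unbound variable, so the single-platform local path aborts; use the guarded form `${PLATFORM[@]+"${PLATFORM[@]}"}` in both places. In the `tag)` branch, `${LATEST_TAG//v}` strips every `v` in the tag rather than only the leading one and the `echo` wrapper is redundant; `LABEL="${LATEST_TAG#v}"` matches what the branch appears to intend. `--provenance=false` also drops the provenance attestation buildx would otherwise attach to the pushed multi-arch image; if it is only there to keep `--load` working locally, consider passing it in the `else` branch alone.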