DNXLabs · caiovfernandes · Oct 28, 2021 · Oct 28, 2021 · Oct 28, 2021
diff --git a/.github/workflows/registry.yml b/.github/workflows/registry.yml
@@ -7,122 +7,57 @@ on:
 
 jobs:
   build:
-    name: Build
+    name: Build and Push
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Build and export
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          tags: dnxsolutions/serverless:latest
-          outputs: type=docker,dest=/tmp/serverless.tar
-      - name: Upload artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: serverless
-          path: /tmp/serverless.tar
-  ecr:
-    name: Push to ECR
-    runs-on: ubuntu-latest
-    needs: build
-    container: dnxsolutions/aws:2.1.6-dnx1
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@v2
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-      - name: Get the tag
-        id: get_tag
-        run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/}
-      - name: Download docker artifact
-        uses: actions/download-artifact@v2
-        with:
-          name: serverless
-          path: /tmp
-      - name: Load, tag, and push image
-        env:
-          ECR_REGISTRY: public.ecr.aws
-          ECR_REPOSITORY: dnxsolutions/serverless
-          IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
-        run: |
-          apk add docker
-          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
-          docker load --input /tmp/serverless.tar
-          docker image ls -a
-          docker tag $ECR_REPOSITORY:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
-          docker tag $ECR_REPOSITORY:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
 
-  docker-hub:
-    name: Push to Docker Hub
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+            dnxsolutions/serverless
+            ghcr.io/dnxlabs/serverless
+            public.ecr.aws/dnxsolutions/serverless
+          tags: |
+            type=raw,value=latest
+            type=ref,event=tag
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
+
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DNX_DOCKERHUB_USERNAME }}
           password: ${{ secrets.DNX_DOCKERHUB_TOKEN }}
-      - name: Get the tag
-        id: get_tag
-        run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/}
-      - name: Download artifact
-        uses: actions/download-artifact@v2
-        with:
-          name: serverless
-          path: /tmp
-      - name: Load, tag, and push image
-        env:
-          DOCKERHUB_REPOSITORY: dnxsolutions/serverless
-          IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
-        run: |
-          docker load --input /tmp/serverless.tar
-          docker image ls -a
-          docker push $DOCKERHUB_REPOSITORY:latest
-          docker tag $DOCKERHUB_REPOSITORY:latest $DOCKERHUB_REPOSITORY:$IMAGE_TAG
-          docker push $DOCKERHUB_REPOSITORY:$IMAGE_TAG
 
-  ghcr:
-    name: Push to GitHub Registry
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Get the tag
-        id: get_tag
-        run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/}
-      - name: Download artifact
-        uses: actions/download-artifact@v2
+
+      - name: Login to Public ECR
+        uses: docker/login-action@v1
         with:
-          name: serverless
-          path: /tmp
-      - name: Load, tag, and push image
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }}
         env:
-          BASE_REPOSITORY: dnxsolutions/serverless
-          GHCR_REPOSITORY: ghcr.io/dnxlabs/serverless
-          IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
-        run: |
-          docker load --input /tmp/serverless.tar
-          docker image ls -a
-          docker tag $BASE_REPOSITORY:latest $GHCR_REPOSITORY:latest
-          docker push $GHCR_REPOSITORY:latest
-          docker tag $GHCR_REPOSITORY:latest $GHCR_REPOSITORY:$IMAGE_TAG
-          docker push $GHCR_REPOSITORY:$IMAGE_TAG
+          AWS_REGION: us-east-1
+
+      - name: Build and Push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/arm64/v6, linux/arm64/v8, linux/arm/v7, linux/s390x, linux/amd64, linux/ppc64le
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -9,17 +9,25 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v1
-
-      - name: Set tag var
-        id: vars
-        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+      - name: Checkout the code
+        uses: actions/checkout@v2
 
       - name: Build the Docker image
-        run: docker build . --file Dockerfile --tag docker-kubectl:${{ steps.vars.outputs.docker_tag }}
+        run: docker build . --file Dockerfile --tag dnxsolutions/serverless:latest
+
+      - name: Scan image
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: dnxsolutions/serverless:latest
+          fail-build: true
+          severity-cutoff: critical
+          acs-report-enable: true
+
+      - name: Inspect action SARIF report
+        run: cat ${{ steps.scan.outputs.sarif }}
 
-      - name: Scan with Phonito Security
-        uses: phonito/phonito-scanner-action@master
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@v1
         with:
-          image: docker-kubectl:${{ steps.vars.outputs.docker_tag }}
-          phonito-token: ${{ secrets.PHONITO_TOKEN }}
+          sarif_file: ${{ steps.scan.outputs.sarif }}