diff --git a/.github/workflows/image-build-pr.yaml b/.github/workflows/image-build-pr.yaml
new file mode 100644
index 0000000..3f999a1
--- /dev/null
+++ b/.github/workflows/image-build-pr.yaml
@@ -0,0 +1,62 @@
+#
+# Copyright contributors to the Hyperledger Fabric Operator project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Chaincode Builder Image Build and Checks
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+
+env:
+ GO_VER: 1.24.3
+ GOPROXY: "https://proxy.golang.org,direct" # Bypass all proxies to avoid TLS issues
+ GO111MODULE: on # Ensure module-aware mode
+ GOPATH: /opt/go
+jobs:
+ build-image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up go
+ uses: actions/setup-go@v4
+ with:
+ go-version: ${{ env.GO_VER }}
+ - name: Ensure Go is in PATH
+ run: |
+ echo "GOPATH: $GOPATH"
+ echo "PATH: $PATH"
+ - name: Check Go version
+ run: |
+ echo "*********************Go version:***************************"
+ go version
+ echo "************************************************************"
+ - name: unit-tests
+ run: go test `go list ./... | grep -v integration`
+ - name: checks
+ run: |
+ echo "*********************Running checks*************************"
+ chmod +x scripts/*
+ make checks
+ - name: gosec
+ run: make gosec
+ - name: build
+ run: make image
+
\ No newline at end of file
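Review bot: The workflow in .github/workflows/image-build-pr.yaml declares no `permissions:` block, so on `push` to main its steps (`make checks`, `make gosec`, `make image`) run with whatever default GITHUB_TOKEN scope the repository has; nothing here writes to the repo, so add a top-level `permissions:` with `contents: read`. The actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-go@v4`); pinning them to a full commit SHA keeps a re-pointed tag from changing what runs. The comment on `GOPROXY` says "Bypass all proxies", but the value routes through proxy.golang.org first and only falls back to `direct`, so reword it, e.g. `# use the public Go module proxy, fall back to direct fetch`.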
diff --git a/.github/workflows/image.build.yml b/.github/workflows/image.build.yml
new file mode 100644
index 0000000..1b97e2c
--- /dev/null
+++ b/.github/workflows/image.build.yml
@@ -0,0 +1,16 @@
+name: Build and Push Chaincode Builder image
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+jobs:
+ image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Push
+ run: |
+ echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
+ make image image-push
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 13f2d8c..473a638 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ build/
 .env
 golang_copyright.txt
 shell_copyright.txt
-launch.json
\ No newline at end of file
+launch.json
+.DS_Store
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ec4ba43
--- /dev/null
+++ b/Dockerfile
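Review bot: In .github/workflows/image.build.yml the `Push` step expands `${{ secrets.GITHUB_TOKEN }}` directly into the shell script text and leaves `$GITHUB_ACTOR` unquoted; passing the token through `env:` and quoting both expansions keeps the secret out of the rendered script and avoids word splitting. The workflow also has no `permissions:` block, although pushing to ghcr.io needs `packages: write` and nothing beyond `contents: read`, so declare exactly those. The step calls `make image`, whose recipe runs `go mod vendor`, yet this job sets up no Go toolchain, so the version used is presumably whatever the runner image ships.

```yaml
permissions:
  contents: read
  packages: write

# … unchanged: jobs.image, runs-on, checkout step …
      - name: Push
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          make image image-push
```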
@@ -0,0 +1,64 @@
+#
+# Copyright contributors to the Hyperledger Fabric Operations Console project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+ARG ARCH
+ARG GO_VER
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal as builder
+ARG GO_VER
+ARG ARCH
+# gcc required for cgo
+RUN microdnf install -y make gcc tar gzip gcc-c++ && microdnf clean all
+RUN echo "GO_VER=${GO_VER}" && echo "ARCH=${ARCH}"
+RUN test -n "$GO_VER" && test -n "$ARCH" || (echo "GO_VER or ARCH not set!" && exit 1)
+
+RUN curl -sSL https://go.dev/dl/go${GO_VER}.linux-${ARCH}.tar.gz | tar zxf - -C /usr/local
+
+ENV PATH="/usr/local/go/bin:$PATH"
+COPY . /go/src/github.ibm.com/fabric/fabric-chaincode-builder
+WORKDIR /go/src/github.ibm.com/fabric/fabric-chaincode-builder
+RUN GOOS=linux GOARCH=$(go env GOARCH) go build -o build/fabric-chaincode-builder ./cmd/ibp-builder
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal
+ARG IBP_VER
+ARG BUILD_ID
+ARG BUILD_DATE
+
+
+ENV BUILDER=/usr/local/bin/fabric-chaincode-builder \
+ USER_UID=1001 \
+ USER_NAME=fabric-chaincode-builder \
+ CLIENT_TIMEOUT=5m \
+ FILE_SERVER_LISTEN_IP=0.0.0.0 \
+ FILE_SERVER_LISTEN_PORT=22222 \
+ SHARED_VOLUME_PATH=/data \
+ SIDECAR_LISTEN_ADDRESS=0.0.0.0:11111
+
+RUN microdnf update -y
+RUN microdnf install -y shadow-utils iputils
+RUN groupadd -g 7051 ibp-user \
+ && useradd -u 7051 -g ibp-user -s /bin/bash ibp-user \
+ && microdnf remove -y shadow-utils \
+ && microdnf clean -y all;
+
+COPY --from=builder /go/src/github.ibm.com/fabric/fabric-chaincode-builder/build/fabric-chaincode-builder ${BUILDER}
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+USER ibp-user
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD [ "sh", "-c", "fabric-chaincode-builder --kubeconfig \"${KUBECONFIG}\" --kubeNamespace \"${KUBE_NAMESPACE}\" --clientTimeout \"${CLIENT_TIMEOUT}\" --peerID \"${PEER_ID}\" --sharedVolumePath \"${SHARED_VOLUME_PATH}\" --fileServerListenAddress \"${FILE_SERVER_LISTEN_IP}:${FILE_SERVER_LISTEN_PORT}\" --sidecarListenAddress \"${SIDECAR_LISTEN_ADDRESS}\" --fileServerBaseURL \"${FILE_SERVER_BASE_URL}\"" ]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..00b00aa
--- /dev/null
+++ b/Makefile
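Review bot: In the Dockerfile's builder stage the Go toolchain is fetched with `curl -sSL … | tar zxf -` and unpacked with no integrity check; there is no `-f` and no pipefail, so an HTTP error body is handed to tar, and nothing ties the tarball to a known release hash. Download to a file, verify it against a SHA-256 passed as a new build argument (the Makefile's `BUILD_ARGS` would have to supply it), then extract, as sketched below. Both `FROM registry.access.redhat.com/ubi9/ubi-minimal` lines are untagged, so every build pulls whatever `latest` currently is; pin a tag or digest. `USER ibp-user` is a name, which Kubernetes `runAsNonRoot` cannot verify, so prefer `USER 7051`; note that `USER_UID=1001` in the `ENV` block does not match the uid 7051 created here.

```dockerfile
ARG GO_SHA256
# … unchanged: microdnf install, GO_VER / ARCH checks …
RUN test -n "$GO_SHA256" \
    && curl -fsSL -o /tmp/go.tar.gz "https://go.dev/dl/go${GO_VER}.linux-${ARCH}.tar.gz" \
    && echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c - \
    && tar -xzf /tmp/go.tar.gz -C /usr/local \
    && rm -f /tmp/go.tar.gz
```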
@@ -0,0 +1,70 @@
+#
+# Copyright contributors to the Hyperledger Fabric Operator project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+IMAGE ?= ghcr.io/hyperledger-labs/fabric-chaincode-builder
+TAG ?= $(shell git rev-parse --short HEAD)
+ARCH ?= $(shell go env GOARCH)
+BRANCH ?= $(shell git branch --show-current)
+DOCKER_IMAGE_REPO ?= ghcr.io
+REGISTRY ?= $(DOCKER_IMAGE_REPO)/ibp-golang
+GO_VER ?= 1.24.3
+BUILD_DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+GOOS ?= $(shell go env GOOS)
+
+
+BUILD_ARGS=--build-arg ARCH=$(ARCH)
+BUILD_ARGS+=--build-arg REGISTRY=$(REGISTRY)
+BUILD_ARGS+=--build-arg BUILD_ID=$(TAG)
+BUILD_ARGS+=--build-arg BUILD_DATE=$(BUILD_DATE)
+BUILD_ARGS+=--build-arg GO_VER=$(GO_VER)
+
+
+.PHONY: build login
+
+int-tests:
+ @ginkgo -v ./integration
+
+build:
+ GOOS=$(GOOS) GOARCH=$(ARCH) go build -o build/fabric-chaincode-builder ./cmd/ibp-builder
+ GOOS=$(GOOS) GOARCH=$(ARCH) go build -o build/fabric-chaincode-builder-client ./cmd/ibp-builder-client
+
+image: ## Builds a x86 based image
+ @go mod vendor
+ docker build --rm . -f Dockerfile $(BUILD_ARGS) -t $(IMAGE):$(TAG)-$(ARCH)
+ docker tag $(IMAGE):$(TAG)-$(ARCH) $(IMAGE):latest-$(ARCH)
+
+image-nologin:
+ @go mod vendor
+ docker build --rm . -f Dockerfile $(BUILD_ARGS) -t $(IMAGE):$(TAG)-$(ARCH)
+ docker tag $(IMAGE):$(TAG)-$(ARCH) $(IMAGE):latest-$(ARCH)
+image-push:
+ docker push $(IMAGE):$(TAG)-$(ARCH)
+
+unit-tests:
+ go test `go list ./... | grep -v integration`
+
+gosec:
+ @scripts/go-sec.sh
+
+checks: license
+ @scripts/checks
+
+.PHONY: license
+license:
+ @scripts/check-license.sh
diff --git a/scripts/check-license.sh b/scripts/check-license.sh
new file mode 100644
index 0000000..d4a0f0d
--- /dev/null
+++ b/scripts/check-license.sh
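Review bot: In the Makefile, `.PHONY: build login` names a `login` target that this file does not define and omits the targets that are not files (`int-tests`, `image`, `image-nologin`, `image-push`, `unit-tests`, `gosec`, `checks`); list them, e.g. `.PHONY: build int-tests image image-nologin image-push unit-tests gosec checks`. `image` and `image-nologin` carry identical recipes, so one can simply depend on the other (`image-nologin: image`). `BUILD_ARGS` passes `REGISTRY`, which the Dockerfile added in this commit never declares as an `ARG`, and the `## Builds a x86 based image` comment does not hold because `ARCH` is taken from `go env GOARCH`.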
@@ -0,0 +1,138 @@
+#!/bin/bash
+#
+# Copyright contributors to the Hyperledger Fabric Operations Console project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+cat << EOB > golang_copyright.txt
+/*
+ * Copyright contributors to the Hyperledger Fabric Operations Console project
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+EOB
+
+cat << EOB > shell_copyright.txt
+#
+# Copyright contributors to the Hyperledger Fabric Operations Console project
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+EOB
+
+function filterGeneratedFiles {
+ for f in $@; do
+ head -n5 $f | grep -qE 'Code generated by.*DO NOT EDIT' || echo $f
+ done
+}
+
+function filterExcludedFiles {
+ CHECK=`echo "$CHECK" \
+ | grep -v "^\.build/" \
+ | grep -v "^\.git/" \
+ | grep -v "^\.gitignore" \
+ | grep -v "\.json$" \
+ | grep -v "\.pem$" \
+ | grep -v "\.crt$" \
+ | grep -v "\.txt$" \
+ | grep -v "\.md$" \
+ | grep -v "_sk$" \
+ | grep -v "\.key$" \
+ | grep -v "\.gen\.go$" \
+ | grep -v "tools/" \
+ | grep -v "testdata/" \
+ | grep -v "vendor/" \
+ | grep -v "go.mod" \
+ | grep -v "go.sum" \
+ | grep -v .secrets.baseline \
+ | grep -v .pre-commit-config.yaml \
+ | sort -u`
+
+ CHECK=$(filterGeneratedFiles "$CHECK")
+}
+
+CHECK=$(git diff --name-only --diff-filter=ACMRTUXB HEAD)
+filterExcludedFiles
+if [[ -z "$CHECK" ]]; then
+ CHECK=$(git diff-tree --no-commit-id --name-only --diff-filter=ACMRTUXB -r "HEAD^..HEAD")
+ filterExcludedFiles
+fi
+
+if [[ -z "$CHECK" ]]; then
+ echo "All files are excluded from having license headers"
+ exit 0
+fi
+
+missing=`echo "$CHECK" | xargs ls -d 2>/dev/null | xargs grep -L "SPDX-License-Identifier: Apache-2.0"`
+if [[ -z "$missing" ]]; then
+ echo "All files have SPDX-License-Identifier: Apache-2.0"
+ exit 0
+fi
+
+TMPFILE="./tmpfile"
+
+for FILE in ${missing}; do
+ EXT="${FILE##*.}"
+ echo "Adding copyright notice to $FILE"
+ if [ "${EXT}" = "go" ]; then
+ cat golang_copyright.txt ${FILE} > ${TMPFILE}
+ cat ${TMPFILE} > ${FILE}
+ rm -f ${TMPFILE}
+ echo " ${FILE} copyright notice added"
+ elif [ "${EXT}" = "yaml" ]; then
+ cat shell_copyright.txt ${FILE} > ${TMPFILE}
+ cat ${TMPFILE} > ${FILE}
+ rm -f ${TMPFILE}
+ echo " ${FILE} copyright notice added"
+ elif [ "${EXT}" = "sh" ]; then
+ cat shell_copyright.txt ${FILE} > ${TMPFILE}
+ cat ${TMPFILE} > ${FILE}
+ rm -f ${TMPFILE}
+ echo " ${FILE} copyright notice added"
+ else
+ echo "invalid file extension"
+ fi
+done
+
+rm golang_copyright.txt shell_copyright.txt
+
+exit 0
\ No newline at end of file
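Review bot: scripts/check-license.sh ends in `exit 0` on every path, including after it has found files without the SPDX header and in the `invalid file extension` branch, so the `license` prerequisite of `make checks` can never fail the CI job; the headers it adds land only in the runner's workspace and are discarded. If this is meant to gate merges, exit non-zero once `$missing` is non-empty, e.g. change the final `exit 0` to `exit 1`. `for f in $@`, `head -n5 $f`, `for FILE in ${missing}` and the `cat … ${FILE} > ${TMPFILE}` lines are unquoted, so a path containing spaces or glob characters is split or expanded; quote the expansions and read the names line by line. The fixed `TMPFILE="./tmpfile"` overwrites and then deletes any existing file of that name in the working directory, which `TMPFILE=$(mktemp)` avoids.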