Always build & test Zarf Agent during pull requests; publish latest Zarf Agent on release (zarf-dev#651)

- Adds the Zarf Agent (mutating webook) automatic build in test with the latest code
- Fix issue with out of sync Zarf Agent image tag, always cut a new agent image before a release
- Test the release once more before publishing
- Full support for Linux ARM, closes Complete ARM Support zarf-dev#386

Author: jeff-mccoy

.github/workflows/build-rust-injector.yml

@@ -1,7 +1,4 @@
-name: Build Rust Binary
-
-env:
-  zarfInjectorPath: 'src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector'
+name: Publish Injector Stage I
 
 on:
   workflow_dispatch:
@@ -12,48 +9,58 @@ on:
       branchName:
         description: "Branch to build the injector from"
         required: false
-        default: 'master'
+        default: "master"
 
 jobs:
   build-injector:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     steps:
+      - name: "Dependency: Install cosign"
+        uses: sigstore/cosign-installer@v2.5.0
+
+      - name: "Dependency: Setup rust toolchain"
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
       - name: "Checkout Repo"
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.branchName }}
 
-      - name: "Install cosign"
-        uses: sigstore/cosign-installer@v2.5.0
-
-      - name: "Install Rust And Build"
-        uses: gmiam/rust-musl-action@v1.1.1
-        with:
-          args: cargo build --target x86_64-unknown-linux-musl --release --manifest-path src/injector/stage1/Cargo.toml
+      - name: "Build Rust Binary for x86_64"
+        working-directory: src/injector/stage1
+        run: |
+          cargo build --target x86_64-unknown-linux-musl --release
+          strip target/x86_64-unknown-linux-musl/release/zarf-injector
 
-      - name: "Strip The Binary Down"
-        run: sudo strip ${{ env.zarfInjectorPath }}
-
-      - name: "Upload Rust Binary"
-        uses: actions/upload-artifact@v3
-        with:
-          name: zarf-injector
-          path: ${{ env.zarfInjectorPath }}
+      - name: "Build Rust Binary for aarch64"
+        working-directory: src/injector/stage1
+        run: |
+          rustup target add aarch64-unknown-linux-musl
+          curl https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz
+          export PATH="$PWD/aarch64-linux-musl-cross/bin:$PATH"
+          cargo build --target aarch64-unknown-linux-musl --release
+          aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector
 
       - name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: "Upload Binary To DockerHub"
-        run: cosign upload blob -f ${{ env.zarfInjectorPath }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+      - name: "Upload Binaries To DockerHub"
+        working-directory: src/injector/stage1/target
+        run: |
+          cosign upload blob -f x86_64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
+          cosign upload blob -f aarch64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
 
-      - name: "Sign the binary"
-        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+      - name: "Sign the binaries"
+        run: |
+          cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
+          cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
         env:
           COSIGN_EXPERIMENTAL: 1
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
-

.github/workflows/build-zarf-agent.yml

@@ -2,16 +2,21 @@ name: docs
 on:
   pull_request:
     paths:
-      - '**.md'
-      - '**.jpg'
-      - '**.png'
-      - '**.gif'
-      - '**.svg'
-      - 'adr/**'
-      - 'docs/**'
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - run: 'echo "Not required, non-code changes only." '      
+      - run: 'echo "Not required, non-code changes only." '

.github/workflows/docs.yml

@@ -3,11 +3,15 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
 
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   enforce:
     runs-on: ubuntu-latest
     steps:
-    - uses: yogevbd/enforce-label-action@2.2.2
-      with:
-        BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"
+      - uses: yogevbd/enforce-label-action@2.2.2
+        with:
+          BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"

.github/workflows/labels.yml

@@ -3,31 +3,56 @@ name: Publish Zarf Packages on Tag
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   push-resources:
     runs-on: self-hosted
     steps:
-      - name: Install GoLang
+      - name: "Dependency: Install Golang"
         uses: actions/setup-go@v3
         with:
           go-version: 1.18.x
 
-      - name: Checkout Repo
+      - name: "Dependency: Install Docker Buildx"
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: "Checkout Repo"
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: "Setup caching"
-        uses: actions/cache@v3
+      - name: "Build CLI"
+        run: make build-cli-linux
+
+      - name: "Zarf Agent: Login to Docker Hub"
+        uses: docker/login-action@v2
         with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: "Zarf Agent: Build and Publish the Image"
+        run: |
+          cp build/zarf build/zarf-linux-amd64 && cp build/zarf-arm build/zarf-linux-arm64
+          docker buildx build --push linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:$GITHUB_REF_NAME .
+
+      - name: "Zarf Agent: Sign the Image"
+        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+        env:
+          COSIGN_EXPERIMENTAL: 1
+          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+
+      # Builds init packages since GoReleaser won't handle this for us
+      - name: "Build init-packages For Release"
+        run: |
+          make init-package ARCH=amd64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+          make init-package ARCH=arm64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+
+      - name: "Run Tests"
+        run: sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
 
       # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
       - name: Set AWS Credentials
@@ -37,12 +62,6 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
           aws-region: us-gov-west-1
 
-      # Builds init packages since GoReleaser won't handle this for us
-      - name: "Build init-packages For Release"
-        run: |
-          make build-cli-linux-amd init-package ARCH=amd64
-          make init-package ARCH=arm64
-
       # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
@@ -53,3 +72,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
+
+      - name: "Cleanup"
+        run: sudo make destroy

.github/workflows/release.yml

@@ -10,26 +10,46 @@ on:
       - "adr/**"
       - "docs/**"
 
+# Abort prior jobs in the same workflow / PR
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   validate:
     runs-on: self-hosted
     steps:
-      - name: "Install GoLang"
+      - name: "Dependency: Install Golang"
         uses: actions/setup-go@v3
         with:
           go-version: 1.18.x
 
-      - name: "Checkout Repo"
-        uses: actions/checkout@v3
+      - name: "Dependency: Install Docker Buildx"
+        id: buildx
+        uses: docker/setup-buildx-action@v2
 
-      - name: "K3d cluster init"
+      - name: "Dependency: K3d cluster init"
         run: k3d cluster delete && k3d cluster create
 
+      - name: "Checkout Repo"
+        uses: actions/checkout@v3
+
       - name: "Build CLI"
         run: make build-cli-linux-amd ARCH=amd64
 
+      - name: "Zarf Agent: Login to Docker Hub"
+        uses: docker/login-action@v2
+        with:
+          username: zarfdev
+          password: ${{ secrets.ZARF_DEV_DOCKERHUB }}
+
+      - name: "Zarf Agent: Build and Publish the Image"
+        run: |
+          cp build/zarf build/zarf-linux-amd64
+          docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
+
       - name: "Make Packages"
-        run: make init-package build-examples ARCH=amd64
+        run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA
 
       - name: "Run Tests"
         # NOTE: This test run will create its own K3d cluster. A single cluster will be used throughout the test run.

.github/workflows/test-k3d.yml

@@ -10,23 +10,43 @@ on:
       - "adr/**"
       - "docs/**"
 
+# Abort prior jobs in the same workflow / PR
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   validate:
     runs-on: self-hosted
     steps:
-      - name: "Install GoLang"
+      - name: "Dependency: Install Golang"
         uses: actions/setup-go@v3
         with:
           go-version: 1.18.x
 
+      - name: "Dependency: Install Docker Buildx"
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
       - name: "Checkout Repo"
         uses: actions/checkout@v3
 
       - name: "Build CLI"
         run: make build-cli-linux-amd ARCH=amd64
 
+      - name: "Zarf Agent: Login to Docker Hub"
+        uses: docker/login-action@v2
+        with:
+          username: zarfdev
+          password: ${{ secrets.ZARF_DEV_DOCKERHUB }}
+
+      - name: "Zarf Agent: Build and Publish the Image"
+        run: |
+          cp build/zarf build/zarf-linux-amd64
+          docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
+
       - name: "Make Packages"
-        run: make init-package build-examples ARCH=amd64
+        run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA
 
       - name: "Run Tests"
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed