art: Make targets more flexible

and adds more useful Earthly targets
2025-09-17 07:17:41 +00:00 · 2022-07-14 18:05:58 +00:00
parent aa720de6f8
commit a7cf9f9a8f
1 changed files with 54 additions and 9 deletions
--- a/63
+++ b/63
@@ -17,6 +17,17 @@ ARG COSIGN_EXPERIMENTAL=0
 ARG CGO_ENABLED=0
 ARG ELEMENTAL_IMAGE=quay.io/costoolkit/elemental:v0.0.15-8a78e6b

+
+all:
+  BUILD +docker
+  BUILD +iso
+  BUILD +netboot
+  BUILD +ipxe-iso
+
+all-arm:
+  BUILD --platform=linux/arm64 +docker
+  BUILD +arm-image
+
 go-deps:
    FROM golang
    WORKDIR /build
@@ -64,6 +75,7 @@ framework:
    ARG REPOSITORIES_FILE
    ARG COSIGN_EXPERIMENTAL
    ARG COSIGN_REPOSITORY
+    ARG WITH_KERNEL

    FROM alpine
    COPY +luet/luet /usr/bin/luet
@@ -80,7 +92,7 @@ framework:

    ENV USER=root

-    IF [ "$FLAVOR" = "alpine" ] || [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "alpine-arm-rpi" ] 
+    IF [ "$WITH_KERNEL" = "true" ] || [ "$FLAVOR" = "alpine" ] || [ "$FLAVOR" = "fedora" ] || [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "alpine-arm-rpi" ]
        RUN /usr/bin/luet install -y --system-target /framework \
            meta/cos-verify \
            meta/cos-core \
@@ -110,9 +122,24 @@ framework:
            container/kubectl \
            utils/nerdctl
    END
+
+    RUN /usr/bin/luet cleanup --system-target /framework
    COPY overlay/files /framework
+    RUN rm -rf /framework/var/luet
+    RUN rm -rf /framework/var/cache
    SAVE ARTIFACT /framework/ framework

+framework-image:
+    FROM scratch
+    ARG IMG
+    COPY +framework/framework /
+    SAVE IMAGE $IMG
+
+framework-images:
+    ARG IMG
+    BUILD +framework-image --WITH_KERNEL=true
+    BUILD +framework-image --WITH_KERNEL=false --IMG=$IMG-kernel
+
 docker:
    ARG K3S_VERSION
    IF [ "$BASE_IMAGE" = "" ]
@@ -268,12 +295,30 @@ ipxe-iso:
    SAVE ARTIFACT /build/ipxe/src/bin/ipxe.iso iso AS LOCAL build/${ISO_NAME}-ipxe.iso.ipxe
    SAVE ARTIFACT /build/ipxe/src/bin/ipxe.usb usb AS LOCAL build/${ISO_NAME}-ipxe-usb.img.ipxe

-all:
-  BUILD +docker
-  BUILD +iso
-  BUILD +netboot
-  BUILD +ipxe-iso

-all-arm:
-  BUILD --platform=linux/arm64 +docker
-  BUILD +arm-image
+## Security targets
+trivy:
+    FROM aquasec/trivy
+    SAVE ARTIFACT /usr/local/bin/trivy /trivy
+
+trivy-scan:
+    ARG SEVERITY=CRITICAL
+    FROM +docker
+    COPY +trivy/trivy /trivy
+    RUN /trivy filesystem --severity $SEVERITY --exit-code 1 --no-progress /
+
+linux-bench:
+    FROM golang
+    GIT CLONE https://github.com/aquasecurity/linux-bench /linux-bench-src
+    RUN cd /linux-bench-src && CGO_ENABLED=0 go build -o linux-bench . && mv linux-bench /
+    SAVE ARTIFACT /linux-bench /linux-bench
+
+# The target below should run on a live host instead. 
+# However, some checks are relevant as well at container level.
+# It is good enough for a quick assessment.
+linux-bench-scan:
+    FROM +docker
+    GIT CLONE https://github.com/aquasecurity/linux-bench /build/linux-bench
+    WORKDIR /build/linux-bench
+    COPY +linux-bench/linux-bench /build/linux-bench/linux-bench
+    RUN /build/linux-bench/linux-bench