feat: NVSHAS-9502 create standalone Dockerfile

1. Provide cross platform/standalone Dockerfile
2. Release.yml to publish SLSA-capable artifacts
3. Provide build target, test-image, build-image and push-image to sync
   with rancher.
4. Upgrade to BCI 15.6

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+    - name: Parse target tag
+      run: |
+        TARGET=${{ github.ref_name }}
+        echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+    - name: Publish public manifest
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        push-to-public: true
+        push-to-prime: false
+        image: prometheus-exporter
+        tag: ${{ env.TAG }}
+        platforms: linux/amd64,linux/arm64
+
+        public-registry: docker.io
+        public-repo: neuvector
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+    - name: Publish prime manifest
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        push-to-public: false
+        push-to-prime: true
+        image: neuvector-prometheus-exporter
+        tag: ${{ env.TAG }}
+        platforms: linux/amd64,linux/arm64
+
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-repo: rancher
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

Makefile

@@ -0,0 +1,67 @@
+RUNNER := docker
+IMAGE_BUILDER := $(RUNNER) buildx
+MACHINE := neuvector
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
+
+COMMIT = $(shell git rev-parse --short HEAD)
+ifeq ($(VERSION),)
+	# Define VERSION, which is used for image tags or to bake it into the
+	# compiled binary to enable the printing of the application version, 
+	# via the --version flag.
+	CHANGES = $(shell git status --porcelain --untracked-files=no)
+	ifneq ($(CHANGES),)
+		DIRTY = -dirty
+	endif
+
+
+	COMMIT = $(shell git rev-parse --short HEAD)
+	VERSION = $(COMMIT)$(DIRTY)
+
+	# Override VERSION with the Git tag if the current HEAD has a tag pointing to
+	# it AND the worktree isn't dirty.
+	GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
+	ifneq ($(GIT_TAG),)
+		ifeq ($(DIRTY),)
+			VERSION = $(GIT_TAG)
+		endif
+	endif
+endif
+
+ifeq ($(TAG),)
+	TAG = $(VERSION)
+	ifneq ($(DIRTY),)
+		TAG = dev
+	endif
+endif
+
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+STAGE_DIR=stage
+REPO ?= neuvector
+IMAGE = $(REPO)/prometheus-exporter:$(TAG)
+BUILD_ACTION = --load
+
+.PHONY: all build test copy_adpt
+
+buildx-machine:
+	docker buildx ls
+	@docker buildx ls | grep $(MACHINE) || \
+	docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
+
+test-image:
+	# Instead of loading image, target all platforms, effectivelly testing
+	# the build for the target architectures.
+	$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
+build-image: buildx-machine ## build (and load) the container image targeting the current platform.
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
+	@echo "Built $(IMAGE)"
+
+
+push-image: buildx-machine
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-prometheus-exporter:$(TAG)" --push .
+	@echo "Pushed $(IMAGE)"

package/Dockerfile

@@ -0,0 +1,23 @@
+FROM registry.suse.com/bci/python:3.12
+
+ARG COMMIT
+ARG VERSION
+
+RUN python3 -m venv .venv && source .venv/bin/activate && pip3 install --upgrade pip setuptools prometheus_client requests
+COPY startup.sh /usr/local/bin
+COPY nv_exporter.py /usr/local/bin
+
+LABEL "name"="prometheus-exporter" \
+      "vendor"="SUSE Security" \
+      "neuvector.image"="neuvector/prometheus-exporter" \
+      "neuvector.role"="prometheus-exporter" \
+      "neuvector.rev"="${COMMIT}" \
+      "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+      "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/prometheus-exporter/${VERSION}/README.md" \
+      "org.opencontainers.image.description"="SUSE Security Prometheus Exporter" \
+      "org.opencontainers.image.title"="SUSE Security Prometheus Exporter" \
+      "org.opencontainers.image.source"="https://github.com/neuvector/prometheus-exporter/" \
+      "org.opencontainers.image.version"="${VERSION}" \
+      "org.opensuse.reference"="neuvector/prometheus-exporter:${VERSION}"
+
+ENTRYPOINT ["startup.sh"]

startup.sh

@@ -2,4 +2,4 @@
 if [ -f /.venv/bin/activate ]; then
     source /.venv/bin/activate
 fi
-python -u /usr/local/bin/nv_exporter.py "$@"
+python3 -u /usr/local/bin/nv_exporter.py "$@"