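name: Rust
# TODO: Add a job to release the tracing-utils crate!!
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
    types: [opened, reopened, ready_for_review, synchronize]
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN. Nothing in this workflow writes to this
# repository: image pushes use the OCIR secrets and the infra-repo commit uses
# a dedicated PAT, so read-only contents is all the default token needs.
permissions:
  contents: read

# Automatically cancel in-progress actions on the same branch
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  DOCKER_CONTAINER_IMAGE_BASE: lhr.ocir.io/lrdyqp2xtoja/hello-rust-backend
  # get correct commit sha for pull requests as well
  COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}

jobs:
  test:
    runs-on: ubuntu-latest
    # if: ${{ !github.event.pull_request.draft }}
    steps:
      - uses: actions/checkout@v3
      # NOTE(security): the `@main` / `@master` action references in this job, the
      # clippy and build jobs, and trivy-action track a mutable branch. Pin them
      # to a release tag or full commit SHA so an upstream change cannot silently
      # alter what runs in this pipeline.
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: cachix/cachix-action@v12
        with:
          name: nix-community
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - uses: Swatinem/rust-cache@v2
        with:
          cache-on-failure: "true"
      - uses: rui314/setup-mold@v1
      - name: Run tests
        run: nix develop .#buildShell/x86_64-linux -c cargo test

  clippy:
    runs-on: ubuntu-latest
    # if: ${{ !github.event.pull_request.draft }}
    steps:
      - uses: actions/checkout@v3
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: cachix/cachix-action@v12
        with:
          name: nix-community
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - uses: Swatinem/rust-cache@v2
        with:
          cache-on-failure: "true"
      - run: nix develop .#buildShell/x86_64-linux -c cargo clippy

  build:
    # runs-on: [self-hosted, linux, ARM64]
    runs-on: ubuntu-latest
    services:
      # Run a local docker registry
      # This is needed for pushing the multiarch base image to,
      # because buildkit can't access a loaded image for another architecture
      registry:
        image: registry:2
        ports:
          # quoted: host:container pairs are strings, not sexagesimal ints
          - "5000:5000"
    strategy:
      matrix:
        target:
          - rust: aarch64-unknown-linux-gnu
            nix: aarch64-linux
    steps:
      - uses: actions/checkout@v3
      # - uses: dtolnay/rust-toolchain@stable
      #   with:
      #     targets: ${{ matrix.target.rust }}
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: cachix/cachix-action@v12
        with:
          name: nix-community
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - uses: Swatinem/rust-cache@v2
      - name: Set up Docker Context for Buildx
        id: buildx-context
        run: |
          docker context create builders
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.11.2
          endpoint: builders
          install: true
          # required for the docker buildx container to connect to the localhost registry
          driver-opts: network=host
      - name: nix build base docker image
        run: |
          nix build -L .#dockerDependenciesOnly/${{ matrix.target.nix }} && ./result | docker load
          docker tag hello-rust-backend-dependencies:nix-latest-build-tag localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag
          docker push localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag
      - name: Build binary of project using nix shell
        run: |
          nix develop .#buildShell/${{ matrix.target.nix }} -c cargo build --target=${{ matrix.target.rust }} --release
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          registry: lhr.ocir.io
          username: ${{ secrets.OCIR_USERNAME }}
          password: ${{ secrets.OCIR_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        env:
          # env values are strings; quoted so YAML does not retype it
          DOCKER_METADATA_PR_HEAD_SHA: "true"
        with:
          images: |
            ${{ env.DOCKER_CONTAINER_IMAGE_BASE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            # An edge tag reflects the last commit of the active branch on your Git repository
            type=edge
            # git commit sha
            type=sha,format=long
            # set latest tag for default branch
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build Dockerfile
        id: build-and-push-action-1
        uses: docker/build-push-action@v3
        with:
          context: .
          file: Dockerfile
          push: false
          load: true
          # doesn't need to have the correct final tag or labels here, this build just puts
          # something in the local cache rather than pushing it. Correct tags and labels
          # are set in the next docker/build-push-action
          tags: docker-built-image:latest-image
          cache-from: type=gha
          # cache-to: type=local,dest=buildkit-docker-cache-location
          cache-to: type=gha
          platforms: linux/arm64
          # BASE_IMAGE referring to the nix built base docker image
          build-args: |
            RUST_TARGET_DIR=target/${{ matrix.target.rust }}/release
            BASE_IMAGE=localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag
      # exit-code "1" fails the job on HIGH/CRITICAL findings before the re-tag
      # and push steps below run, so a flagged image never reaches the registry.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: docker-built-image:latest-image
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
      # tag nix image
      - name: re-tag docker image and get the image id and final image size
        id: nix-image-tagging
        env:
          # Step outputs are handed to the shell via the environment instead of
          # being interpolated into the script, so tag text derived from
          # branch/PR refs is data to the shell, never parsed as code.
          META_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          IMAGE_TO_RETAG_AND_PUSH="docker-built-image:latest-image"
          image_id=$(docker image ls "$IMAGE_TO_RETAG_AND_PUSH" --format "{{.ID}}")
          echo "image_id=$image_id"
          echo "image_id=$image_id" >> "$GITHUB_OUTPUT"
          echo "final_image_size=$(docker image ls "$IMAGE_TO_RETAG_AND_PUSH" --format "{{.Size}}")" >> "$GITHUB_OUTPUT"
          echo "$META_TAGS" | xargs -n1 docker tag "$IMAGE_TO_RETAG_AND_PUSH"
          docker rmi "$IMAGE_TO_RETAG_AND_PUSH"
      - name: docker push (and get digest)
        id: docker-push
        run: |
          echo "$DOCKER_CONTAINER_IMAGE_BASE"
          docker push --all-tags "$DOCKER_CONTAINER_IMAGE_BASE"
          # the sha-<commit> tag is always produced by the metadata step above,
          # so it is the stable handle for reading back the pushed digest
          echo "image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA}" | sed 's/.*@//')" >> "$GITHUB_OUTPUT"
      - name: Job summary info (as markdown)
        env:
          IMAGE_DIGEST: ${{ steps.docker-push.outputs.image_digest }}
          META_TAGS: ${{ steps.meta.outputs.tags }}
          FINAL_IMAGE_SIZE: ${{ steps.nix-image-tagging.outputs.final_image_size }}
        run: |
          {
            echo "# Built image info"
            echo "- image digest: \`${IMAGE_DIGEST}\`"
            echo "- revision (commit-sha): \`${COMMIT_SHA}\`"
            echo "- tags: \`${META_TAGS}\`"
            echo "- image size: \`${FINAL_IMAGE_SIZE}\`"
          } >> "$GITHUB_STEP_SUMMARY"
    outputs:
      docker-image-published-digest: ${{ steps.docker-push.outputs.image_digest }}
      app-version: ${{ env.COMMIT_SHA }}

  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    needs: [build, clippy, test]
    steps:
      - uses: actions/checkout@v3
        with:
          repository: SG60/hello-rust-infrastructure-config
          ref: "main"
          token: ${{ secrets.WRITE_INFRASTRUCTURE_REPOSITORY_PAT }}
      - name: install kustomize
        id: kustomize-installation
        env:
          KUSTOMIZE_VERSION: "v4.5.7"
          KUSTOMIZE_ARCHIVE: "kustomize_v4.5.7_linux_amd64.tar.gz"
        run: |
          base="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}"
          curl -sfLo "$KUSTOMIZE_ARCHIVE" "${base}/${KUSTOMIZE_ARCHIVE}"
          # Verify the archive against the release's published checksum list
          # before extracting; the original install ran an unverified download.
          curl -sfLo checksums.txt "${base}/checksums.txt"
          sha256sum --ignore-missing -c checksums.txt
          tar xzf "./${KUSTOMIZE_ARCHIVE}"
          echo "KUSTOMIZE_COMMAND=$PWD/kustomize" >> "$GITHUB_OUTPUT"
      - name: Update kustomization for new image
        # in 'prod' folder
        env:
          KUSTOMIZE: ${{ steps.kustomize-installation.outputs.KUSTOMIZE_COMMAND }}
          IMAGE_DIGEST: ${{ needs.build.outputs.docker-image-published-digest }}
          APP_VERSION: ${{ needs.build.outputs.app-version }}
        run: |
          cd k8s/prod
          "$KUSTOMIZE" edit set image "${DOCKER_CONTAINER_IMAGE_BASE}@${IMAGE_DIGEST}"
          # update version label; the value is quoted so an all-digit commit sha
          # is kept as a string label rather than parsed as an integer
          cat > ./generated/labels.patch.yaml <<EOF
          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: hello-rust-backend
            labels:
              app.kubernetes.io/version: "${APP_VERSION}"
          EOF
      - name: Commit to git
        env:
          APP_VERSION: ${{ needs.build.outputs.app-version }}
        run: |
          git config user.name github-actions
          # NOTE(review): this address appears redacted in the source listing; confirm the intended value
          git config user.email "[email protected]"
          git add k8s/prod/kustomization.yaml k8s/prod/generated
          git commit -m "update: SG60/hello-rust@${APP_VERSION} "
          git push
          echo "Committed to infra: https://github.com/SG60/hello-rust-infrastructure-config/commit/$(git rev-parse HEAD) " >> "$GITHUB_STEP_SUMMARY"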