forked from spiffe/spire
-
Notifications
You must be signed in to change notification settings - Fork 5
119 lines (110 loc) · 3.78 KB
/
spire-server-action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: spire-server workflow
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-*"
pull_request_target:
branches:
- "*"
env:
GO_VERSION: 1.20.1
REPO: 956994857092.dkr.ecr.us-east-2.amazonaws.com
IMAGE_NAME: spire-server
CHART_NAME: spire-server
CHART_PATH: ./spire-server-chart
CHART_REVISION_NAME: spire-server
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
AWS_REGION: us-east-2
permissions:
contents: read
jobs:
tag-validate:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: rubenesp87/[email protected]
with:
version: ${{ github.ref_name }}
images:
name: images (linux)
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Set git token
run: git remote set-url origin https://${{ secrets.V_GIT_KEY }}@github.com/accuknox/spire.git
- name: Update submodules
run: git submodule update --init --recursive
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/[email protected]
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/[email protected]
- name: Build spire-server-sidecar-image
run: make server-sidecar
- name: Tag docker images
run: docker image tag spire-sidecar:latest ${{ env.REPO }}/spire-sidecar:latest
success:
runs-on: ubuntu-20.04
needs: [artifacts]
permissions:
contents: read
steps:
- name: Declare victory!
run: echo "# Successful" >> $GITHUB_STEP_SUMMARY
docker-image-scan:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.tag-validate.result, 'failure')
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
output: ./trivy-results
severity: CRITICAL,HIGH
exit-code: 0
docker-image-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-scan, helm-chart-validate]
steps:
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Docker push to ECR
shell: bash
run: docker push ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
helm-chart-validate:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.version-validation.result, 'failure')
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Validate helm chart
uses: accuknox/common-gh-actions/actions/helm-check@main
with:
chart-path: ${{ env.CHART_PATH }}
revision-name: ${{ env.CHART_REVISION_NAME }}
helm-chart-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-push]
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Push helm chart to ECR
uses: accuknox/common-gh-actions/actions/helm-push@main
with:
chart-path: ${{ env.CHART_PATH }}
version: ${{ github.ref_name }}
ecr-region: ${{ env.AWS_REGION }}
ecr-repo: ${{ env.REPO }}