forked from spiffe/spire
-
Notifications
You must be signed in to change notification settings - Fork 5
188 lines (173 loc) · 6.34 KB
/
spire-agent-action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
name: spire-agent workflow
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-*"
pull_request_target:
branches:
- "*"
env:
GO_VERSION: 1.20.1
REPO: 956994857092.dkr.ecr.us-east-2.amazonaws.com
IMAGE_NAME: spire-agent
CHART_NAME: spire-agent
CHART_PATH: ./spire-agent-chart
CHART_REVISION_NAME: spire-agent
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
AWS_REGION: us-east-2
permissions:
contents: read
jobs:
tag-validate:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: rubenesp87/[email protected]
with:
version: ${{ github.ref_name }}
cache-deps:
name: cache-deps (linux)
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Set git token
run: git remote set-url origin https://${{ secrets.V_GIT_KEY }}@github.com/accuknox/spire.git
- name: Update submodules
run: git submodule update --init --recursive
- name: Setup dep cache
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Pull go deps
run: go mod download
artifacts:
name: artifacts (linux)
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Build artifacts
run: ./.github/workflows/scripts/build_artifacts.sh
images:
name: images (linux)
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/[email protected]
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/[email protected]
- name: download regctl
run: |
curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
chmod 755 regctl
mv regctl /usr/bin
whereis regctl
- name: Build spire-agent-image
run: make spire-agent-image
- name: load spire-agent-image
run: make load-images
- name: Tag docker images
run: docker image tag ${{ env.IMAGE_NAME }}:latest ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
docker-image-scan:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.tag-validate.result, 'failure')
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
output: ./trivy-results
severity: CRITICAL,HIGH
exit-code: 0
docker-image-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-scan, helm-chart-validate]
steps:
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Docker push to ECR
shell: bash
run: docker push ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
helm-chart-validate:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.version-validation.result, 'failure')
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Validate helm chart
uses: accuknox/common-gh-actions/actions/helm-check@main
with:
chart-path: ${{ env.CHART_PATH }}
revision-name: ${{ env.CHART_REVISION_NAME }}
helm-chart-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-push]
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Push helm chart to ECR
uses: accuknox/common-gh-actions/actions/helm-push@main
with:
chart-path: ${{ env.CHART_PATH }}
version: ${{ github.ref_name }}
ecr-region: ${{ env.AWS_REGION }}
ecr-repo: ${{ env.REPO }}
success:
runs-on: ubuntu-20.04
needs: [artifacts]
permissions:
contents: read
steps:
- name: Declare victory!
run: echo "# Successful" >> $GITHUB_STEP_SUMMARY