-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: András Jáky <[email protected]>
- Loading branch information
Showing
5 changed files
with
930 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| version: 2 | ||
|
|
||
| updates: | ||
| - package-ecosystem: "gomod" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" | ||
|
|
||
| - package-ecosystem: "docker" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" | ||
|
|
||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,268 @@ | ||
| name: Artifacts | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| publish: | ||
| description: Publish artifacts to the artifact store | ||
| default: false | ||
| required: false | ||
| type: boolean | ||
| release: | ||
| description: Whether this is a release build | ||
| default: false | ||
| required: false | ||
| type: boolean | ||
| outputs: | ||
| container-image-name: | ||
| description: Container image name | ||
| value: ${{ jobs.container-image.outputs.name }} | ||
| container-image-digest: | ||
| description: Container image digest | ||
| value: ${{ jobs.container-image.outputs.digest }} | ||
| container-image-tag: | ||
| description: Container image tag | ||
| value: ${{ jobs.container-image.outputs.tag }} | ||
| container-image-ref: | ||
| description: Container image ref | ||
| value: ${{ jobs.container-image.outputs.ref }} | ||
| helm-chart-name: | ||
| description: Helm chart OCI name | ||
| value: ${{ jobs.helm-chart.outputs.name }} | ||
| helm-chart-tag: | ||
| description: Helm chart tag | ||
| value: ${{ jobs.helm-chart.outputs.tag }} | ||
| helm-chart-package: | ||
| description: Helm chart package name | ||
| value: ${{ jobs.helm-chart.outputs.package }} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| container-image: | ||
| name: Container image | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| security-events: write | ||
|
|
||
| outputs: | ||
| name: ${{ steps.image-name.outputs.value }} | ||
| digest: ${{ steps.build.outputs.digest }} | ||
| tag: ${{ steps.meta.outputs.version }} | ||
| ref: ${{ steps.image-ref.outputs.value }} | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||
|
|
||
| - name: Set image name | ||
| id: image-name | ||
| run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Gather build metadata | ||
| id: meta | ||
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | ||
| with: | ||
| images: ${{ steps.image-name.outputs.value }} | ||
| flavor: | | ||
| latest = false | ||
| tags: | | ||
| type=ref,event=branch | ||
| type=ref,event=pr,prefix=pr- | ||
| type=semver,pattern={{raw}} | ||
| type=raw,value=latest,enable={{is_default_branch}} | ||
| # Multiple exporters are not supported yet | ||
| # See https://github.com/moby/buildkit/pull/2760 | ||
| - name: Determine build output | ||
| uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
| id: build-output | ||
| with: | ||
| cond: ${{ inputs.publish }} | ||
| if_true: type=image,push=true | ||
| if_false: type=oci,dest=image.tar | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ github.token }} | ||
| if: inputs.publish | ||
|
|
||
| - name: Build and push image | ||
| id: build | ||
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64,linux/arm/v7 | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| outputs: ${{ steps.build-output.outputs.value }} | ||
| # push: ${{ inputs.publish }} | ||
|
|
||
| - name: Set image ref | ||
| id: image-ref | ||
| run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Fetch image | ||
| run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar | ||
| if: inputs.publish | ||
|
|
||
| - name: Upload image as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] OCI tarball" | ||
| path: image.tar | ||
|
|
||
| - name: Extract OCI tarball | ||
| run: | | ||
| mkdir -p image | ||
| tar -xf image.tar -C image | ||
| # See https://github.com/anchore/syft/issues/1545 | ||
| - name: Extract image from multi-arch image | ||
| run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy --additional-tag ${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci:image docker-archive:docker.tar | ||
|
|
||
| - name: Upload image as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] Docker tarball" | ||
| path: docker.tar | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 | ||
| with: | ||
| input: image | ||
| format: sarif | ||
| output: trivy-results.sarif | ||
|
|
||
| - name: Upload Trivy scan results as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] Trivy scan results" | ||
| path: trivy-results.sarif | ||
| retention-days: 5 | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 | ||
| with: | ||
| sarif_file: trivy-results.sarif | ||
|
|
||
| helm-chart: | ||
| name: Helm chart | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| security-events: write | ||
|
|
||
| outputs: | ||
| name: ${{ steps.oci-chart-name.outputs.value }} | ||
| tag: ${{ steps.version.outputs.value }} | ||
| package: ${{ steps.build.outputs.package }} | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||
|
|
||
| - name: Set up Helm | ||
| uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 | ||
| with: | ||
| version: v3.12.0 | ||
|
|
||
| - name: Set chart name | ||
| id: chart-name | ||
| run: echo "value=${{ github.event.repository.name }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Set OCI registry name | ||
| id: oci-registry-name | ||
| run: echo "value=ghcr.io/${{ github.repository_owner }}/helm-charts" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Set OCI chart name | ||
| id: oci-chart-name | ||
| run: echo "value=${{ steps.oci-registry-name.outputs.value }}/${{ steps.chart-name.outputs.value }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Helm lint | ||
| run: helm lint deploy/charts/${{ steps.chart-name.outputs.value }} | ||
|
|
||
| - name: Determine raw version | ||
| uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
| id: raw-version | ||
| with: | ||
| cond: ${{ inputs.release }} | ||
| if_true: ${{ github.ref_name }} | ||
| if_false: v0.0.0 | ||
|
|
||
| - name: Determine version | ||
| id: version | ||
| run: | | ||
| VERSION=${{ steps.raw-version.outputs.value }} | ||
| echo "value=${VERSION#v}" >> "$GITHUB_OUTPUT" | ||
| - name: Helm package | ||
| id: build | ||
| run: | | ||
| helm package deploy/charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }} | ||
| echo "package=${{ steps.chart-name.outputs.value }}-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT" | ||
| - name: Upload chart as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] Helm chart" | ||
| path: ${{ steps.build.outputs.package }} | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ github.token }} | ||
| if: inputs.publish && inputs.release | ||
|
|
||
| - name: Helm push | ||
| run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} | ||
| env: | ||
| HELM_REGISTRY_CONFIG: ~/.docker/config.json | ||
| if: inputs.publish && inputs.release | ||
|
|
||
| - name: Upload package as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] package" | ||
| path: ${{ steps.build.outputs.package }} | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 | ||
| with: | ||
| scan-type: config | ||
| scan-ref: deploy/charts/${{ steps.chart-name.outputs.value }} | ||
| format: sarif | ||
| output: trivy-results.sarif | ||
|
|
||
| - name: Upload Trivy scan results as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] Trivy scan results" | ||
| path: trivy-results.sarif | ||
| retention-days: 5 | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 | ||
| with: | ||
| sarif_file: trivy-results.sarif |
Oops, something went wrong.