Skip to content

build: fix docker container provenance generation using json matrix s… #277

build: fix docker container provenance generation using json matrix s…

build: fix docker container provenance generation using json matrix s… #277

Workflow file for this run

name: CI
on:
push:
branches: [ 'v8' ]
paths-ignore:
- '**.md' # Don't run CI on markdown changes.
pull_request:
branches: [ 'v8', 'feat/**' ]
paths-ignore:
- '**.md'
jobs:
go-versions:
uses: ./.github/workflows/go-versions.yml
# Runs the common tasks (unit tests, lint, benchmarks, installation test)
# against each Go version in the matrix.
go-matrix:
name: ${{ format('Go {0}', matrix.go-version) }}
needs: go-versions
strategy:
# Let jobs fail independently, in case it's a single version that's broken.
fail-fast: false
matrix:
go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }}
uses: ./.github/workflows/common_ci.yml
with:
go-version: ${{ matrix.go-version }}
# Integration tests run only on the latest Go version since they are more
# time intensive, and we'd likely be rate-limited by LaunchDarkly SaaS if we
# ran them in parallel for multiple Go versions.
integration-test:
needs: go-versions
uses: ./.github/workflows/integration-test.yml
with:
environment: 'staging'
go-version: ${{ needs.go-versions.outputs.latest }}
security-scan:
needs: go-versions
runs-on: ubuntu-latest
name: "Trivy Scan of Docker Image"
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: 'true'
- name: Setup Go ${{ inputs.go-version }}
uses: actions/setup-go@v4
with:
go-version: ${{ needs.go-versions.outputs.latest }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
- name: Build Docker Images
run: make products-for-release
- name: Get current Relay version
id: image-tag
run:
echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
- uses: aquasecurity/trivy-action@master
id: scan-alpine
continue-on-error: true
with:
# Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built.
# It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step
# as we do for CI, so the scan will end up checking the public image instead of the one we just built.
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
id: scan-distroless
continue-on-error: true
with:
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
- uses: aquasecurity/trivy-action@master
continue-on-error: true
id: scan-debug-distroless
with:
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64
format: 'table'
exit-code: '1'
ignore-unfixed: true
- name: Fail if any of scan-alpine, scan-distroless, or scan-distroless-debug failed
if: ${{ steps.scan-alpine.outcome != 'success' || steps.scan-distroless.outcome != 'success' || steps.scan-debug-distroless.outcome != 'success' }}
run: exit 1