forked from Azure/aks-app-routing-operator
-
Notifications
You must be signed in to change notification settings - Fork 0
114 lines (103 loc) · 3.98 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: Release
on:
workflow_dispatch:
inputs:
version:
description: 'Version to release. Must be in the CHANGELOG.md file. Example: 1.0.0'
required: true
sha:
description: 'Commit SHA to release. Example: 7dec363daaca95c59f68607ac1f29a12bc0b195b'
required: true
overwrite:
description: 'Overwrite the image in the container registry and the GitHub release'
required: true
type: boolean
validate:
description: 'Validate the image follows best practices'
type: boolean
default: true
required: true
permissions:
id-token: write
contents: write
jobs:
# print inputs so reviewers can easily validate
print:
runs-on: ubuntu-latest
steps:
- name: Generate list using Markdown
run: |
echo "## Inputs" >> $GITHUB_STEP_SUMMARY
echo "${{ toJSON(github.event.inputs) }}" >> $GITHUB_STEP_SUMMARY
# validate ensures best practices are being followed before we release
validate:
if: ${{ inputs.validate }}
runs-on: ubuntu-latest
env:
TAG: aks-app-routing-operator-validate:${{ inputs.version }}
steps:
# validate image from sha input
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.sha }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
- name: Build image locally
run: docker buildx build --tag "${TAG}" --load .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
with:
image-ref: ${{ env.TAG }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
# if we need to ignore a vulnerability we can use a .trivyignore and reference it here
release:
needs: [validate, print]
if: ${{ always() && (contains(needs.validate.result, 'success') || contains(needs.validate.result, 'skipped')) }}
environment: prod
runs-on: ["self-hosted", "1ES.Pool=${{ vars.RUNNER_BASE_NAME }}-ubuntu"]
steps:
# always read the changelog in main
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: 'main'
- name: Read changelog
id: changelog
uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef # v2.2.2
with:
validation_level: warn
version: ${{ inputs.version }}
# build image from sha input
- uses: actions/checkout@v3
with:
ref: ${{ inputs.sha }}
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
- name: Authenticate to ACR
run: |
az login --identity
az acr login -n ${{ secrets.AZURE_REGISTRY_SERVER }}
- name: Create or update release
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
name: ${{ steps.changelog.outputs.version }}
tag: v${{ steps.changelog.outputs.version }}
body: ${{ steps.changelog.outputs.changes }}
commit: ${{ inputs.sha }}
prerelease: false
draft: false
token: ${{ secrets.GITHUB_TOKEN }}
allowUpdates: ${{ inputs.overwrite }}
# Push happens after creating GitHub release so we don't overwrite an image.
# Create release step doesn't allow for tag updates so we will never push
# to an image that already exists.
- name: Build and push image
env:
VERSION: ${{ inputs.version }}
run: |
TAG="${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/aks-app-routing-operator:$VERSION"
docker buildx build --platform "amd64,arm64" --tag "${TAG}" --output type=registry .