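# Builds the dataproduct-apps container image with Earthly on every push.
# Only the steps that publish, sign and attest the image run on
# refs/heads/main (gated per step in the build job); the deploy jobs are
# gated to main as well.
name: Create docker image

# One active run per workflow + ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Triggers on every push to every branch (main-only behaviour is handled by
# `if:` conditions below). `on` is a YAML 1.1 boolean key; GitHub's loader
# handles it, so silence yamllint's truthy rule here if it complains.
on:
  push:

env:
  REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
  IMAGE_NAME: dataproduct-apps
  # Actions env values are always strings; quote boolean-looking values so
  # YAML tooling does not retype them to booleans.
  EARTHLY_USE_INLINE_CACHE: "true"
  EARTHLY_SAVE_INLINE_CACHE: "true"
  EARTHLY_VERBOSE: "true"
  EARTHLY_FULL_TARGET: "true"
  EARTHLY_OUTPUT: "true"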
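jobs:
  # Build the image on every push; push, sign and attest only on main.
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: id-token for Workload Identity
    # Federation towards GCP (and cosign keyless signing), packages for the
    # GHCR cache images, contents read-only for checkout.
    permissions:
      contents: "read"
      id-token: "write"
      packages: "write"
    steps:
      - name: Install earthly
        uses: earthly/actions-setup@be3fe0c1f84e9776b5a184d21bf7a4a779ea2e6b # ratchet:earthly/actions-setup@v1
        with:
          version: "latest" # or pin to an specific version, e.g. "v0.6.10"

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4

      # Registry credentials are only obtained on main; other branches build
      # without pushing (see EARTHLY_PUSH below).
      - id: "auth"
        name: "Authenticate to Google Cloud"
        if: github.ref == 'refs/heads/main'
        uses: "google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033" # ratchet:google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          # NOTE(review): this value appears redacted in this copy — confirm.
          service_account: "[email protected]"
          token_format: "access_token"

      - name: Login to Google Artifact Registry
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # ratchet:docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"

      - name: Login to GitHub Packages Docker Registry for cache images
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # Use commit-sha1 instead of tag for security concerns
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag = <UTC-ish timestamp>-<short commit hash>. `--exclude '*'` drops
      # every tag from git describe, so the suffix is the abbreviated commit
      # id (plus "-dirty" if the working tree has local changes).
      # IMAGE_TAG/IMAGE are exported to later steps via GITHUB_ENV; the full
      # reference is exposed as the step output `image`.
      - name: "Set image version"
        id: set-image-tag
        run: |
          IMAGE_TAG="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_ENV"
          IMAGE="${REGISTRY}/${IMAGE_NAME}"
          echo "IMAGE=${IMAGE}" >> "$GITHUB_ENV"
          echo "image=${IMAGE}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

      - name: Build and possibly push
        env:
          # "true" only on main; Earthly reads this to decide whether to push.
          EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
        run: |
          earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --IMAGE="${IMAGE}"

      - name: Install cosign
        if: github.ref == 'refs/heads/main'
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.0.0'

      # Resolve the pushed tag to its immutable digest so that signing and
      # attestation below bind to content, not to a mutable tag.
      - name: Retrieve image digest
        id: imgdigest
        if: github.ref == 'refs/heads/main'
        env:
          # Passed through env rather than interpolated into the script so the
          # value is never re-parsed by the shell.
          IMAGE_REF: ${{ steps.set-image-tag.outputs.image }}
        run: |
          docker pull "$IMAGE_REF"
          echo "digest=$(docker inspect "$IMAGE_REF" | jq -r '.[].RepoDigests[0]')" >> "$GITHUB_OUTPUT"

      # No key material is supplied: presumably keyless Sigstore signing using
      # the job's OIDC token (hence id-token: write) — confirm against the
      # cosign setup.
      - name: Sign the container image
        if: github.ref == 'refs/heads/main'
        env:
          IMAGE_DIGEST: ${{ steps.imgdigest.outputs.digest }}
        run: cosign sign --yes "$IMAGE_DIGEST"

      # NOTE(review): the SBOM is produced from the checked-out Python
      # dependency manifest (-p), not from the image contents — confirm that
      # this is the intended subject of the attestation below. The
      # cyclonedx-bom version is unpinned; pin it (cyclonedx-bom==<version>)
      # for reproducible SBOMs.
      - name: Create SBOM
        if: github.ref == 'refs/heads/main'
        run: |
          sudo apt-get update && sudo apt-get install -y python3-pip
          pip3 install cyclonedx-bom
          cyclonedx-py -p --format json -o sbom.json

      - name: Attest image
        if: github.ref == 'refs/heads/main'
        env:
          IMAGE_DIGEST: ${{ steps.imgdigest.outputs.digest }}
        run: cosign attest --yes --predicate sbom.json --type cyclonedx "$IMAGE_DIGEST"
    outputs:
      # Full image reference (<registry>/<name>:<tag>) consumed by the deploy jobs.
      image: "${{ steps.set-image-tag.outputs.image }}"

  # The deploy jobs below pass NAIS_DEPLOY_APIKEY to nais/deploy; none of them
  # declares `permissions:`, so GITHUB_TOKEN keeps the repository default.
  # NOTE(review): consider `permissions: contents: read` on each of them if
  # the deploy action does not need the token.
  deploy-topics:
    name: Deploy Topic collector
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    strategy:
      matrix:
        cluster:
          - dev-gcp
          - prod-gcp
    steps:
      - uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
      # NOTE(review): pinned by mutable tag, unlike the SHA-pinned actions in
      # the build job; this step receives NAIS_DEPLOY_APIKEY, so pin it to a
      # commit SHA (with a ratchet comment) as well.
      - uses: nais/deploy/actions/deploy@v1
        name: Deploy topic collector
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: ${{ matrix.cluster }}
          RESOURCE: nais/dataproduct-apps-topics.yaml,nais/network-policy-apiserver-topics.yaml
          # NOTE(review): clusterName is fixed to prod-gcp although the job
          # runs for both matrix clusters; the other deploy jobs use the
          # matrix value — confirm this is intentional.
          VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp

  deploy-collector-gcp:
    name: Deploy Collector
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    strategy:
      matrix:
        cluster:
          - dev-gcp
          - prod-gcp
    steps:
      - uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
      # NOTE(review): mutable tag; pin to a commit SHA like the other actions.
      - uses: nais/deploy/actions/deploy@v1
        name: Deploy to ${{ matrix.cluster }}
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: ${{ matrix.cluster }}
          RESOURCE: nais/dataproduct-apps-collect-gcp.yaml,nais/network-policy-apiserver-collect.yaml
          VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}

  deploy-collector-onprem:
    name: Deploy Collector
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    strategy:
      matrix:
        cluster:
          - dev-fss
          - prod-fss
    steps:
      - uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
      # NOTE(review): mutable tag; pin to a commit SHA like the other actions.
      - uses: nais/deploy/actions/deploy@v1
        name: Deploy to ${{ matrix.cluster }}
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: ${{ matrix.cluster }}
          RESOURCE: nais/dataproduct-apps-collect-onprem.yaml,nais/network-policy-apiserver-collect.yaml
          VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}

  deploy-other:
    name: Deploy Persistor and Topic
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
      # NOTE(review): mutable tag; pin to a commit SHA like the other actions.
      - uses: nais/deploy/actions/deploy@v1
        name: Deploy topic and persist application to prod-gcp
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: prod-gcp
          RESOURCE: nais/topic.yaml,nais/dataproduct-apps-persist.yaml
          VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp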