Fix CVEs #148
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: ci | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- v* | |
paths-ignore: | |
- '**.md' | |
pull_request: | |
paths-ignore: | |
- '**.md' | |
jobs: | |
setup_github_runner: | |
name: Setup actions runner | |
runs-on: ubuntu-latest | |
env: | |
METAL_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }} | |
METAL_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }} | |
SERVER_NAME: "nsm-govpp-builder" | |
SERVER_TYPE: "c3.medium.x86" | |
METRO: da | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v2 | |
with: | |
path: ${{ github.repository }} | |
- name: Install metal CLI | |
run: | | |
curl -L https://github.com/equinix/metal-cli/releases/download/v0.15.0/metal-linux-amd64 -o metal | |
chmod +x ./metal | |
mv ./metal /usr/local/bin/metal | |
metal -v | |
# Setup ssh to be able to connect to the Packet server | |
- name: Setup ssh | |
id: setup_ssh | |
run: | | |
echo "${{ secrets.PACKET_SSH_KEY }}" > /tmp/sshkey | |
chmod 600 /tmp/sshkey | |
ssh-keygen -f /tmp/sshkey -y > /tmp/sshkey.pub | |
metal ssh-key create --key "$(cat /tmp/sshkey.pub)" --label $SERVER_NAME-ssh -o json | jq -r '.id' | |
# Create server and wait to be ready | |
- name: Create server | |
run: | | |
metal device create -p $METAL_PROJECT_ID -P $SERVER_TYPE -m $METRO -H $SERVER_NAME -O ubuntu_20_04 | |
max_retry=20 | |
for i in $(seq 1 $max_retry); do | |
state=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .state') | |
[ "$state" == "active" ] && break | |
[[ ${i} -eq $max_retry ]] && echo "Failed!" && exit 1 | |
sleep 30s | |
echo "Try #$i" | |
done | |
# Install GitHub action runner on the Packet server. The script uses RUNNER_TOKEN that we can get from GitHub api (gh api ...) | |
# Redirect the script output to file to not show the token | |
- name: Setup actions runner | |
working-directory: ${{ github.repository }} | |
run: | | |
RUNNER_TOKEN=$(gh api \ | |
--method POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/networkservicemesh/govpp/actions/runners/registration-token | jq -r '.token') | |
SSH_OPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /tmp/sshkey" | |
server_ip=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .ip_addresses[] | select(.public==true and .address_family==4) | .address') | |
scp ${SSH_OPTS} scripts/setup-actions-runner.sh root@${server_ip}:setup-actions-runner.sh | |
ssh ${SSH_OPTS} root@${server_ip} "./setup-actions-runner.sh $RUNNER_TOKEN &> f.log" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
build: | |
name: build | |
needs: setup_github_runner | |
runs-on: self-hosted | |
outputs: | |
docker_tag: ${{ steps.docker_push.outputs.docker_tag }} | |
steps: | |
- name: Docker install | |
run: | | |
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - | |
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" | |
apt update | |
apt install docker-ce -y | |
- name: Check out code | |
uses: actions/checkout@v2 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: 1.20.8 | |
# Use buildx to build for two platforms (amd64, arm64) in one image | |
- name: Docker Build | |
run: | | |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes | |
docker buildx create --use --bootstrap | |
echo "docker buildx inspect --bootstrap" | |
docker buildx inspect --bootstrap | |
echo "docker buildx build --platform linux/amd64,linux/arm64 ." | |
docker buildx build --platform linux/amd64,linux/arm64 . | |
docker buildx build -t vpp:version --target version --load . | |
branch=${{github.event.workflow_run.head_branch}} | |
if [[ $branch == *release/* ]]; then | |
TAG=${branch#release/} | |
else | |
VPP_VERSION=$(docker run vpp:version) | |
TAG=v${VPP_VERSION/\~/-} | |
fi | |
echo "TAG=${TAG}" >> $GITHUB_ENV | |
- name: Generate files | |
run: go generate ./... | |
- name: Check for changes in generated code | |
run: | | |
git diff -- binapi || (echo "Rerun go generate ./... locally and resubmit" && exit -1) | |
- name: Go Build | |
run: go build ./... | |
- name: Login to GitHub Container Registry | |
id: docker_login | |
if: ${{ github.event_name == 'push' }} | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Use the --push flag to publish the image. Currently, buildx only supports this way. | |
- name: Docker Push | |
id: docker_push | |
if: steps.docker_login.outcome == 'success' | |
run: | | |
docker buildx build --platform linux/amd64,linux/arm64 -t ghcr.io/${{github.repository}}/vpp:${TAG} . --target vpp --push | |
echo docker_tag=${TAG} >> $GITHUB_OUTPUT | |
- name: Push tag ${TAG} | |
id: tag_commit | |
if: ${{ steps.docker_push.outcome == 'success' && !contains(github.event.workflow_run.head_branch, 'release/') }} | |
run: | | |
git status | |
git tag ${TAG} ${{github.sha}} | |
git push origin ${TAG} -f | |
delete_github_runner: | |
name: Delete actions runner | |
if: ${{ always() }} | |
needs: [setup_github_runner, build] | |
runs-on: ubuntu-latest | |
env: | |
METAL_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }} | |
METAL_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }} | |
SERVER_NAME: "nsm-govpp-builder" | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v2 | |
with: | |
path: ${{ github.repository }} | |
- name: Install metal CLI | |
run: | | |
curl -L https://github.com/equinix/metal-cli/releases/download/v0.15.0/metal-linux-amd64 -o metal | |
chmod +x ./metal | |
mv ./metal /usr/local/bin/metal | |
metal -v | |
# Delete GitHub action runner from the Packet server | |
- name: Delete actions runner | |
working-directory: ${{ github.repository }} | |
run: | | |
RUNNER_TOKEN=$(gh api \ | |
--method POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/repos/networkservicemesh/govpp/actions/runners/remove-token | jq -r '.token') | |
echo "${{ secrets.PACKET_SSH_KEY }}" > /tmp/sshkey | |
chmod 600 /tmp/sshkey | |
SSH_OPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /tmp/sshkey" | |
server_ip=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .ip_addresses[] | select(.public==true and .address_family==4) | .address') | |
scp ${SSH_OPTS} scripts/delete-actions-runner.sh root@${server_ip}:delete-actions-runner.sh | |
ssh ${SSH_OPTS} root@${server_ip} "./delete-actions-runner.sh $RUNNER_TOKEN &> f.log" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
- name: Delete server | |
run: | | |
device_id=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .id') | |
metal device delete -i $device_id -f | |
- name: Delete ssh | |
run: | | |
export ssh_label=$SERVER_NAME-ssh | |
ssh_id=$(metal ssh-key get -o json | jq -r '.[] | select(.label==env.ssh_label) | .id') | |
metal ssh-key delete -i $ssh_id -f | |
check-gomod-deps: | |
needs: [build] | |
if: ${{ contains(github.event.workflow_run.head_branch, 'release/') }} | |
uses: networkservicemesh/.github/.github/workflows/check-gomod-deps.yaml@main | |
with: | |
tag: ${{ needs.build.outputs.docker_tag }} | |
create-release: | |
needs: check-gomod-deps | |
if: ${{ contains(github.event.workflow_run.head_branch, 'release/') }} | |
uses: networkservicemesh/.github/.github/workflows/release.yaml@main | |
secrets: | |
token: ${{ secrets.NSM_BOT_GITHUB_TOKEN }} | |
update_dependent_repositories: | |
name: update_dependent_repositories | |
needs: build | |
if: ${{ github.event_name == 'push' }} | |
uses: networkservicemesh/govpp/.github/workflows/update-dependent-repositories.yaml@main | |
with: | |
docker_tag: ${{ needs.build.outputs.docker_tag }} | |
secrets: | |
token: ${{ secrets.NSM_BOT_GITHUB_TOKEN }} |