Add Release workflow to CI (#1923)
lucacome authored Sep 2, 2021
1 parent a156618 commit a31cd87
Showing 4 changed files with 116 additions and 288 deletions.
198 changes: 99 additions & 99 deletions .github/workflows/ci.yml
Expand Up @@ -9,6 +9,8 @@ on:
- 'examples/**'
- 'examples-of-custom-resources/**'
- '**.md'
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
pull_request:
branches:
- master
Expand All @@ -29,11 +31,9 @@ defaults:
shell: bash

env:
DOCKER_BUILDKIT: 1
K8S_VERSION: 1.22.1
K8S_TIMEOUT: 75s
HELM_CHART_DIR: deployments/helm-chart
HELM_CHART_VERSION: 0.0.0-edge
GIT_NAME: NGINX Kubernetes Team
GIT_MAIL: [email protected]

Expand All @@ -43,7 +43,6 @@ jobs:
name: Checks and variables
runs-on: ubuntu-20.04
outputs:
sha_short: ${{ steps.vars.outputs.sha }}
go_version: ${{ steps.vars.outputs.go_version }}
go_path: ${{ steps.go.outputs.go_path }}
steps:
Expand All @@ -56,7 +55,6 @@ jobs:
- name: Output Variables
id: vars
run: |
echo "::set-output name=sha::$(echo ${GITHUB_SHA} | cut -c1-7)"
echo "::set-output name=go_version::$(grep "go 1." go.mod | cut -d " " -f 2)"
- name: Setup Golang Environment
uses: actions/setup-go@v2
Expand Down Expand Up @@ -113,63 +111,10 @@ jobs:
- name: Run Tests
run: go test ./...

build-image-scan:
name: Build and scan Docker images
runs-on: ubuntu-20.04
needs: [binary, checks]
strategy:
matrix:
image: [debian, alpine, opentracing, ubi]
ubi_version: ["8"]
include:
- image: ubi
ubi_version: 7
steps:
- name: Checkout Repository
uses: actions/checkout@v2
- name: Fetch Cached Artifacts
uses: actions/cache@v2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-single
- name: Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Build ${{ matrix.image }} Container
uses: docker/build-push-action@v2
with:
file: build/Dockerfile
context: '.'
# Disable cache until https://github.com/docker/buildx/issues/681 is fixed
# cache-from: type=gha
# cache-to: type=gha,mode=max
target: goreleaser
tags: docker.io/nginx/nginx-ingress:${{ matrix.image }}-${{ github.sha }}
load: true
pull: true
build-args: |
BUILD_OS=${{ matrix.image }}
UBI_VERSION=${{ matrix.ubi_version }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/nginx/nginx-ingress:${{ matrix.image }}-${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-${{ matrix.image }}.sarif'
ignore-unfixed: 'true'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results-${{ matrix.image }}.sarif'
- name: Upload Scan Results
uses: actions/upload-artifact@v2
with:
name: 'trivy-results-${{ matrix.image }}.sarif'
path: 'trivy-results-${{ matrix.image }}.sarif'
if: always()

setup-matrix:
name: Setup Matrix for Smoke Tests
runs-on: ubuntu-20.04
needs: [binary, unit-tests]
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
Expand All @@ -181,16 +126,15 @@ jobs:
{\"image\": \"alpine\", \"marker\":\"vsr\"}, \
{\"image\": \"opentracing\", \"marker\": \"vs\"}, \
{\"image\": \"ubi\", \"marker\": \"ts\"}, \
{\"image\": \"debian\", \"marker\": \"policies\"}], \
\"k8s\": [\"${{env.K8S_VERSION}}\"]}"
{\"image\": \"debian\", \"marker\": \"policies\"}]}"
else
echo "::set-output name=matrix::{\"k8s\": [\"1.19.11\", \"1.20.7\", \"1.21.2\", \"1.22.1\"], \"images\": [{\"image\": \"debian\"}]}"
echo "::set-output name=matrix::{\"k8s\": [\"1.19.11\", \"1.20.7\", \"1.21.2\", \"1.22.1\"]}"
fi
smoke-tests:
name: Smoke Tests
runs-on: ubuntu-20.04
needs: [checks, binary, build-image-scan, unit-tests, setup-matrix]
needs: setup-matrix
strategy:
matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }}
steps:
Expand All @@ -200,9 +144,9 @@ jobs:
id: smoke-tests
uses: ./.github/actions/smoke-tests
with:
image: ${{ matrix.images.image }}
marker: ${{ matrix.images.marker }}
k8s-version: ${{ matrix.k8s }}
image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }}
marker: ${{ matrix.images.marker != '' && matrix.images.marker || '""' }}
k8s-version: ${{ matrix.k8s != '' && matrix.k8s || env.K8S_VERSION }}
- name: Upload Test Results
uses: actions/upload-artifact@v2
with:
Expand All @@ -213,7 +157,7 @@ jobs:
helm-tests:
name: Helm Tests
runs-on: ubuntu-20.04
needs: [binary, build-image-scan, unit-tests]
needs: [binary, unit-tests]
env:
NGINX_HTTP_PORT: 8080
NGINX_HTTPS_PORT: 8443
Expand Down Expand Up @@ -268,11 +212,10 @@ jobs:
run: |
. tests/ci-files/helm-http-test.sh ${{ env.HELM_TEST_RETRIES }} ${{ env.NGINX_HTTPS_PORT }} ${{ env.HELM_HTTP_POSTFIX }}
binaries-release:
name: Build Binaries for release
build-binaries:
name: Build Binaries
runs-on: ubuntu-20.04
needs: [checks, smoke-tests, helm-tests]
if: github.event_name != 'pull_request'
needs: [checks, smoke-tests]
steps:
- name: Checkout Repository
uses: actions/checkout@v2
Expand All @@ -286,7 +229,7 @@ jobs:
uses: goreleaser/goreleaser-action@v2
with:
version: latest
args: build --snapshot --rm-dist --id kubernetes-ingress
args: build --rm-dist --id kubernetes-ingress ${{ github.event_name == 'pull_request' && '--single-target' || '' }} ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ needs.check.outputs.go_path }}
Expand All @@ -296,11 +239,10 @@ jobs:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi

release-docker:
name: Release Images
build-docker:
name: Build Docker Images
runs-on: ubuntu-20.04
needs: [checks, binaries-release]
if: github.event_name != 'pull_request'
needs: build-binaries
strategy:
matrix:
include:
Expand All @@ -321,10 +263,6 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Output Variables
id: commit
run: |
echo "::set-output name=tag::$(git describe --tags --abbrev=0)"
- name: Fetch Cached Artifacts
uses: actions/cache@v2
with:
Expand All @@ -334,26 +272,43 @@ jobs:
uses: docker/setup-qemu-action@v1
with:
platforms: arm,arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@v1
- name: DockerHub Login
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@v3
with:
images: nginx/nginx-ingress
flavor: suffix=${{ matrix.suffix }}
tags: |
type=edge,suffix=${{ matrix.suffix }}
type=schedule,suffix=${{ matrix.suffix }}
type=edge
type=ref,event=pr
type=schedule
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=NGINX Ingress Controller for Kubernetes
org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
org.opencontainers.image.vendor=NGINX Inc <[email protected]>
- name: Push to Dockerhub
- name: Output Variables
id: var
run: |
version=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
if ${{ startsWith(github.ref, 'refs/tags/') }}; then
ic_version=v$version
else
tag=$(git describe --tags --abbrev=0)
sha_short=$(echo ${{ github.sha }} | cut -c1-7)
ic_version=$tag-$version-$sha_short
fi
echo "::set-output name=ic_version::$ic_version"
- name: Build Docker images (and push to Dockerhub if not a PR)
uses: docker/build-push-action@v2
with:
file: build/Dockerfile
Expand All @@ -364,38 +319,70 @@ jobs:
target: goreleaser
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ matrix.platforms }}
platforms: ${{ github.event_name != 'pull_request' && matrix.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
pull: true
push: true
build-args: |
BUILD_OS=${{ matrix.type }}
IC_VERSION=${{ steps.commit.outputs.tag }}-SNAPSHOT-${{ needs.checks.outputs.sha_short }}
IC_VERSION=${{ steps.var.outputs.ic_version }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: nginx/nginx-ingress:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-${{ matrix.type }}.sarif'
ignore-unfixed: 'true'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results-${{ matrix.type }}.sarif'
- name: Upload Scan Results
uses: actions/upload-artifact@v2
with:
name: 'trivy-results-${{ matrix.type }}.sarif'
path: 'trivy-results-${{ matrix.type }}.sarif'
if: always()

package-helm:
name: Package Helm Chart
runs-on: ubuntu-20.04
needs: release-docker
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
needs: [build-docker, helm-tests]
outputs:
version: ${{ steps.var.outputs.helm_version }}
type: ${{ steps.var.outputs.helm_type }}
if: github.event_name == 'push'
steps:
- name: Checkout Repository
uses: actions/checkout@v2
- name: Lint
- name: Output Variables
id: var
run: |
helm lint ${{ env.HELM_CHART_DIR }} || true
if ${{ startsWith(github.ref, 'refs/tags/') }}; then
helm_version="$(helm show chart ${{ env.HELM_CHART_DIR }} | grep 'version:' | cut -d ' ' -f 2)"
helm_type="stable"
else
helm_version="0.0.0-edge"
helm_type="edge"
fi
echo "::set-output name=helm_version::$helm_version"
echo "::set-output name=helm_type::$helm_type"
- name: Lint
run: helm lint ${{ env.HELM_CHART_DIR }}
- name: Package
run: |
helm package --version ${{ env.HELM_CHART_VERSION }} ${{ env.HELM_CHART_DIR }}
run: helm package --version ${{ steps.var.outputs.helm_version }} ${{ env.HELM_CHART_DIR }}
- name: Upload Chart
uses: actions/upload-artifact@v2
with:
name: helm-chart
path: ${{ github.workspace }}/nginx-ingress-${{ env.HELM_CHART_VERSION }}.tgz
path: ${{ github.workspace }}/nginx-ingress-${{ steps.var.outputs.helm_version }}.tgz

release-helm:
name: Release Helm Chart
runs-on: ubuntu-20.04
needs: package-helm
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
if: github.event_name == 'push'
steps:
- name: Checkout Repository
uses: actions/checkout@v2
Expand All @@ -404,16 +391,29 @@ jobs:
fetch-depth: 1
token: ${{ secrets.NGINX_PAT }}
- name: Remove previous Chart
run: rm -f ${{ github.workspace }}/edge/nginx-ingress-${{ env.HELM_CHART_VERSION }}.tgz
run: rm -f ${{ github.workspace }}/${{ needs.package-helm.outputs.type }}/nginx-ingress-${{ needs.package-helm.outputs.version }}.tgz
- name: Retrieve latest Helm Chart
uses: actions/download-artifact@v2
with:
name: helm-chart
path: ${{ github.workspace }}/edge
path: ${{ github.workspace }}/${{ needs.package-helm.outputs.type }}
- name: Push Helm Chart
run: |
helm repo index edge --url https://helm.nginx.com/edge
helm repo index ${{ needs.package-helm.outputs.type }} --url https://helm.nginx.com/${{ needs.package-helm.outputs.type }}
git add -A
git -c user.name='${{ env.GIT_NAME }}' -c user.email='${{ env.GIT_MAIL }}' \
commit -m "NGINX Ingress Controller - Edge Release (latest)"
commit -m "NGINX Ingress Controller - Release ${{ needs.package-helm.outputs.type }} ${{ needs.package-helm.outputs.version }}"
git push -u origin master
publish-release-notes:
name: Publish Release Notes
runs-on: ubuntu-20.04
needs: release-helm
if: ${{ startsWith(github.ref, 'refs/tags/') }}
steps:
- name: Publish Release Notes
uses: release-drafter/release-drafter@v5
with:
publish: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
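Review bot: The Trivy step that this commit moves into the build-docker job still references `aquasecurity/trivy-action@master`, a mutable branch, and it now runs in the same job after `docker/login-action` has stored DockerHub credentials on the runner, so any change to that branch executes with push access to `nginx/nginx-ingress`; pin it to an immutable ref, e.g. `uses: aquasecurity/trivy-action@<release tag or full commit SHA>`. The `image-ref` on the following line is built from the `org.opencontainers.image.version` label alone and drops the `${{ matrix.suffix }}` flavor applied to the tags in the Docker meta step, so for a non-empty suffix it may name an image this job neither built nor loaded — worth confirming against what the metadata action emits for the version label. The two `Output Variables` scripts test `if ${{ startsWith(github.ref, 'refs/tags/') }}; then`, which only works because the expression expands to the `true`/`false` shell builtins; exporting it via `env:` and testing `if [ "$IS_TAG" = "true" ]; then` makes the intent explicit. In package-helm, `grep '^version:'` would keep the chart version lookup from also matching an indented `version:` under `dependencies:` should the chart ever gain one.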
