Skip to content

Set up core-infra stack (#585) #96

Set up core-infra stack (#585)

Set up core-infra stack (#585) #96

Workflow file for this run

name: CD / CLI
on:
push:
tags:
- 'v*.*.*'
jobs:
# Release binaries with GoReleaser
release:
runs-on: ubuntu-latest
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/[email protected]
with:
go-version-file: go.mod
- name: Get Previous Tag
id: prev
uses: WyriHaximus/github-action-get-previous-tag@v1
env:
INPUT_PREFIX: v
- name: Install Cosign
uses: sigstore/[email protected]
- name: GoReleaser (Release)
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser-pro
version: '~> v2'
args: release --clean --timeout 90m
env:
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
GITLAB_CLIENT_SECRET: ${{ secrets.GITLAB_CLIENT_SECRET }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
GORELEASER_PREVIOUS_TAG: ${{ steps.release.outputs.prev }}
# Publish CLI / Cloud CLI container images
publish:
strategy:
matrix:
image: [ plural-cli, plural-cli-cloud ]
include:
- image: plural-cli
dockerfile: ./Dockerfile
- image: plural-cli-cloud
dockerfile: ./dockerfiles/Dockerfile.cloud
runs-on: ubuntu-latest
needs: release
permissions:
contents: 'read'
id-token: 'write'
packages: 'write'
security-events: write
actions: read
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup kubectl
uses: azure/setup-kubectl@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/pluralsh/${{ matrix.image }}
# generate Docker tags based on the following events/attributes
tags: |
type=semver,pattern={{version}}
# - name: Login to plural registry
# uses: docker/login-action@v2
# with:
# registry: dkr.plural.sh
# username: [email protected]
# password: ${{ secrets.PLURAL_ACCESS_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get current date
id: date
run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push
uses: docker/build-push-action@v6
with:
context: "."
file: "${{ matrix.dockerfile }}"
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
build-args: |
APP_VSN=${{ github.ref_name }}
APP_COMMIT=${{ github.sha }}
APP_DATE=${{ steps.date.outputs.date }}
- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln'
timeout: 10m
ignore-unfixed: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# packer:
# name: Build EKS AMI
# runs-on: ubuntu-latest
# needs: release
# permissions:
# contents: 'read'
# id-token: 'write'
# steps:
# - name: Checkout
# uses: actions/checkout@v3
# - name: Configure AWS Credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# aws-region: us-east-2
# role-to-assume: arn:aws:iam::654897662046:role/github-actions/plural-cli-amis-packer
# role-session-name: CLIAmisPacker
# - name: Setup `packer`
# uses: hashicorp/setup-packer@main
# id: setup
# with:
# version: 1.9.2
# - name: Run `packer init`
# id: init
# run: "packer init ./packer/"
# - name: Run `packer validate`
# id: validate
# env:
# PKR_VAR_k8s_cli_version: ${{ github.ref_name}}
# run: "packer validate ./packer/"
# - name: Run `packer build`
# id: build
# # always is used here to ensure the builds can't get cancelled and leave dangling resources
# if: always()
# env:
# PKR_VAR_k8s_cli_version: ${{ github.ref_name}}
# run: "packer build ./packer/"