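# CI for pull requests, pushes to main / 1.0.0* branches, and manual runs.
# Every `uses:` is pinned to a commit SHA; the trailing comment records the
# release tag where the file already knows it, so a moved tag cannot silently
# change what runs here.
name: build-pr
on:
  # `labeled` on pull_request_target lets a maintainer opt a PR into the
  # credentialed AKS job below by applying the 'safe to test' label.
  # actions/checkout is used without `ref` throughout this file, so on this
  # event the base branch is checked out, not the PR head.
  pull_request_target:
    types: [labeled]
  pull_request:
    branches:
      - main
      - '1.0.0*'
  push:
    branches:
      - '1.0.0*'
      - main
  workflow_dispatch:
# Workflow-wide default: a read-only GITHUB_TOKEN. Jobs that need the OIDC
# token declare their own `permissions:` block (id-token: write, contents: read).
permissions: read-all
jobs:
  check-license:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Check license header
        # TODO: record the release tag this SHA corresponds to
        uses: apache/skywalking-eyes/header@ed436a5593c63a25f394ea29da61b0ac3731a9fe
        with:
          mode: check
          config: .github/licenserc.yml
      - name: Check dependencies license
        # TODO: record the release tag this SHA corresponds to
        uses: apache/skywalking-eyes/dependency@ed436a5593c63a25f394ea29da61b0ac3731a9fe
        with:
          config: .github/licenserc.yml
          flags: --weak-compatible=true

  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: setup go environment
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
      - name: Run tidy
        run: go mod tidy
      - name: Build CLI
        run: make
      - name: Check build
        run: bin/ratify version
      # NOTE(review): no step above this one visibly produces a coverage
      # report and no `token` is passed — confirm this upload is still needed.
      - name: Upload coverage to codecov.io
        uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
      - name: Run helm lint
        run: helm lint charts/ratify

  build_test_cli:
    name: "Build and run tests for CLI"
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: setup go environment
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
      - name: Run tidy
        run: go mod tidy
      - name: Build CLI
        run: make
      - name: Check build
        run: bin/ratify version
      - name: Test CLI
        # GOCOVERDIR is where the e2e CLI tests write coverage for the upload below.
        run: |
          make install ratify-config install-bats
          make test-e2e-cli LOCAL_REGISTRY_IMAGE=registry GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
      - name: Upload coverage to codecov.io
        uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1

  # Local (kind-style) e2e matrix: every Kubernetes version x every Gatekeeper
  # version, each combination runs to completion even if another fails.
  build_test_e2e:
    name: "Build and run e2e Test"
    runs-on: ubuntu-latest
    timeout-minutes: 35
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
        GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set up Go 1.21
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
      - name: Bootstrap e2e
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
          make generate-certs
      - name: Run e2e with config policy
        run: |
          make e2e-deploy-gatekeeper GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
          make e2e-deploy-ratify GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
          make test-e2e GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
      # Collected even when the test step fails so the artifact holds the
      # logs that explain the failure.
      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-config-policy.json
          kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-config-policy.json
      - name: Run e2e with Rego policy
        run: |
          make deploy-rego-policy
          make test-e2e
      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-externaldata-controller-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}.json
          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-externaldata-audit-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}.json
          kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
          kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
      - name: Upload artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        if: ${{ always() }}
        with:
          name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}
          path: |
            logs-*.json

  # Credentialed e2e against a real AKS cluster. Runs only for labelled PRs,
  # manual dispatch, or pushes, because it needs the Azure client secret.
  build_test_aks_e2e:
    name: "Build and run e2e Test on AKS"
    env:
      # Non-secret identifiers, quoted so no YAML parser retypes them; the
      # client secret itself comes only from `secrets.AZURE_CLIENT_SECRET`.
      AZURE_CLIENT_ID: '814e6e97-120c-4534-b8a9-f1645bc99500'
      AZURE_TENANT_ID: '72f988bf-86f1-41af-91ab-2d7cd011db47'
      AZURE_SUBSCRIPTION_ID: 'daae1e1a-63dc-454f-825d-b39289070f79'
    runs-on: ubuntu-latest
    # NOTE(review): a plain `pull_request` event on a PR that already carries
    # the label also satisfies this condition; for fork PRs the secret is not
    # available on that event, so the Az login step would fail — confirm that
    # is the intended behaviour.
    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
    timeout-minutes: 30
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
        GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set up Go 1.21
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
      # NOTE(review): `id-token: write` is granted but login still uses a
      # long-lived client secret via `creds`; a federated (OIDC) login would
      # remove the stored secret — verify the Azure side supports it first.
      - name: Az CLI login
        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
        with:
          creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
      - name: Dependencies e2e
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-docker-credential-store-setup
          make e2e-dependencies
      - name: Run e2e on Azure
        run: |
          make e2e-aks KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
      - name: Upload artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        if: ${{ always() }}
        with:
          name: e2e-logs-aks-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}
          path: |
            logs-*.json

  markdown-link-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - name: Run link check
        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 3.10.3
        with:
          # This action takes 'yes'/'no' strings, not YAML booleans.
          use-quiet-mode: 'no'
          use-verbose-mode: 'yes'
          config-file: '.github/workflows/markdown.links.config.json'
          folder-path: 'docs/'

  # Tears down the Azure resources created by build_test_aks_e2e.
  test-cleanup:
    env:
      AZURE_SUBSCRIPTION_ID: 'daae1e1a-63dc-454f-825d-b39289070f79'
      AZURE_CLIENT_ID: '814e6e97-120c-4534-b8a9-f1645bc99500'
      AZURE_TENANT_ID: '72f988bf-86f1-41af-91ab-2d7cd011db47'
    needs: ['build_test_aks_e2e']
    # `needs` alone only runs this job when the AKS job succeeded, which is
    # exactly when cleanup matters least: a failed or cancelled run would leave
    # its cluster behind. Run after any outcome except "skipped" (no cluster
    # was created, and on unlabelled fork PRs no credentials are available).
    if: ${{ always() && needs.build_test_aks_e2e.result != 'skipped' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set up Go 1.21
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
      - name: Az CLI login
        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
        with:
          creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
      - name: clean up
        run: |
          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}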