feat: run full validation on staging (#1361)

Signed-off-by: Susan Shi <[email protected]>
ratify-project · Apr 4, 2024 · 2b11902 · 2b11902
1 parent 8a696f1
commit 2b11902
Show file tree

Hide file tree

Showing 7 changed files with 355 additions and 172 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -5,141 +5,45 @@ on:
     types: [labeled]
   pull_request:
     branches:
-      - main
-      - 1.0.0*
-  push:
-    branches:
-      - 1.0.0*
-      - main
+      - staging
   workflow_dispatch:
 
 permissions: read-all
 
 jobs:
-  check-license:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
-      - name: Check license header
-        uses: apache/skywalking-eyes/header@6753eaeab2d30d8b777f33637bf48794f70888d0
-        with:
-          mode: check
-          config: .github/licenserc.yml
-      - name: Check dependencies license
-        uses: apache/skywalking-eyes/dependency@6753eaeab2d30d8b777f33637bf48794f70888d0
-        with:
-          config: .github/licenserc.yml
-          flags:
-            --weak-compatible=true
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
-      - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: "1.21"
-      - name: Run tidy
-        run: go mod tidy
-      - name: Build CLI
-        run: make
-      - name: Check build
-        run: bin/ratify version
-      - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
-      - name: Run helm lint
-        run: helm lint charts/ratify
-
-  build_test_cli:
-    name: "Build and run tests for CLI"
-    runs-on: ubuntu-latest
+  call_test_cli:
+    uses: ./.github/workflows/e2e-cli.yml
+
+  call_test_e2e_basic:
+    name: "run e2e on basic matrix"
     permissions:
       contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: "1.21"
-      - name: Run tidy
-        run: go mod tidy
-      - name: Build CLI
-        run: make
-      - name: Check build
-        run: bin/ratify version
-      - name: Test CLI
-        run: |
-          make install ratify-config install-bats
-          make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
-      - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+    strategy:
+      fail-fast: false
+      matrix:
+        KUBERNETES_VERSION: ["1.27.7"]
+        GATEKEEPER_VERSION: ["3.15.0"]
+    uses: ./.github/workflows/e2e-k8s.yml 
+    with:
+      k8s_version: ${{ matrix.KUBERNETES_VERSION }}
+      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
 
-  build_test_e2e:
-    name: "Build and run e2e Test"
-    runs-on: ubuntu-latest
-    timeout-minutes: 35
-    permissions:
-      contents: read
+  build_test_e2e_full_conditional:
+    name: "run e2e on full test matrix with conditions"
+    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch'
     strategy:
       fail-fast: false
       matrix:
         KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
         GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: '1.21'
+    uses: ./.github/workflows/e2e-k8s.yml 
+    with:
+      k8s_version: ${{ matrix.KUBERNETES_VERSION }}
+      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }} 
 
-      - name: Bootstrap e2e
-        run: |
-          mkdir -p $GITHUB_WORKSPACE/bin
-          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
-          make generate-certs
-      - name: Run e2e with config policy
-        run: |
-          make e2e-deploy-gatekeeper GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
-          make e2e-deploy-ratify GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
-          make test-e2e GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }}
-      - name: Save logs
-        if: ${{ always() }}
-        run: |
-          kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-config-policy.json
-          kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-config-policy.json
-      - name: Run e2e with Rego policy
-        run: |
-          make deploy-rego-policy
-          make test-e2e
-      - name: Save logs
-        if: ${{ always() }}
-        run: |
-          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-externaldata-controller-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}.json
-          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-externaldata-audit-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}.json
-          kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
-          kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
-      - name: Upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if: ${{ always() }}
-        with:
-          name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}
-          path: |
-            logs-*.json
-
-  build_test_aks_e2e:
-    name: "Build and run e2e Test on AKS"
-    env:
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-    runs-on: ubuntu-latest
+  build_test_aks_e2e_conditional:
+    name: "Build and run e2e Test on AKS with conditions"
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-    timeout-minutes: 30
     permissions:
       id-token: write
       contents: read
@@ -148,58 +52,18 @@ jobs:
       matrix:
         KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
         GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: '1.21'
-
-      - name: Az CLI login
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
-        with:
-          creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
-
-      - name: Dependencies e2e
-        run: |
-          mkdir -p $GITHUB_WORKSPACE/bin
-          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-          make e2e-docker-credential-store-setup
-          make e2e-dependencies
-
-      - name: Run e2e on Azure
-        run: |
-          make e2e-aks KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} GATEKEEPER_VERSION=${{ matrix.GATEKEEPER_VERSION }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
-
-      - name: Upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-        if: ${{ always() }}
-        with:
-          name: e2e-logs-aks-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}
-          path: |
-            logs-*.json
-
-  markdown-link-check:
-      runs-on: ubuntu-latest
-      steps:
-      - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-        with:
-          submodules: recursive
-      - name: Run link check
-        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec #3.10.3
-        with:
-          use-quiet-mode: 'no'
-          use-verbose-mode: 'yes'
-          config-file: '.github/workflows/markdown.links.config.json'
-          folder-path: 'docs/'
-  test-cleanup:
+    uses: ./.github/workflows/e2e-aks.yml
+    with:
+      k8s_version: ${{ matrix.KUBERNETES_VERSION }}
+      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
+    secrets: inherit
+
+  aks-test-cleanup:
     env:
       AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
       AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
       AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-    needs: ['build_test_aks_e2e']
+    needs: ['build_test_aks_e2e_conditional']
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -219,4 +83,4 @@ jobs:
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
@@ -0,0 +1,56 @@
+name: e2e-aks
+
+on:
+  workflow_call:
+    inputs:
+      k8s_version:
+        description: 'Kubernetes version'
+        required: true
+        default: '1.27.7'
+        type: string
+      gatekeeper_version:
+        description: 'Gatekeeper version'
+        required: true
+        default: '3.15.0'
+        type: string
+
+jobs:
+  build_test_aks_e2e:
+    name: "Build and run e2e Test on AKS"
+    env:
+      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
+      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
+      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Set up Go 1.21
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: '1.21'
+
+      - name: Az CLI login
+        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        with:
+          creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
+
+      - name: Dependencies e2e
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+          make e2e-docker-credential-store-setup
+          make e2e-dependencies
+
+      - name: Run e2e on Azure
+        run: |
+          make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: ${{ always() }}
+        with:
+          name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}
+          path: |
+            logs-*.json
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
@@ -0,0 +1,79 @@
+name: e2e-cli
+
+on:
+  workflow_call:
+
+jobs:
+  check-license:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+      - name: Check license header
+        uses: apache/skywalking-eyes/header@ed436a5593c63a25f394ea29da61b0ac3731a9fe
+        with:
+          mode: check
+          config: .github/licenserc.yml
+      - name: Check dependencies license
+        uses: apache/skywalking-eyes/dependency@ed436a5593c63a25f394ea29da61b0ac3731a9fe
+        with:
+          config: .github/licenserc.yml
+          flags:
+            --weak-compatible=true
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+      - name: setup go environment
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: "1.21"
+      - name: Run tidy
+        run: go mod tidy
+      - name: Build CLI
+        run: make
+      - name: Check build
+        run: bin/ratify version
+      - name: Upload coverage to codecov.io
+        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+      - name: Run helm lint
+        run: helm lint charts/ratify
+  build_test_cli:
+    name: "Build and run tests for CLI"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: setup go environment
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: "1.21"
+      - name: Run tidy
+        run: go mod tidy
+      - name: Build CLI
+        run: make
+      - name: Check build
+        run: bin/ratify version
+      - name: Test CLI
+        run: |
+          make install ratify-config install-bats
+          make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
+      - name: Upload coverage to codecov.io
+        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+  markdown-link-check:
+      runs-on: ubuntu-latest
+      steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          submodules: recursive
+      - name: Run link check
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec #3.10.3
+        with:
+          use-quiet-mode: 'no'
+          use-verbose-mode: 'yes'
+          config-file: '.github/workflows/markdown.links.config.json'
+          folder-path: 'docs/'