
     1name: job-promote-to-passed
     2
     3"on":
     4  push:
     5    branches:
     6      - master
     7      - release/v*
     8  pull_request: {}
     9  workflow_dispatch:
    10
    11jobs:
    12  lint: ########################################################################
    13    runs-on: ubuntu-latest
    14    env:
    15      # See docker/base-python.docker.gen
    16      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
    17    steps:
    18      - uses: actions/checkout@v3
    19        with:
    20          fetch-depth: 0
    21      - name: Install Deps
    22        uses: ./.github/actions/setup-deps
    23      - shell: bash
    24        run: |
    25          make lint-deps
    26      - shell: bash
    27        run: |
    28          make lint
    29      - uses: ./.github/actions/after-job
    30        if: always()
    31
    32  generate: ####################################################################
    33    runs-on: ubuntu-latest
    34    env:
    35      # See docker/base-python.docker.gen
    36      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
    37    steps:
    38      - uses: actions/checkout@v3
    39        with:
    40          fetch-depth: 0
    41      - name: Install Deps
    42        uses: ./.github/actions/setup-deps
    43      - name: "Git Login"
    44        run: |
    45          if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then
    46            install -m700 -d ~/.ssh
    47            install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}'
    48          fi
    49      - name: "Docker Login"
    50        uses: docker/login-action@v2
    51        with:
    52          registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }}
    53          username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }}
    54          password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }}
    55      - name: "'make generate'"
    56        shell: bash
    57        run: |
    58          make generate
    59      - name: "Update dependency information after dependabot change"
    60        uses: datawire/go-mkopensource/actions/save-dependabot-changes@v0.0.7
    61        id: changed-by-dependabot
    62        with:
    63          branches_to_skip: master
    64      - name: "Abort if dependencies changed"
    65        if: steps.changed-by-dependabot.outputs.is_dirty == 'true'
    66        run: |
    67          echo "Dependabot triggered a dependency update. Aborting workflow."
    68          exit 1
    69      - uses: ./.github/actions/git-dirty-check
    70        name: "Check Git not dirty from 'make generate'"
    71      - name: "'make generate' (again!)"
    72        shell: bash
    73        run: |
    74          make generate
    75      - uses: ./.github/actions/git-dirty-check
    76        name: "Check Git not dirty from 'make generate' (again!)"
    77      - uses: ./.github/actions/after-job
    78        if: always()
    79
    80  check-envoy-version: #########################################################
    81    runs-on: ubuntu-latest
    82    env:
    83      # See docker/base-python.docker.gen
    84      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
    85    steps:
    86      - uses: actions/checkout@v3
    87        with:
    88          fetch-depth: 0
    89      - name: Install Deps
    90        uses: ./.github/actions/setup-deps
    91      - name: "Git Login"
    92        run: |
    93          if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then
    94            install -m700 -d ~/.ssh
    95            install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}'
    96          fi
    97      - name: "Docker Login"
    98        # This is important if ENVOY_DOCKER_REPO is a private repo.
    99        uses: docker/login-action@v2
   100        with:
   101          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   102          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   103          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   104      - run: make check-envoy-version
   105      - uses: ./.github/actions/after-job
   106        if: always()
   107
   108  # Tests ######################################################################
   109  check-gotest:
   110    runs-on: ubuntu-latest
   111    env:
   112      # See docker/base-python.docker.gen
   113      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
   114    steps:
   115      - uses: actions/checkout@v3
   116        with:
   117          fetch-depth: 0
   118      - name: Install Deps
   119        uses: ./.github/actions/setup-deps
   120      - name: "Docker Login"
   121        uses: docker/login-action@v2
   122        with:
   123          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   124          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   125          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   126      - name: make gotest
   127        shell: bash
   128        run: |
   129          export DEV_KUBE_NO_PVC=yes
   130          export KAT_REQ_LIMIT=900
   131          make gotest
   132      - uses: ./.github/actions/after-job
   133        if: always()
   134  check-pytest:
   135    runs-on: ubuntu-latest
   136    env:
   137      # See docker/base-python.docker.gen
   138      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
   139      # See pkg/kubeapply/resource_kubeapply.go
   140      DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }}
   141      DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   142      DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   143    strategy:
   144      fail-fast: false
   145      matrix:
   146        test:
   147          - integration
   148          - kat-envoy3-1-of-5
   149          - kat-envoy3-2-of-5
   150          - kat-envoy3-3-of-5
   151          - kat-envoy3-4-of-5
   152          - kat-envoy3-5-of-5
   153    name: pytest-${{ matrix.test }}
   154    steps:
   155      - uses: actions/checkout@v3
   156        with:
   157          fetch-depth: 0
   158      - name: Install Deps
   159        uses: ./.github/actions/setup-deps
   160      - name: "Docker Login"
   161        uses: docker/login-action@v2
   162        with:
   163          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   164          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   165          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   166      - name: make pytest-${{ matrix.test }}
   167        run: |
   168          export USE_LOCAL_K3S_CLUSTER=1
   169          sudo sysctl -w fs.file-max=1600000
   170          sudo sysctl -w fs.inotify.max_user_instances=4096
   171
   172          make ci/setup-k3d
   173
   174          export DEV_KUBE_NO_PVC=yes
   175          export KAT_REQ_LIMIT=900
   176          export DEV_KUBECONFIG=~/.kube/config
   177          export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }}
   178          make pytest-${{ matrix.test }}
   179      - uses: ./.github/actions/after-job
   180        if: always()
   181        with:
   182          jobname: check-pytest-${{ matrix.test }}
   183  check-pytest-unit:
   184    # pytest-unit is separate from pytests (above) because we know for certain that no cluster is needed.
   185    # XXX This is pretty much a crock.
   186    runs-on: ubuntu-latest
   187    env:
   188      # See docker/base-python.docker.gen
   189      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
   190    strategy:
   191      matrix:
   192        test:
   193          - unit
   194    name: pytest-${{ matrix.test }}
   195    steps:
   196      - uses: actions/checkout@v3
   197        with:
   198          fetch-depth: 0
   199      - name: Install Deps
   200        uses: ./.github/actions/setup-deps
   201      - name: "Docker Login"
   202        uses: docker/login-action@v2
   203        with:
   204          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   205          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   206          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   207      - name: make pytest-${{ matrix.test }}
   208        run: |
   209          sudo sysctl -w fs.file-max=1600000
   210          sudo sysctl -w fs.inotify.max_user_instances=4096
   211
   212          export DEV_KUBE_NO_PVC=yes
   213          export KAT_REQ_LIMIT=900
   214          export DEV_KUBECONFIG=~/.kube/config
   215          export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }}
   216          export PYTEST_ARGS=' --cov-branch --cov=ambassador --cov-report html:/tmp/cov_html '
   217          make pytest-${{ matrix.test }}
   218      - uses: ./.github/actions/after-job
   219        if: always()
   220        with:
   221          jobname: check-pytest-${{ matrix.test }}
   222  check-chart:
   223    runs-on: ubuntu-latest
   224    env:
   225      DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
   226      # See docker/base-python.docker.gen
   227      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
   228      # See pkg/kubeapply/resource_kubeapply.go
   229      DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }}
   230      DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   231      DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   232    steps:
   233      - uses: docker/login-action@v2
   234        with:
   235          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   236          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   237          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   238      - uses: actions/checkout@v3
   239        with:
   240          fetch-depth: 0
   241          ref: ${{ github.event.pull_request.head.sha }}
   242      - name: Install Deps
   243        uses: ./.github/actions/setup-deps
   244      - name: make test-chart
   245        run: |
   246          make ci/setup-k3d
   247          export DEV_KUBECONFIG=~/.kube/config
   248
   249          make test-chart
   250      - uses: ./.github/actions/after-job
   251        if: always()
   252
   253  build: #######################################################################
   254    runs-on: ubuntu-latest
   255    env:
   256      DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
   257      # See docker/base-python.docker.gen
   258      BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
   259    outputs:
   260      image-tag: ${{ steps.build-image.outputs.image-tag }}
   261    steps:
   262      - uses: actions/checkout@v3
   263        with:
   264          fetch-depth: 0
   265          ref: ${{ github.event.pull_request.head.sha }}
   266      - name: Install Deps
   267        uses: ./.github/actions/setup-deps
   268      - name: "Docker Login"
   269        uses: docker/login-action@v2
   270        with:
   271          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
   272          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
   273          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
   274      - name: "make push"
   275        shell: bash
   276        run: |
   277          make push
   278      - name: "capture image tag"
   279        id: build-image
   280        shell: bash
   281        run: |
   282          echo "image-tag=$(build-aux/version.sh)" >> $GITHUB_OUTPUT
   283      - name: "make push-dev"
   284        shell: bash
   285        run: |
   286          make push-dev
   287      - uses: ./.github/actions/after-job
   288        if: always()
   289
   290  ######################################################################
   291  ######################### CVE Scanning ###############################
   292  trivy-container-scan:
   293    runs-on: ubuntu-latest
   294    needs: [build]
   295    steps:
   296      # upload of results to github uses git so checkout of code is needed
   297      - uses: actions/checkout@v3
   298        with:
   299          fetch-depth: 0
   300          ref: ${{ github.event.pull_request.head.sha }}
   301      - name: "Log image-tag"
   302        shell: bash
   303        run: echo ${{needs.build.outputs.image-tag}}
   304      - name: Scan
   305        uses: aquasecurity/trivy-action@master
   306        with:
   307          image-ref: "${{secrets.DEV_REGISTRY}}/emissary:${{needs.build.outputs.image-tag}}"
   308          format: "sarif"
   309          exit-code: 0 # only warn for now until we have backed it into our processes
   310          output: "trivy-results.sarif"
   311          ignore-unfixed: true
   312          vuln-type: "os,library"
   313          severity: "CRITICAL,HIGH"
   314      - name: Upload Scan to GitHub Security Tab
   315        uses: github/codeql-action/upload-sarif@v2
   316        with:
   317          sarif_file: "trivy-results.sarif"
   318
   319  ##############################################################################
   320  pass:
   321    name: "job-promote-to-passed" # This is the job name that the branch protection looks for
   322    needs:
   323      - lint
   324      - build
   325      - generate
   326      - check-envoy-version
   327      - check-gotest
   328      - check-pytest
   329      - check-pytest-unit
   330      - check-chart
   331      - trivy-container-scan
   332    runs-on: ubuntu-latest
   333    steps:
   334      - name: No-Op
   335        if: ${{ false }}
   336        run: "echo Pass"
