1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/.github/workflows/ci.yml

285 lines
8.9 KiB
YAML
Raw Normal View History

name: CI
on:
push:
branches:
- main
- release-*
pull_request: {}
workflow_dispatch: {}
env:
# Common versions
GOLANGCI_VERSION: 'v1.49.0'
:sparkles: Kubernetes v1.24 upgrade (#1345) * build(deps): bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.11.2 to 0.12.3. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.11.2...v0.12.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * feat: bump kubernetes 1.24 Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * fix: backwards-compatible vault implementation Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * feat: add audiences field to serviceAccountRef This will be used by aws, azure, gcp, kubernetes & vault providers in combination with TokenRequest API: it will _append_ audience claims to provider-specific audiences. Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * feat: refactor kubernetes client to match provider/client interfaces the kubernetes provider mixed up provider and client interfaces which made it really hard to reason about. This commit separates into two structs, each implements one interface. The client struct fields have been renamed and annotated so their use and scope is clear. Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * fix: deprecate expirationSeconds expirationSeconds is not needed because we generate a service account token on the fly for a single use. There will be no replacement for this. Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * fix: rename token fetch audiences field Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * fix: generate CRDs Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
2022-08-19 15:32:06 +00:00
KUBERNETES_VERSION: '1.24.x'
DOCKER_BUILDX_VERSION: 'v0.4.2'
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
2021-12-17 11:23:57 +00:00
2021-09-28 16:55:16 +00:00
# Sonar
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
jobs:
detect-noop:
runs-on: ubuntu-18.04
outputs:
noop: ${{ steps.noop.outputs.should_skip }}
steps:
- name: Detect No-op Changes
id: noop
uses: fkirc/skip-duplicate-actions@v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
paths_ignore: '["**.md", "**.png", "**.jpg"]'
do_not_skip: '["workflow_dispatch", "schedule", "push"]'
concurrent_skipping: false
lint:
runs-on: ubuntu-18.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v3
2021-06-25 23:56:42 +00:00
- name: Setup Go
uses: actions/setup-go@v3
2021-06-25 23:56:42 +00:00
with:
go-version-file: "go.mod"
2021-06-25 23:56:42 +00:00
- name: Find the Go Cache
id: go
run: |
echo "::set-output name=build-cache::$(go env GOCACHE)"
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
- name: Cache the Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.build-cache }}
key: ${{ runner.os }}-build-lint-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-lint-${{ github.sha }}-
- name: Cache Go Dependencies
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.mod-cache }}
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
# This action uses its own setup-go, which always seems to use the latest
# stable version of Go. We could run 'make lint' to ensure our desired Go
# version, but we prefer this action because it leaves 'annotations' (i.e.
# it comments on PRs to point out linter violations).
- name: Lint
uses: golangci/golangci-lint-action@v3.2.0
with:
version: ${{ env.GOLANGCI_VERSION }}
skip-pkg-cache: true
skip-build-cache: true
2021-06-25 23:56:42 +00:00
skip-go-installation: true
check-diff:
runs-on: ubuntu-18.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version-file: "go.mod"
- name: Find the Go Cache
id: go
run: |
echo "::set-output name=build-cache::$(go env GOCACHE)"
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
- name: Cache the Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.build-cache }}
key: ${{ runner.os }}-build-check-diff-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-check-diff-${{ github.sha }}-
- name: Cache Go Dependencies
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.mod-cache }}
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
# Check DIff also runs Reviewable which needs golangci-lint installed
- name: Check Diff
run: |
wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${{ env.GOLANGCI_VERSION }}
export PATH=$PATH:./bin
make check-diff
unit-tests:
runs-on: ubuntu-18.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version-file: "go.mod"
- name: Find the Go Cache
id: go
run: |
echo "::set-output name=build-cache::$(go env GOCACHE)"
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
- name: Cache the Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.build-cache }}
key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-
- name: Cache Go Dependencies
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.mod-cache }}
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
2022-01-28 18:51:07 +00:00
- name: Add setup-envtest
run: |
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH)
2021-06-25 23:56:42 +00:00
- name: Cache envtest binaries
uses: actions/cache@v3
with:
2022-01-28 18:51:07 +00:00
path: /home/runner/.local/share/kubebuilder-envtest/
key: ${{ runner.os }}-kubebuilder-${{env.KUBERNETES_VERSION}}
restore-keys: ${{ runner.os }}-kubebuilder-
- name: Run Unit Tests
2021-06-25 23:56:42 +00:00
run: |
export KUBEBUILDER_ATTACH_CONTROL_PLANE_OUTPUT=true
2022-01-28 18:51:07 +00:00
source <(setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH))
2021-06-25 23:56:42 +00:00
make test
2021-04-24 23:39:06 +00:00
publish-artifacts:
runs-on: ubuntu-18.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
permissions:
id-token: write
contents: read
steps:
- name: Setup QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: all
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ env.DOCKER_BUILDX_VERSION }}
install: true
- name: Checkout
uses: actions/checkout@v3
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version-file: "go.mod"
- name: Find the Go Cache
id: go
run: |
echo "::set-output name=build-cache::$(go env GOCACHE)"
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
- name: Cache the Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.build-cache }}
key: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}-
- name: Cache Go Dependencies
uses: actions/cache@v3
with:
path: ${{ steps.go.outputs.mod-cache }}
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
- name: Login to Docker
uses: docker/login-action@v2
if: env.GHCR_USERNAME != ''
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
2021-07-21 15:00:43 +00:00
- name: Build & Publish Artifacts
if: env.GHCR_USERNAME != ''
2021-07-21 15:00:43 +00:00
env:
BUILD_ARGS: "--push --platform linux/amd64,linux/arm64"
run: make docker.build
- name: Get docker image tag
if: env.GHCR_USERNAME != ''
id: image_version
run: echo "::set-output name=image::$(make docker.image)"
- name: Run Trivy vulnerability scanner
if: env.GHCR_USERNAME != ''
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ steps.image_version.outputs.image }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Promote Artifacts to main release channel
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
run: make docker.promote
env:
RELEASE_TAG: main
- name: Set up crane
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
- name: Install cosign
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
uses: sigstore/cosign-installer@v2.6.0
- name: Sign Artifacts to main release channel
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
run: make docker.sign
env:
RELEASE_TAG: main
COSIGN_EXPERIMENTAL: true