mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
cf0c819c60
Bumps [fkirc/skip-duplicate-actions](https://github.com/fkirc/skip-duplicate-actions) from 4.0.0 to 5.2.0. - [Release notes](https://github.com/fkirc/skip-duplicate-actions/releases) - [Commits](https://github.com/fkirc/skip-duplicate-actions/compare/v4.0.0...v5.2.0) --- updated-dependencies: - dependency-name: fkirc/skip-duplicate-actions dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
284 lines
8.9 KiB
YAML
284 lines
8.9 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- release-*
|
|
pull_request: {}
|
|
workflow_dispatch: {}
|
|
|
|
env:
|
|
# Common versions
|
|
GOLANGCI_VERSION: 'v1.49.0'
|
|
KUBERNETES_VERSION: '1.24.x'
|
|
DOCKER_BUILDX_VERSION: 'v0.4.2'
|
|
|
|
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
|
|
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
|
|
# credentials have been provided before trying to run steps that need them.
|
|
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
|
|
|
|
# Sonar
|
|
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
|
|
|
jobs:
|
|
detect-noop:
|
|
runs-on: ubuntu-18.04
|
|
outputs:
|
|
noop: ${{ steps.noop.outputs.should_skip }}
|
|
steps:
|
|
- name: Detect No-op Changes
|
|
id: noop
|
|
uses: fkirc/skip-duplicate-actions@v5.2.0
|
|
with:
|
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
paths_ignore: '["**.md", "**.png", "**.jpg"]'
|
|
do_not_skip: '["workflow_dispatch", "schedule", "push"]'
|
|
concurrent_skipping: false
|
|
|
|
lint:
|
|
runs-on: ubuntu-18.04
|
|
needs: detect-noop
|
|
if: needs.detect-noop.outputs.noop != 'true'
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Find the Go Cache
|
|
id: go
|
|
run: |
|
|
echo "::set-output name=build-cache::$(go env GOCACHE)"
|
|
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
|
|
|
|
- name: Cache the Go Build Cache
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.build-cache }}
|
|
key: ${{ runner.os }}-build-lint-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-build-lint-${{ github.sha }}-
|
|
|
|
- name: Cache Go Dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.mod-cache }}
|
|
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
|
|
|
|
# This action uses its own setup-go, which always seems to use the latest
|
|
# stable version of Go. We could run 'make lint' to ensure our desired Go
|
|
# version, but we prefer this action because it leaves 'annotations' (i.e.
|
|
# it comments on PRs to point out linter violations).
|
|
- name: Lint
|
|
uses: golangci/golangci-lint-action@v3.2.0
|
|
with:
|
|
version: ${{ env.GOLANGCI_VERSION }}
|
|
skip-pkg-cache: true
|
|
skip-build-cache: true
|
|
skip-go-installation: true
|
|
|
|
check-diff:
|
|
runs-on: ubuntu-18.04
|
|
needs: detect-noop
|
|
if: needs.detect-noop.outputs.noop != 'true'
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Find the Go Cache
|
|
id: go
|
|
run: |
|
|
echo "::set-output name=build-cache::$(go env GOCACHE)"
|
|
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
|
|
|
|
- name: Cache the Go Build Cache
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.build-cache }}
|
|
key: ${{ runner.os }}-build-check-diff-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-build-check-diff-${{ github.sha }}-
|
|
|
|
- name: Cache Go Dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.mod-cache }}
|
|
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
|
|
|
|
# Check DIff also runs Reviewable which needs golangci-lint installed
|
|
- name: Check Diff
|
|
run: |
|
|
wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${{ env.GOLANGCI_VERSION }}
|
|
export PATH=$PATH:./bin
|
|
make check-diff
|
|
|
|
unit-tests:
|
|
runs-on: ubuntu-18.04
|
|
needs: detect-noop
|
|
if: needs.detect-noop.outputs.noop != 'true'
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Fetch History
|
|
run: git fetch --prune --unshallow
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Find the Go Cache
|
|
id: go
|
|
run: |
|
|
echo "::set-output name=build-cache::$(go env GOCACHE)"
|
|
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
|
|
|
|
- name: Cache the Go Build Cache
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.build-cache }}
|
|
key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-
|
|
|
|
- name: Cache Go Dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.mod-cache }}
|
|
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
|
|
|
|
- name: Add setup-envtest
|
|
run: |
|
|
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
|
|
setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH)
|
|
|
|
- name: Cache envtest binaries
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: /home/runner/.local/share/kubebuilder-envtest/
|
|
key: ${{ runner.os }}-kubebuilder-${{env.KUBERNETES_VERSION}}
|
|
restore-keys: ${{ runner.os }}-kubebuilder-
|
|
|
|
- name: Run Unit Tests
|
|
run: |
|
|
export KUBEBUILDER_ATTACH_CONTROL_PLANE_OUTPUT=true
|
|
source <(setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH))
|
|
make test
|
|
|
|
|
|
publish-artifacts:
|
|
runs-on: ubuntu-18.04
|
|
needs: detect-noop
|
|
if: needs.detect-noop.outputs.noop != 'true'
|
|
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Setup QEMU
|
|
uses: docker/setup-qemu-action@v2
|
|
with:
|
|
platforms: all
|
|
|
|
- name: Setup Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
with:
|
|
version: ${{ env.DOCKER_BUILDX_VERSION }}
|
|
install: true
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Fetch History
|
|
run: git fetch --prune --unshallow
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Find the Go Cache
|
|
id: go
|
|
run: |
|
|
echo "::set-output name=build-cache::$(go env GOCACHE)"
|
|
echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
|
|
|
|
- name: Cache the Go Build Cache
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.build-cache }}
|
|
key: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}-
|
|
|
|
- name: Cache Go Dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ${{ steps.go.outputs.mod-cache }}
|
|
key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-
|
|
|
|
- name: Login to Docker
|
|
uses: docker/login-action@v2
|
|
if: env.GHCR_USERNAME != ''
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ secrets.GHCR_USERNAME }}
|
|
password: ${{ secrets.GHCR_TOKEN }}
|
|
|
|
- name: Build & Publish Artifacts
|
|
if: env.GHCR_USERNAME != ''
|
|
env:
|
|
BUILD_ARGS: "--push --platform linux/amd64,linux/arm64"
|
|
run: make docker.build
|
|
|
|
- name: Get docker image tag
|
|
if: env.GHCR_USERNAME != ''
|
|
id: image_version
|
|
run: echo "::set-output name=image::$(make docker.image)"
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
if: env.GHCR_USERNAME != ''
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: '${{ steps.image_version.outputs.image }}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Promote Artifacts to main release channel
|
|
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
|
|
run: make docker.promote
|
|
env:
|
|
RELEASE_TAG: main
|
|
|
|
- name: Set up crane
|
|
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
|
|
run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0
|
|
|
|
- name: Install cosign
|
|
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
|
|
uses: sigstore/cosign-installer@v2.6.0
|
|
|
|
- name: Sign Artifacts to main release channel
|
|
if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != ''
|
|
run: make docker.sign
|
|
env:
|
|
RELEASE_TAG: main
|
|
COSIGN_EXPERIMENTAL: true
|