improve readme by adding contact email for security issues #2280
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by: gromit policy | |
| # Distribution channels covered by this workflow | |
| # - Ubuntu and Debian | |
| # - RHEL and AL | |
| # - docker hub | |
| # - devenv ECR | |
| # - Cloudsmith | |
| name: Release | |
| on: | |
| # Trigger release every monday at midnight for master CI images | |
| schedule: | |
| - cron: "0 0 * * 1" | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| - release-** | |
| tags: | |
| - 'v*' | |
| env: | |
| GOPRIVATE: github.com/TykTechnologies | |
| jobs: | |
| goreleaser: | |
| name: '${{ matrix.golang_cross }}' | |
| runs-on: ubuntu-latest-m | |
| permissions: | |
| id-token: write # AWS OIDC JWT | |
| contents: read # actions/checkout | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| golang_cross: | |
| - 1.21-bullseye | |
| include: | |
| - golang_cross: 1.21-bullseye | |
| goreleaser: 'ci/goreleaser/goreleaser.yml' | |
| cgo: 0 | |
| rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023' | |
| debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm' | |
| outputs: | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| commit_author: ${{ steps.fetch-author.outputs.commit_author}} | |
| steps: | |
| - name: Checkout of tyk-pump | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Get commit author | |
| id: fetch-author | |
| run: echo "commit_author=$(git show -s --format='%ae' HEAD)" >> $GITHUB_OUTPUT | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Login to DockerHub | |
| if: startsWith(github.ref, 'refs/tags') | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to Cloudsmith | |
| if: startsWith(github.ref, 'refs/tags') | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker.tyk.io | |
| username: ${{ secrets.CLOUDSMITH_USERNAME }} | |
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| - name: Build | |
| env: | |
| NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} | |
| PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
| PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
| run: | | |
| echo '#!/bin/sh | |
| ci/bin/unlock-agent.sh | |
| git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com" | |
| git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-pump | |
| goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip-sign' || '' }}' | tee /tmp/build.sh | |
| chmod +x /tmp/build.sh | |
| docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \ | |
| -e GOPRIVATE=github.com/TykTechnologies \ | |
| -e DEBVERS='${{ matrix.debvers }}' \ | |
| -e RPMVERS='${{ matrix.rpmvers }}' \ | |
| -e CGO_ENABLED=${{ matrix.cgo }} \ | |
| -e NFPM_STD_PASSPHRASE="$NFPM_STD_PASSPHRASE" \ | |
| -e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20 \ | |
| -e PKG_SIGNING_KEY="$PKG_SIGNING_KEY" \ | |
| -e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN \ | |
| -v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk-pump \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v ~/.docker/config.json:/root/.docker/config.json \ | |
| -e GOCACHE=/cache/go-build \ | |
| -e GOMODCACHE=/go/pkg/mod \ | |
| -v ~/go/pkg/mod:/go/pkg/mod \ | |
| -v ~/.cache/go-build:/cache/go-build \ | |
| -v /tmp/build.sh:/tmp/build.sh \ | |
| -w /go/src/github.com/TykTechnologies/tyk-pump \ | |
| tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | |
| role-session-name: cipush | |
| aws-region: eu-central-1 | |
| # Don't mask to pass it across job boundaries | |
| mask-aws-account-id: false | |
| - uses: aws-actions/amazon-ecr-login@v2 | |
| id: ecr | |
| if: ${{ matrix.golang_cross == '1.21-bullseye' }} | |
| with: | |
| mask-password: 'true' | |
| - name: Docker metadata for CI | |
| id: metadata | |
| if: ${{ matrix.golang_cross == '1.21-bullseye' }} | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ steps.ecr.outputs.registry }}/tyk-pump | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha,format=long | |
| type=semver,pattern=v{{major}}.{{minor}},prefix=v | |
| type=semver,pattern=v{{version}},prefix=v | |
| - name: CI push | |
| if: ${{ matrix.golang_cross == '1.21-bullseye' }} | |
| shell: bash | |
| env: | |
| t: ${{ steps.metadata.outputs.tags }} | |
| build_tag: ${{ startswith(github.ref, 'refs/tags') && github.ref_name || 'v0.0.0' }} | |
| run: | | |
| set +e | |
| IFS=$'\n' tags=($t) | |
| for tag in "${tags[@]}"; do | |
| for arch in amd64 arm64; do | |
| docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch} | |
| done | |
| docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag} | |
| done | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ matrix.golang_cross == '1.21-bullseye' }} | |
| with: | |
| name: deb | |
| retention-days: 1 | |
| path: | | |
| dist/*.deb | |
| !dist/*PAYG*.deb | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ matrix.golang_cross == '1.21-bullseye' }} | |
| with: | |
| name: rpm | |
| retention-days: 1 | |
| path: | | |
| dist/*.rpm | |
| !dist/*PAYG*.rpm | |
| test-controller-api: | |
| needs: goreleaser | |
| runs-on: ubuntu-latest-m-2 | |
| container: tykio/gromit:v1.7 | |
| outputs: | |
| conf: ${{ steps.params.outputs.api_conf }} | |
| db: ${{ steps.params.outputs.api_db }} | |
| pump: ${{ steps.params.outputs.pump }} | |
| sink: ${{ steps.params.outputs.sink }} | |
| gd_tag: ${{ steps.params.outputs.gd_tag }} | |
| versions: ${{ steps.params.outputs.versions }} | |
| exclude: ${{ steps.params.outputs.exclude }} | |
| steps: | |
| - name: set params | |
| id: params | |
| env: | |
| REPO: ${{ github.repository }} | |
| # Cover pull_request_target too | |
| BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref}} | |
| TAGS: ${{ needs.goreleaser.outputs.tags }} | |
| IS_PR: ${{startsWith(github.event_name, 'pull_request') && 'yes' }} | |
| IS_TAG: ${{startsWith(github.ref, 'refs/tags') && 'yes' }} | |
| JOB: api | |
| run: gromit policy controller --loglevel debug | tee -a "$GITHUB_OUTPUT" | |
| api-tests: | |
| needs: [goreleaser, test-controller-api] | |
| runs-on: ubuntu-latest-m-2 | |
| env: | |
| METADATA_REPORT_PATH: /tmp/metadata.toml | |
| XUNIT_REPORT_PATH: ${{ github.workspace }}/reports/pytest-report.xml | |
| permissions: | |
| id-token: write # This is required for requesting the Github JWT | |
| contents: read # This is required for actions/checkout | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| conf: ${{ fromJson(needs.test-controller-api.outputs.conf) }} | |
| db: ${{ fromJson(needs.test-controller-api.outputs.db) }} | |
| sink: ${{ fromJson(needs.test-controller-api.outputs.sink) }} | |
| include: | |
| - db: postgres15 | |
| markers: "and not sql" | |
| exclude: ${{ fromJson(needs.test-controller-api.outputs.exclude) }} | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | |
| role-session-name: cipush | |
| aws-region: eu-central-1 | |
| - id: ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| mask-password: 'true' | |
| # Only ${{ github.actor }} has access | |
| # See https://github.com/mxschmitt/action-tmate#use-registered-public-ssh-keys | |
| - name: Setup tmate session only in debug mode | |
| uses: mxschmitt/action-tmate@v3 | |
| if: runner.debug == '1' | |
| with: | |
| detached: true | |
| limit-access-to-actor: true | |
| - name: fetch env from tyk-ci | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh release download --repo github.com/TykTechnologies/tyk-ci -p 'ci-env.tgz' -O env.tgz | |
| tar xzvf env.tgz | |
| - name: env up | |
| shell: bash | |
| working-directory: auto | |
| id: env_up | |
| env: | |
| pull_policy: 'if_not_present' | |
| GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | |
| TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }} | |
| TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }} | |
| ECR: ${{ steps.ecr.outputs.registry }} | |
| VERSIONS: ${{ needs.test-controller-api.outputs.versions }} | |
| run: | | |
| echo "ECR=${ECR} | |
| $VERSIONS | |
| tyk_sink_image=${{matrix.sink}} | |
| confs_dir=./pro-ha | |
| env_file=local-${{ matrix.db }}.env" > versions.env | |
| echo "::group::versions" | |
| cat versions.env | |
| echo "::endgroup::" | |
| # Add Tyk component config variations to $env_file | |
| cat confs/${{ matrix.conf }}.env >> local-${{ matrix.db }}.env | |
| # bring up env, the project name is important | |
| docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml --env-file versions.env --profile master-datacenter up --quiet-pull -d | |
| ./dash-bootstrap.sh http://localhost:3000 | |
| docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml --env-file versions.env --profile slave-datacenter up --quiet-pull -d | |
| - name: Run tests | |
| working-directory: auto | |
| id: test_execution | |
| run: | | |
| # Generate report id | |
| echo "id=$(date +%s%N)" >> $GITHUB_OUTPUT | |
| # Run tests | |
| set -o pipefail | |
| echo "### API tests ${{ matrix.db }} ${{ matrix.conf }}" >> $GITHUB_STEP_SUMMARY | |
| if docker run --rm --network auto_default --env-file pytest.env -v ${{ github.workspace }}/reports:/app/reports \ | |
| ${{ steps.ecr.outputs.registry }}/tyk-automated-tests:${{ needs.test-controller-api.outputs.gd_tag }} \ | |
| pytest -c pytest_ci.ini --junitxml=./${XUNIT_REPORT_PATH#"${{ github.workspace }}"} --ci -m "not local and not dind ${{ matrix.markers }}" | tee tests.out; then | |
| echo "All tests passed!" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "::error title=API tests ${{ matrix.db }} ${{ matrix.conf }}::Test execution failed" | |
| cat tests.out >> $GITHUB_STEP_SUMMARY | |
| exit 1 | |
| fi | |
| - name: Generate metadata | |
| if: always() && steps.test_execution.outcome != 'skipped' | |
| id: metadata_report | |
| env: | |
| REPORT_NAME: ${{ github.repository }}_${{ github.run_id }}_${{ github.run_attempt }}-${{steps.test_execution.outputs.id}} | |
| run: | | |
| # Generate metadata report | |
| echo "[metadata] | |
| repo = ${{ github.repository }} | |
| branch = ${{ github.ref }} | |
| commit = ${{ github.sha }} | |
| test_suite_version = ${{ needs.test-controller-api.outputs.gd_tag }} | |
| test_suite_name = ${{ github.job }} | |
| test_suite_run = ${{ github.run_id }}-${{ github.run_attempt }} | |
| db = ${{ matrix.db }} | |
| conf = ${{ matrix.conf }} | |
| pump_compatibility = ${{ matrix.pump }} | |
| sink_compatibility = ${{ matrix.sink }} | |
| " > ${METADATA_REPORT_PATH} | |
| # Print metadata report | |
| if [[ "${{ runner.debug }}" == "1" ]]; then | |
| echo "::group::metadata report" | |
| cat ${METADATA_REPORT_PATH} | |
| echo "::endgroup::" | |
| fi | |
| #Upload xunit report | |
| aws s3 cp ${XUNIT_REPORT_PATH} s3://assets.dev.tyk.technology/testreports/${REPORT_NAME#*/}.xml | |
| #Upload metadata report | |
| aws s3 cp ${METADATA_REPORT_PATH} s3://assets.dev.tyk.technology/testreports/${REPORT_NAME#*/}.metadata.toml | |
| - name: Docker logs for all components | |
| if: failure() && (steps.test_execution.outcome != 'success' || steps.env_up.outcome != 'success') | |
| working-directory: auto | |
| env: | |
| pull_policy: 'if_not_present' | |
| GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | |
| TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }} | |
| TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }} | |
| ECR: ${{ steps.ecr.outputs.registry }} | |
| VERSIONS: ${{ needs.test-controller-api.outputs.versions }} | |
| run: | | |
| docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml --env-file versions.env --profile all logs | sort > ${{ github.workspace }}/docker-compose.log | |
| echo "::group::DockerLogs" | |
| cat ${{ github.workspace }}/docker-compose.log | |
| echo "::endgroup::" | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v4 | |
| if: failure() && (steps.test_execution.outcome != 'success' || steps.env_up.outcome != 'success') | |
| with: | |
| name: docker-compose-logs-${{ github.job }}-${{ matrix.db }}-${{ matrix.conf }}-${{ github.run_id }} | |
| path: ${{ github.workspace }}/docker-compose.log | |
| retention-days: 3 | |
| overwrite: true | |
| - name: Archive Integration tests report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: api-test-report-${{ matrix.db }}-${{ matrix.conf }}-${{ github.run_id }} | |
| retention-days: 3 | |
| path: ${{ github.workspace }}/reports | |
| overwrite: true | |
| - name: Fetch commit author | |
| if: failure() && steps.test_execution.outcome != 'success' && github.event_name == 'push' | |
| env: | |
| USER_EMAIL: ${{ needs.goreleaser.outputs.commit_author }} | |
| run: echo "GIT_USER_EMAIL=$USER_EMAIL" >> $GITHUB_ENV | |
| - name: Fetch slack user | |
| if: failure() && steps.test_execution.outcome != 'success' && github.event_name == 'push' | |
| id: fetch_slack_user | |
| uses: TykTechnologies/github-actions/.github/actions/github-to-slack@main | |
| with: | |
| github_email: ${{ env.GIT_USER_EMAIL }} | |
| - name: Notify slack | |
| if: failure() && steps.test_execution.outcome != 'success' && github.event_name == 'push' | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.API_TEST_ALERT_SLACK_WEBHOOK }} | |
| SLACK_COLOR: ${{ job.status }} | |
| SLACK_TITLE: "Result: ${{ steps.test_execution.outcome }}" | |
| SLACK_USERNAME: API INTEGRATION TESTS | |
| SLACK_MESSAGE: "*Test*: ${{ matrix.db }}-${{ matrix.conf }}, *Author*: ${{ steps.fetch_slack_user.outputs.slack-user-name }}" | |
| SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|SEE EXECUTION DETAILS HERE>" | |
| upgrade-deb: | |
| services: | |
| httpbin.org: | |
| image: kennethreitz/httpbin | |
| runs-on: ubuntu-latest | |
| needs: goreleaser | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: | |
| - amd64 | |
| - arm64 | |
| distro: | |
| - ubuntu:bionic | |
| - ubuntu:focal | |
| - ubuntu:jammy | |
| - debian:bullseye | |
| - debian:bookworm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: deb | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: generate dockerfile | |
| run: | | |
| echo 'FROM ${{ matrix.distro }} | |
| ARG TARGETARCH | |
| COPY tyk-pump*_${TARGETARCH}.deb /tyk-pump.deb | |
| RUN apt-get update && apt-get install -y curl | |
| RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.deb.sh | bash && apt-get install -y tyk-pump=1.6.0 | |
| RUN dpkg -i tyk-pump.deb | |
| ' > Dockerfile | |
| - name: install on ${{ matrix.distro }} | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: "." | |
| platforms: linux/${{ matrix.arch }} | |
| file: Dockerfile | |
| push: false | |
| upgrade-rpm: | |
| services: | |
| httpbin.org: | |
| image: kennethreitz/httpbin | |
| needs: goreleaser | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| distro: | |
| - amazonlinux:2023 | |
| - registry.access.redhat.com/ubi8/ubi | |
| - registry.access.redhat.com/ubi9/ubi | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: rpm | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: generate dockerfile | |
| run: | | |
| echo 'FROM ${{ matrix.distro }} | |
| COPY tyk-pump*.x86_64.rpm /tyk-pump.rpm | |
| RUN command -v curl || yum install -y curl | |
| RUN command -v useradd || yum install -y shadow-utils | |
| RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash && yum install -y tyk-pump-1.6.0-1 | |
| RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-pump.key && rpm --import tyk-pump.key | |
| RUN rpm --checksig tyk-pump.rpm | |
| RUN rpm -Uvh --force tyk-pump.rpm | |
| ' > Dockerfile | |
| - name: install on ${{ matrix.distro }} | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: "." | |
| file: Dockerfile | |
| push: false | |
| sbom: | |
| needs: goreleaser | |
| uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main | |
| secrets: | |
| DEPDASH_URL: ${{ secrets.DEPDASH_URL }} | |
| DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }} | |
| ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} |