-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #15 from kube-logging/minimal-ci
feat(ci): add minimal CI
- Loading branch information
Showing
18 changed files
with
1,092 additions
and
374 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| name: Artifacts | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| publish: | ||
| description: Publish artifacts to the artifact store | ||
| default: false | ||
| required: false | ||
| type: boolean | ||
| release: | ||
| description: Whether this is a release build | ||
| default: false | ||
| required: false | ||
| type: boolean | ||
| outputs: | ||
| container-image-name: | ||
| description: Container image name | ||
| value: ${{ jobs.container-image.outputs.name }} | ||
| container-image-digest: | ||
| description: Container image digest | ||
| value: ${{ jobs.container-image.outputs.digest }} | ||
| container-image-tag: | ||
| description: Container image tag | ||
| value: ${{ jobs.container-image.outputs.tag }} | ||
| container-image-ref: | ||
| description: Container image ref | ||
| value: ${{ jobs.container-image.outputs.ref }} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| container-image: | ||
| name: Container image | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| security-events: write | ||
|
|
||
| outputs: | ||
| name: ${{ steps.image-name.outputs.value }} | ||
| digest: ${{ steps.build.outputs.digest }} | ||
| tag: ${{ steps.meta.outputs.version }} | ||
| ref: ${{ steps.image-ref.outputs.value }} | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | ||
|
|
||
| - name: Set image name | ||
| id: image-name | ||
| run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Gather build metadata | ||
| id: meta | ||
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 | ||
| with: | ||
| images: ${{ steps.image-name.outputs.value }} | ||
| flavor: | | ||
| latest = false | ||
| tags: | | ||
| type=ref,event=branch | ||
| type=ref,event=pr,prefix=pr- | ||
| type=semver,pattern={{raw}} | ||
| type=raw,value=latest,enable={{is_default_branch}} | ||
| labels: | | ||
| org.opencontainers.image.description=Telemetry controller | ||
| org.opencontainers.image.title=Telemetry controller | ||
| org.opencontainers.image.authors=Kube logging authors | ||
| org.opencontainers.image.documentation=https://todo.docs | ||
| # Multiple exporters are not supported yet | ||
| # See https://github.com/moby/buildkit/pull/2760 | ||
| - name: Determine build output | ||
| uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
| id: build-output | ||
| with: | ||
| cond: ${{ inputs.publish }} | ||
| if_true: type=image,push=true | ||
| if_false: type=oci,dest=image.tar | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ github.token }} | ||
| if: inputs.publish | ||
|
|
||
| - name: Build and push image | ||
| id: build | ||
| uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64,linux/arm/v7 | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| outputs: ${{ steps.build-output.outputs.value }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} | ||
| # push: ${{ inputs.publish }} | ||
|
|
||
| - name: Set image ref | ||
| id: image-ref | ||
| run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Fetch image | ||
| run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar | ||
| if: inputs.publish | ||
|
|
||
| - name: Extract OCI tarball | ||
| run: | | ||
| mkdir -p image | ||
| tar -xf image.tar -C image | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 | ||
| with: | ||
| input: image | ||
| format: sarif | ||
| output: trivy-results.sarif | ||
|
|
||
| - name: Upload Trivy scan results as artifact | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
| with: | ||
| name: "[${{ github.job }}] Trivy scan results" | ||
| path: trivy-results.sarif | ||
| retention-days: 5 | ||
|
|
||
| # TODO: Enable it once it can successfully run | ||
| # - name: Upload Trivy scan results to GitHub Security tab | ||
| # uses: github/codeql-action/upload-sarif@6b5b95806324a3ee7e164709fbfc152595556fe9 # v2.16.1 | ||
| # with: | ||
| # sarif_file: trivy-results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - "release-[0-9]+.[0-9]+*" | ||
|
|
||
| pull_request: | ||
|
|
||
| jobs: | ||
| test: | ||
| name: Test | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| with: | ||
| go-version: '1.21' | ||
|
|
||
| - name: Check diff | ||
| run: make check-diff | ||
|
|
||
| - name: Test | ||
| run: make test | ||
|
|
||
| lint: | ||
| name: Lint | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| with: | ||
| go-version: '1.21' | ||
|
|
||
| - name: Lint | ||
| run: make lint | ||
| env: | ||
| LINTER_FLAGS: '--timeout 5m' | ||
|
|
||
| license-check: | ||
| name: License check | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| with: | ||
| go-version: '1.21' | ||
|
|
||
| - name: Cache licenses | ||
| uses: actions/cache@v3 | ||
| with: | ||
| key: licensei-v2-${{ hashFiles('go.sum') }} | ||
| path: | | ||
| .licensei.cache | ||
| restore-keys: | | ||
| licensei-v2 | ||
| - name: Download license information for dependencies | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
| run: make license-cache | ||
|
|
||
| - name: Check licenses | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
| run: make license-check | ||
|
|
||
| artifacts: | ||
| name: Artifacts | ||
| uses: ./.github/workflows/artifacts.yaml | ||
| with: | ||
| publish: ${{ github.event_name == 'push' }} | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| security-events: write |
Oops, something went wrong.