Build and Deploy #525
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| on: | |
| push: | |
| branches: ["master"] | |
| pull_request: | |
| branches: ["master"] | |
| schedule: | |
| - cron: '0 6 * * *' | |
| env: | |
| TARGET: linux/amd64 | |
| BUILD_FLAGS: --no-cache | |
| jobs: | |
| build: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Build the Docker images | |
| run: make images | |
| scan: | |
| needs: [ "build" ] | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Build the Docker image | |
| env: | |
| # amd build so that local 'docker images' can access images | |
| TARGET: linux/amd64 | |
| BUILD_FLAGS: --load --no-cache | |
| run: make images | |
| - name: Scan image | |
| id: scan | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: "pegasystems/k8s-wait-for:latest" | |
| fail-build: true | |
| severity-cutoff: "high" | |
| output-format: sarif | |
| - name: Log Scan Results | |
| if: always() | |
| run: | | |
| echo "Failures:" | |
| cat ${{ steps.scan.outputs.sarif }} | jq 'if .runs[0].tool.driver.rules != null then .runs[0].tool.driver.rules[].shortDescription.text else "" end' | grep -i "critical" || true | |
| cat ${{ steps.scan.outputs.sarif }} | jq 'if .runs[0].tool.driver.rules != null then .runs[0].tool.driver.rules[].shortDescription.text else "" end' | grep -i "high" || true | |
| echo "Warnings:" | |
| cat ${{ steps.scan.outputs.sarif }} | jq 'if .runs[0].tool.driver.rules != null then .runs[0].tool.driver.rules[].shortDescription.text else "" end' | grep -i "medium" || true | |
| cat ${{ steps.scan.outputs.sarif }} | jq 'if .runs[0].tool.driver.rules != null then .runs[0].tool.driver.rules[].shortDescription.text else "" end' | grep -i "low" || true | |
| cat ${{ steps.scan.outputs.sarif }} | jq 'if .runs[0].tool.driver.rules != null then .runs[0].tool.driver.rules[].shortDescription.text else "" end' | grep -iv "critical\|high\|medium\|low" || true | |
| - name: Publish Scan Results as Artifact | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-scan-results | |
| path: ${{ steps.scan.outputs.sarif }} | |
| - name: View sarif file | |
| if: always() | |
| run: | | |
| cat ${{ steps.scan.outputs.sarif }} | |
| - name: Upload Anchore Scan SARIF Report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| deploy: | |
| name: Push to DockerHub | |
| if: ${{ github.ref == 'refs/heads/master' && github.repository == 'pegasystems/k8s-wait-for' }} | |
| runs-on: ubuntu-latest | |
| needs: [scan, test] | |
| steps: | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Check out working repository | |
| uses: actions/checkout@v2 | |
| - name: Push image to dockerhub | |
| run: make push | |
| test: | |
| name: Container Tests | |
| runs-on: ubuntu-latest | |
| if: always() | |
| needs: [build, scan] | |
| env: | |
| CHANGE_MINIKUBE_NONE_USER: true | |
| MINIKUBE_WANTUPDATENOTIFICATION: false | |
| MINIKUBE_WANTREPORTERRORPROMPT: false | |
| steps: | |
| #- name: Login to Docker Hub | |
| # uses: docker/login-action@v1 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| #- name: Check out working repository | |
| # uses: actions/checkout@v2 | |
| - uses: actions/checkout@v3 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Setup environment variables | |
| run: | | |
| echo "MINIKUBE_HOME=$HOME" >> $GITHUB_ENV | |
| echo "KUBECONFIG=$HOME/.kube/config" >> $GITHUB_ENV | |
| - name: Build the Docker image | |
| env: | |
| # amd build so that local 'docker images' can access images | |
| TARGET: linux/amd64 | |
| BUILD_FLAGS: --load --no-cache | |
| run: make test | |
| - name: Run Container Tests | |
| run: | | |
| curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 | |
| chmod +x container-structure-test-linux-amd64 | |
| sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test | |
| - name: Install prerequisites | |
| run: | | |
| curl -o bash_unit "https://raw.githubusercontent.com/pgrange/bash_unit/master/bash_unit" | |
| chmod +x bash_unit | |
| curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.23.15/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ | |
| curl -Lo minikube https://storage.googleapis.com/minikube/releases/v1.28.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ | |
| mkdir -p $HOME/.kube $HOME/.minikube | |
| touch $KUBECONFIG | |
| sudo apt-get install -y conntrack | |
| minikube start --vm-driver=none --kubernetes-version=v1.23.15 | |
| echo "minikube startup complete." | |
| docker save -o k8s-wait-for-test pegasystems/k8s-wait-for:test | |
| minikube image load k8s-wait-for-test | |
| echo "Sleeping for 10s..." | |
| sleep 10 | |
| - name: Ensure kubernetes is ready | |
| run: | | |
| kubectl cluster-info | |
| JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}'; until kubectl -n kube-system get pods -lk8s-app=kube-dns -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do sleep 1;echo "waiting for kube-dns to be available"; kubectl get pods --all-namespaces; done | |
| - name: Run functional tests | |
| run: | | |
| kubectl apply -f tests/kubernetes-role-access.yaml | |
| ./bash_unit tests/test_* |