-
Notifications
You must be signed in to change notification settings - Fork 0
426 lines (377 loc) · 15.2 KB
/
reusable-extension-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
##
# This workflow can be used to build and release extensions.
#
# Pre-requisites:
# - There is a branch `gh-pages` in the repository
# - `/gpg.key` is included in .gitignore
name: Extension CI
on:
workflow_call:
inputs:
build_linux_packages:
type: boolean
required: true
description: |
If set to true, the workflow will build Linux packages
runs_on:
type: string
required: false
default: ubuntu-latest
use_kvm:
type: boolean
required: false
default: false
run_make_prepare_audit:
type: boolean
required: false
default: false
go_version:
type: string
required: false
default: '1.21'
packages_with_index:
type: boolean
required: false
default: false
description: |
Can be used for private repos. The helm chart will be uploaded to the gh-pages branch
VERSION_BUMPER_APPID:
type: string
required: false
default: false
description: |
Github app ID to use for version bump
secrets:
SONAR_TOKEN:
required: false
description: Optional SonarCloud token
PAT_TOKEN_EXTENSION_DEPLOYER:
required: false
description: Optional token to trigger extension restarts
MAVEN_GPG_PRIVATE_KEY:
required: false
description: GPG private key to sign packages, required if build_linux_packages is true
MAVEN_GPG_PRIVATE_KEY_PASSWORD:
required: false
description: GPG private key password, required if build_linux_packages is true
PAT_TOKEN_GORELEASER:
required: false
description: PAT Token, required if build_linux_packages is true
STEADYBIT_ARTIFACT_SERVER_USERNAME:
required: false
description: Username for artifact server, required if build_linux_packages is true
STEADYBIT_ARTIFACT_SERVER_PASSWORD:
required: false
description: Password for artifact server, required if build_linux_packages is true
SNYK_TOKEN:
required: false
description: Optional snyk token
VERSION_BUMPER_SECRET:
required: false
description: Private key of the github app to use for version bump
jobs:
audit:
name: Audit
runs-on: ${{ inputs.runs_on }}
timeout-minutes: 60
env:
sonar_available: ${{ secrets.SONAR_TOKEN != '' && 'true' || 'false' }}
snyk_available: ${{ secrets.SNYK_TOKEN != '' && 'true' || 'false' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Remove non-semver tags (from helmchart) for goreleaser to work properly
run: |
git tag -d $(git tag -l | grep -v "^v[0-9]*.[0-9]*.[0-9]*")
- uses: actions/setup-go@v5
with:
go-version: ${{ inputs.go_version }}
- name: Enable KVM group perms
if: ${{ inputs.use_kvm }}
run: |
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm
sudo apt-get update
sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86
sudo usermod -a -G kvm,libvirt $USER
- name: Prepare audit
if: ${{ inputs.run_make_prepare_audit }}
run: |
make prepare_audit
- name: Audit
run: |
go mod download
echo ${{ inputs.use_kvm }}
if [ "${{ inputs.use_kvm }}" != 'true' ]; then
make audit
else
echo 'exec in a new sell for the group change to take effect'
sudo -u $USER env "PATH=$PATH" make audit
fi
- name: "[release] Snyk test"
if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
uses: snyk/actions/golang@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --org=${{ vars.SNYK_ORG_ID }} --severity-threshold=high --project-name=${{ github.repository }} --target-reference=${{ github.ref_name }}
command: test
- name: SonarCloud Scan
if: ${{ env.sonar_available == 'true' }}
uses: SonarSource/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: "[release] SonarCloud Quality Gate check"
if: ${{ startsWith(github.ref, 'refs/tags/') && env.sonar_available == 'true' }}
uses: sonarsource/[email protected]
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
build-images:
name: Build Docker Images
needs: [audit]
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: read
packages: write
outputs:
version: ${{ steps.meta.outputs.version }}
deployer_available: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER != '' }}
version_bump_available: ${{ vars.VERSION_BUMPER_APPID != '' && secrets.VERSION_BUMPER_SECRET != '' }}
env:
snyk_available: ${{ secrets.SNYK_TOKEN != '' && 'true' || 'false' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Remove non-semver tags (from helmchart) for goreleaser to work properly
run: |
git tag -d $(git tag -l | grep -v "^v[0-9]*.[0-9]*.[0-9]*")
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the container registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}
- name: "[release] Build Docker image release candidate"
if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
uses: docker/build-push-action@v6
with:
context: ./
push: false
load: true
tags: ghcr.io/${{ github.repository }}:rc
build-args: |
BUILD_SNAPSHOT=${{ !startsWith(github.ref, 'refs/tags/') }}
NAME=${{ github.repository }}
VERSION=${{ steps.meta.outputs.version }}
REVISION=${{ github.sha }}
- name: "[release] Snyk monitor docker image release candidate"
# we need to run monitor before test to be able to ignore issues
if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
uses: snyk/actions/docker@master
with:
image: ghcr.io/${{ github.repository }}:rc
args: --file=Dockerfile --severity-threshold=high --project-name=${{ github.repository }} --target-reference=${{ github.ref_name }} --username=${{ github.actor }} --password=${{ secrets.GITHUB_TOKEN }}
command: monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: "[release] Snyk test docker image release candidate"
if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
uses: snyk/actions/docker@master
with:
image: ghcr.io/${{ github.repository }}:rc
args: --file=Dockerfile --severity-threshold=high --project-name=${{ github.repository }} --target-reference=${{ github.ref_name }}
command: test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: ./
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
build-args: |
BUILD_SNAPSHOT=${{ !startsWith(github.ref, 'refs/tags/') }}
NAME=${{ github.repository }}
VERSION=${{ steps.meta.outputs.version }}
REVISION=${{ github.sha }}
snyk-monitor:
name: "[Release] Snyk Monitor latest"
uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main
if: ${{ startsWith(github.ref, 'refs/tags/') }}
needs: [build-images]
with:
command: monitor
container_image: ghcr.io/${{ github.repository }}:latest
target_ref: latest
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
build-packages:
if: ${{ inputs.build_linux_packages }}
name: Build Linux Packages
needs: [audit]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Remove non-semver tags (from helmchart) for goreleaser to work properly
run: |
git tag -d $(git tag -l | grep -v "^v[0-9]*.[0-9]*.[0-9]*")
- uses: actions/setup-go@v5
with:
go-version: ${{ inputs.go_version }}
- name: Export GPG key
run: |
mkdir -p gpg
echo -n "${{ secrets.MAVEN_GPG_PRIVATE_KEY }}" > gpg.key
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
args: release --clean ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }} ${{ github.event_name == 'pull_request' && '--skip sign' || '' }}
env:
NFPM_KEY_FILE: gpg.key
NFPM_DEFAULT_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSWORD }}
GITHUB_TOKEN: ${{ secrets.PAT_TOKEN_GORELEASER }}
- name: "[build] Upload packages to internal repositories"
if: github.event_name != 'pull_request'
run: |
REPO_USER="${{ secrets.STEADYBIT_ARTIFACT_SERVER_USERNAME }}:${{ secrets.STEADYBIT_ARTIFACT_SERVER_PASSWORD }}"
echo "Uploading deb packages to artifacts server"
find ./dist -name '*.deb' -type f | xargs -i curl -u "$REPO_USER" -X POST -H "Content-Type: multipart/form-data" --data-binary "@{}" https://artifacts.steadybit.io/repository/deb-internal/
echo "Uploading rpm packages to artifacts server"
find ./dist -name '*.rpm' -type f | xargs -i curl -u "$REPO_USER" --upload-file {} https://artifacts.steadybit.io/repository/yum-internal/
- name: "[release] Upload packages to public repositories"
if: ${{ startsWith(github.ref, 'refs/tags/') }}
run: |
REPO_USER="${{ secrets.STEADYBIT_ARTIFACT_SERVER_USERNAME }}:${{ secrets.STEADYBIT_ARTIFACT_SERVER_PASSWORD }}"
echo "Uploading deb packages to artifacts server"
find ./dist -name '*.deb' -type f | xargs -i curl -u "$REPO_USER" -X POST -H "Content-Type: multipart/form-data" --data-binary "@{}" https://artifacts.steadybit.io/repository/deb/
echo "Uploading rpm packages to artifacts server"
find ./dist -name '*.rpm' -type f | xargs -i curl -u "$REPO_USER" --upload-file {} https://artifacts.steadybit.io/repository/yum/
echo "Invalidating artifacts server cache"
curl -X POST -u $REPO_USER https://artifacts.steadybit.io/service/rest/v1/repositories/yum-proxy/invalidate-cache
curl -X POST -u $REPO_USER https://artifacts.steadybit.io/service/rest/v1/repositories/yum-public/invalidate-cache
curl -X POST -u $REPO_USER https://artifacts.steadybit.io/service/rest/v1/repositories/deb-public/invalidate-cache
test-helm-charts:
name: "Test Helm Charts"
runs-on: ubuntu-latest
needs: [audit]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.12.2
- name: Add dependency chart repos
run: |
helm repo add steadybit https://steadybit.github.io/helm-charts
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Add unit testing plugin
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest.git
- name: Run unit tests
run: make charttesting
- name: Set up chart-testing
uses: helm/[email protected]
- name: Run chart-testing (lint)
run: make chartlint
bump-chart-version:
name: Bump Chart Patch Version on main branch
needs: [build-images]
if: needs.build-images.outputs.version_bump_available && startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: write
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ inputs.VERSION_BUMPER_APPID }}
private-key: ${{ secrets.VERSION_BUMPER_SECRET }}
- uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
# this commit will effectively cause another run of the workflow which then actually performs the helm chart release
- run: |
npm install -g semver
make chart-bump-version APP_VERSION="${{ needs.build-images.outputs.version }}"
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
git commit -am "chore: update helm chart version"
git push
release-helm-chart:
name: "Release Helm Chart"
runs-on: ubuntu-latest
needs: [test-helm-charts]
if: github.ref == 'refs/heads/main'
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.12.2
- name: Add dependency chart repos
run: |
helm repo add steadybit https://steadybit.github.io/helm-charts
- name: Run chart-releaser
uses: helm/[email protected]
with:
charts_dir: charts
mark_as_latest: false
packages_with_index: ${{ inputs.packages_with_index }}
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
trigger-test-environment-updates:
name: Trigger test environment updates
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && needs.build-images.outputs.deployer_available
needs: [build-images]
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: benc-uk/workflow-dispatch@v1
with:
ref: main
workflow: extension-restart.yml
repo: steadybit/extension-deployer
inputs: '{"extension":"${{ github.repository }}","version":"${{ needs.build-images.outputs.version }}","revision":"${{ github.sha }}"}'
token: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER }}