name: CI on: push: branches: - main - release-* pull_request: {} workflow_dispatch: {} env: # Common versions GOLANGCI_VERSION: 'v1.49.0' KUBERNETES_VERSION: '1.24.x' DOCKER_BUILDX_VERSION: 'v0.4.2' # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} # Sonar SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} jobs: detect-noop: runs-on: ubuntu-18.04 outputs: noop: ${{ steps.noop.outputs.should_skip }} steps: - name: Detect No-op Changes id: noop uses: fkirc/skip-duplicate-actions@v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} paths_ignore: '["**.md", "**.png", "**.jpg"]' do_not_skip: '["workflow_dispatch", "schedule", "push"]' concurrent_skipping: false lint: runs-on: ubuntu-18.04 needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' steps: - name: Checkout uses: actions/checkout@v3 - name: Setup Go uses: actions/setup-go@v3 with: go-version-file: "go.mod" - name: Find the Go Cache id: go run: | echo "::set-output name=build-cache::$(go env GOCACHE)" echo "::set-output name=mod-cache::$(go env GOMODCACHE)" - name: Cache the Go Build Cache uses: actions/cache@v3 with: path: ${{ steps.go.outputs.build-cache }} key: ${{ runner.os }}-build-lint-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-build-lint-${{ github.sha }}- - name: Cache Go Dependencies uses: actions/cache@v3 with: path: ${{ steps.go.outputs.mod-cache }} key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}- # This action uses its own setup-go, which always seems to use the latest # stable version of Go. We could run 'make lint' to ensure our desired Go # version, but we prefer this action because it leaves 'annotations' (i.e. # it comments on PRs to point out linter violations). - name: Lint uses: golangci/golangci-lint-action@v3.2.0 with: version: ${{ env.GOLANGCI_VERSION }} skip-pkg-cache: true skip-build-cache: true skip-go-installation: true check-diff: runs-on: ubuntu-18.04 needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' steps: - name: Checkout uses: actions/checkout@v3 - name: Setup Go uses: actions/setup-go@v3 with: go-version-file: "go.mod" - name: Find the Go Cache id: go run: | echo "::set-output name=build-cache::$(go env GOCACHE)" echo "::set-output name=mod-cache::$(go env GOMODCACHE)" - name: Cache the Go Build Cache uses: actions/cache@v3 with: path: ${{ steps.go.outputs.build-cache }} key: ${{ runner.os }}-build-check-diff-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-build-check-diff-${{ github.sha }}- - name: Cache Go Dependencies uses: actions/cache@v3 with: path: ${{ steps.go.outputs.mod-cache }} key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}- # Check DIff also runs Reviewable which needs golangci-lint installed - name: Check Diff run: | wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${{ env.GOLANGCI_VERSION }} export PATH=$PATH:./bin make check-diff unit-tests: runs-on: ubuntu-18.04 needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' steps: - name: Checkout uses: actions/checkout@v3 - name: Fetch History run: git fetch --prune --unshallow - name: Setup Go uses: actions/setup-go@v3 with: go-version-file: "go.mod" - name: Find the Go Cache id: go run: | echo "::set-output name=build-cache::$(go env GOCACHE)" echo "::set-output name=mod-cache::$(go env GOMODCACHE)" - name: Cache the Go Build Cache uses: actions/cache@v3 with: path: ${{ steps.go.outputs.build-cache }} key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}- - name: Cache Go Dependencies uses: actions/cache@v3 with: path: ${{ steps.go.outputs.mod-cache }} key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}- - name: Add setup-envtest run: | go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH) - name: Cache envtest binaries uses: actions/cache@v3 with: path: /home/runner/.local/share/kubebuilder-envtest/ key: ${{ runner.os }}-kubebuilder-${{env.KUBERNETES_VERSION}} restore-keys: ${{ runner.os }}-kubebuilder- - name: Run Unit Tests run: | export KUBEBUILDER_ATTACH_CONTROL_PLANE_OUTPUT=true source <(setup-envtest use ${{env.KUBERNETES_VERSION}} -p env --os $(go env GOOS) --arch $(go env GOARCH)) make test publish-artifacts: runs-on: ubuntu-18.04 needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' permissions: id-token: write contents: read steps: - name: Setup QEMU uses: docker/setup-qemu-action@v2 with: platforms: all - name: Setup Docker Buildx uses: docker/setup-buildx-action@v2 with: version: ${{ env.DOCKER_BUILDX_VERSION }} install: true - name: Checkout uses: actions/checkout@v3 - name: Fetch History run: git fetch --prune --unshallow - name: Setup Go uses: actions/setup-go@v3 with: go-version-file: "go.mod" - name: Find the Go Cache id: go run: | echo "::set-output name=build-cache::$(go env GOCACHE)" echo "::set-output name=mod-cache::$(go env GOMODCACHE)" - name: Cache the Go Build Cache uses: actions/cache@v3 with: path: ${{ steps.go.outputs.build-cache }} key: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-build-publish-artifacts-${{ github.sha }}- - name: Cache Go Dependencies uses: actions/cache@v3 with: path: ${{ steps.go.outputs.mod-cache }} key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }} restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}- - name: Login to Docker uses: docker/login-action@v2 if: env.GHCR_USERNAME != '' with: registry: ghcr.io username: ${{ secrets.GHCR_USERNAME }} password: ${{ secrets.GHCR_TOKEN }} - name: Build & Publish Artifacts if: env.GHCR_USERNAME != '' env: BUILD_ARGS: "--push --platform linux/amd64,linux/arm64" run: make docker.build - name: Get docker image tag if: env.GHCR_USERNAME != '' id: image_version run: echo "::set-output name=image::$(make docker.image)" - name: Run Trivy vulnerability scanner if: env.GHCR_USERNAME != '' uses: aquasecurity/trivy-action@master with: image-ref: '${{ steps.image_version.outputs.image }}' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - name: Promote Artifacts to main release channel if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' run: make docker.promote env: RELEASE_TAG: main - name: Set up crane if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0 - name: Install cosign if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' uses: sigstore/cosign-installer@v2.6.0 - name: Sign Artifacts to main release channel if: github.ref == 'refs/heads/main' && env.GHCR_USERNAME != '' run: make docker.sign env: RELEASE_TAG: main COSIGN_EXPERIMENTAL: true