Merge pull request #5708 from emissary-ingress/flynn/dev/chainsaw-2 #4602
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: job-promote-to-passed | ||
"on": | ||
push: | ||
branches: | ||
- master | ||
- release/v* | ||
pull_request: {} | ||
workflow_dispatch: | ||
jobs: | ||
lint: ######################################################################## | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- shell: bash | ||
run: | | ||
make lint-deps | ||
- shell: bash | ||
run: | | ||
make lint | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
generate: #################################################################### | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Git Login" | ||
run: | | ||
if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then | ||
install -m700 -d ~/.ssh | ||
install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}' | ||
fi | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }} | ||
- name: "'make generate'" | ||
shell: bash | ||
run: | | ||
make generate | ||
- name: "Update dependency information after dependabot change" | ||
uses: datawire/go-mkopensource/actions/[email protected] | ||
id: changed-by-dependabot | ||
with: | ||
branches_to_skip: master | ||
- name: "Abort if dependencies changed" | ||
if: steps.changed-by-dependabot.outputs.is_dirty == 'true' | ||
run: | | ||
echo "Dependabot triggered a dependency update. Aborting workflow." | ||
exit 1 | ||
- uses: ./.github/actions/git-dirty-check | ||
name: "Check Git not dirty from 'make generate'" | ||
- name: "'make generate' (again!)" | ||
shell: bash | ||
run: | | ||
make generate | ||
- uses: ./.github/actions/git-dirty-check | ||
name: "Check Git not dirty from 'make generate' (again!)" | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
check-envoy-protos: #################################################################### | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Git Login" | ||
run: | | ||
if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then | ||
install -m700 -d ~/.ssh | ||
install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}' | ||
fi | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }} | ||
- name: "'make compile-envoy-protos'" | ||
shell: bash | ||
run: | | ||
make compile-envoy-protos | ||
- name: "Check Git not dirty from 'make compile-envoy-protos'" | ||
uses: ./.github/actions/git-dirty-check | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
check-envoy-version: ######################################################### | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Git Login" | ||
run: | | ||
if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then | ||
install -m700 -d ~/.ssh | ||
install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}' | ||
fi | ||
- name: "Docker Login" | ||
# This is important if ENVOY_DOCKER_REPO is a private repo. | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- run: make check-envoy-version | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
# Tests ###################################################################### | ||
apiext-e2e: | ||
runs-on: ubuntu-latest | ||
APIEXT_E2E: "" | ||
APIEXT_BUILD_ARCH: linux/amd64 | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
with: | ||
driver-opts: | | ||
network=host | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: Install k3d | ||
shell: bash | ||
run: | | ||
curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.6.0 bash | ||
k3d --version | ||
- name: go mod vendor | ||
shell: bash | ||
run: | | ||
make vendor | ||
- name: run apiext-e2e tests | ||
shell: bash | ||
run: | | ||
go test -p 1 -parallel 1 -v -tags=apiext ./test/apiext/... -timeout 15m | ||
check-gotest: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- name: make gotest | ||
shell: bash | ||
run: | | ||
make gotest | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
check-pytest: | ||
runs-on: ubuntu-latest | ||
# See pkg/kubeapply/resource_kubeapply.go | ||
DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }} | ||
DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
test: | ||
- integration-tests | ||
- kat-envoy3-tests-1-of-5 | ||
- kat-envoy3-tests-2-of-5 | ||
- kat-envoy3-tests-3-of-5 | ||
- kat-envoy3-tests-4-of-5 | ||
- kat-envoy3-tests-5-of-5 | ||
name: pytest-${{ matrix.test }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- name: Create integration test cluster | ||
run: | | ||
sudo sysctl -w fs.file-max=1600000 | ||
sudo sysctl -w fs.inotify.max_user_instances=4096 | ||
make ci/setup-k3d | ||
- name: Setup integration test environment | ||
run: | | ||
export DEV_KUBE_NO_PVC=yes | ||
export KAT_REQ_LIMIT=900 | ||
export DEV_KUBECONFIG=~/.kube/config | ||
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | ||
make python-integration-test-environment | ||
- name: Run ${{ matrix.test }} | ||
run: | | ||
export DEV_KUBE_NO_PVC=yes | ||
export KAT_REQ_LIMIT=900 | ||
export DEV_KUBECONFIG=~/.kube/config | ||
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | ||
make pytest-${{ matrix.test }} | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
with: | ||
jobname: check-pytest-${{ matrix.test }} | ||
check-pytest-unit: | ||
runs-on: ubuntu-latest | ||
name: pytest-unit | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- name: Create Python virtual environment | ||
run: | | ||
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | ||
make python-virtual-environment | ||
- name: Run Python unit tests | ||
run: | | ||
export PYTEST_ARGS=' --cov-branch --cov=ambassador --cov-report html:/tmp/cov_html ' | ||
make pytest-unit-tests | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
check-chart: | ||
runs-on: ubuntu-latest | ||
env: | ||
DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }} | ||
# See pkg/kubeapply/resource_kubeapply.go | ||
DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }} | ||
DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
steps: | ||
- uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: make test-chart | ||
run: | | ||
make ci/setup-k3d | ||
export DEV_KUBECONFIG=~/.kube/config | ||
make test-chart | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
build: ####################################################################### | ||
runs-on: ubuntu-latest | ||
env: | ||
DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }} | ||
outputs: | ||
image-tag: ${{ steps.build-image.outputs.image-tag }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
- name: Install Deps | ||
uses: ./.github/actions/setup-deps | ||
- name: "Docker Login" | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | ||
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | ||
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | ||
- name: "make push" | ||
shell: bash | ||
run: | | ||
make push | ||
- name: "capture image tag" | ||
id: build-image | ||
shell: bash | ||
run: | | ||
echo "image-tag=$(build-aux/version.sh)" >> $GITHUB_OUTPUT | ||
- name: "make push-dev" | ||
shell: bash | ||
run: | | ||
make push-dev | ||
- uses: ./.github/actions/after-job | ||
if: always() | ||
###################################################################### | ||
######################### CVE Scanning ############################### | ||
trivy-container-scan: | ||
runs-on: ubuntu-latest | ||
needs: [build] | ||
steps: | ||
# upload of results to github uses git so checkout of code is needed | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
- name: "Log image-tag" | ||
shell: bash | ||
run: echo ${{needs.build.outputs.image-tag}} | ||
- name: Scan | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: "${{secrets.DEV_REGISTRY}}/emissary:${{needs.build.outputs.image-tag}}" | ||
format: "sarif" | ||
exit-code: 0 # only warn for now until we have backed it into our processes | ||
output: "trivy-results.sarif" | ||
ignore-unfixed: true | ||
vuln-type: "os,library" | ||
severity: "CRITICAL,HIGH" | ||
- name: Upload Scan to GitHub Security Tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: "trivy-results.sarif" | ||
############################################################################## | ||
pass: | ||
name: "job-promote-to-passed" # This is the job name that the branch protection looks for | ||
needs: | ||
- apiext-e2e | ||
- lint | ||
- build | ||
- generate | ||
- check-envoy-protos | ||
- check-envoy-version | ||
- check-gotest | ||
- check-pytest | ||
- check-pytest-unit | ||
- check-chart | ||
- trivy-container-scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: No-Op | ||
if: ${{ false }} | ||
run: "echo Pass" |