-
Notifications
You must be signed in to change notification settings - Fork 51
143 lines (128 loc) · 4.71 KB
/
publish-gh-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: Create, Scan and Publish KAITO image
on:
workflow_dispatch:
inputs:
release_version:
description: 'tag to be created for this image (i.e. vxx.xx.xx)'
required: true
permissions:
id-token: write
contents: write
packages: write
env:
GO_VERSION: '1.22'
IMAGE_NAME: 'workspace'
REGISTRY: ghcr.io
jobs:
check-tag:
runs-on: ubuntu-latest
environment: preset-env
outputs:
tag: ${{ steps.get-tag.outputs.tag }}
steps:
- name: validate version
run: |
echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$'
- id: get-tag
name: Get tag
run: |
echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- id: check-tag
name: Check for Tag
run: |
TAG="${{ steps.get-tag.outputs.tag }}"
if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT
else
echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT
fi
- name: 'Create tag'
if: steps.check-tag.outputs.create_tag == 'true'
uses: actions/github-script@v7
with:
script: |
github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}',
sha: context.sha
})
build-scan-publish-gh-images:
runs-on: ubuntu-latest
needs: [ check-tag ]
environment: preset-env
outputs:
registry_repository: ${{ steps.get-registry.outputs.registry_repository }}
steps:
- id: get-registry
run: |
# registry must be in lowercase
echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT
- id: get-tag
name: Get tag
run: |
echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: true
fetch-depth: 0
ref: ${{ needs.check-tag.outputs.tag }}
- name: Login to ${{ steps.get-registry.outputs.registry_repository }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build image
run: |
OUTPUT_TYPE=type=registry make docker-build-kaito
env:
VERSION: ${{ needs.check-tag.outputs.tag }}
REGISTRY: ${{ steps.get-registry.outputs.registry_repository }}
- name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
timeout: '5m0s'
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
run-e2e-gh-image:
needs: [ check-tag, build-scan-publish-gh-images ]
uses: ./.github/workflows/e2e-workflow.yml
with:
git_sha: ${{ github.sha }}
isRelease: true
registry: ${{ needs.build-scan-publish-gh-images.outputs.registry_repository }}
k8s_version: ${{ vars.AKS_K8S_VERSION }}
tag: ${{ needs.check-tag.outputs.tag }}
secrets:
E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }}
E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }}
E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }}
publish-mcr-image:
runs-on: ubuntu-latest
needs: [ check-tag, run-e2e-gh-image ]
steps:
- name: 'Dispatch release tag'
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
event-type: publish-mcr-image
client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}'