-
Notifications
You must be signed in to change notification settings - Fork 51
151 lines (136 loc) · 4.92 KB
/
publish-gh-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Create, Scan and Publish KAITO image
on:
workflow_dispatch:
inputs:
release_version:
description: 'tag to be created for this image (i.e. vxx.xx.xx)'
required: true
pull_request:
types: [ closed ]
permissions:
id-token: write
contents: write
packages: write
env:
GO_VERSION: '1.20'
IMAGE_NAME: 'workspace'
REGISTRY: ghcr.io
jobs:
check-tag:
if: >-
github.event_name == 'workflow_dispatch' ||
(
github.event_name == 'pull_request' &&
github.event.pull_request.merged == true &&
contains(github.event.pull_request.title, 'update manifest and helm charts')
)
runs-on: ubuntu-latest
environment: preset-env
outputs:
tag: ${{ steps.get-tag.outputs.tag }}
steps:
- name: validate version
if: github.event_name == 'workflow_dispatch'
run: |
echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$'
- id: get-tag
name: Get tag
run: |
if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT
else
echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT
fi
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- id: check-tag
name: Check for Tag
run: |
TAG="${{ steps.get-tag.outputs.tag }}"
if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT
else
echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT
fi
- name: 'Create tag'
if: steps.check-tag.outputs.create_tag == 'true'
uses: actions/github-script@v7
with:
script: |
github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}',
sha: context.sha
})
build-scan-publish-gh-images:
runs-on: ubuntu-latest
needs: [ check-tag ]
environment: preset-env
steps:
- id: get-registry
run: |
# registry must be in lowercase
echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT
- id: get-tag
name: Get tag
run: |
echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: true
fetch-depth: 0
ref: ${{ needs.check-tag.outputs.tag }}
- name: Login to ${{ steps.get-registry.outputs.registry_repository }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build image
run: |
OUTPUT_TYPE=type=registry make docker-build-kaito
env:
VERSION: ${{ needs.check-tag.outputs.tag }}
REGISTRY: ${{ steps.get-registry.outputs.registry_repository }}
- name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
timeout: '5m0s'
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
run-e2e-gh-image:
needs: [ check-tag, build-scan-publish-gh-images ]
uses: ./.github/workflows/e2e-workflow.yml
with:
git_sha: ${{ github.sha }}
isRelease: true
registry: ${{ needs.get-registry.outputs.registry_repository }}
tag: ${{ needs.check-tag.outputs.tag }}
secrets:
E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }}
E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }}
E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }}
publish-mcr-image:
runs-on: ubuntu-latest
environment: preset-env
needs: [ check-tag, run-e2e-gh-image ]
steps:
- name: 'Dispatch release tag'
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
event-type: publish-mcr-image
client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}'