chore(ci): workflow security audit
sumimakito committed Jan 9, 2025
1 parent 224c829 commit 9179dc5
Showing 9 changed files with 57 additions and 228 deletions.
6 changes: 1 addition & 5 deletions .github/actions/select-gateway-image/action.yml
Expand Up @@ -4,9 +4,6 @@ description:
inputs:
current-image:
description: If this optional input is not empty, the action will select the provided image.
enterprise:
description: Whether or not to use enterprise Gateway images.
default: 'false' # a string instead of a boolean

outputs:
image:
Expand All @@ -19,8 +16,7 @@ runs:
id: select-image
shell: bash
env:
DEFAULT_GATEWAY_IMAGE: |-
${{ format('{0}', inputs.enterprise) == 'true' && 'kong/kong-gateway-internal:nightly-ubuntu' || 'kong/kong:master-ubuntu' }}
DEFAULT_GATEWAY_IMAGE: kong/kong:master-ubuntu
run: |
GATEWAY_IMAGE="${{ inputs.current-image }}"
1 change: 0 additions & 1 deletion .github/dependabot.yml
Expand Up @@ -9,7 +9,6 @@ registries:
npm:
type: npm-registry
url: https://registry.npmjs.org
token: ${{secrets.NPM_TOKEN_PRIVATE_READ}}
replaces-base: true

updates:
3 changes: 0 additions & 3 deletions .github/workflows/.reusable_build.yml
Expand Up @@ -5,9 +5,6 @@ name: Install Dependencies, Run Lint & Build
on:
workflow_call:

env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }}

jobs:
lint:
name: Run lint
@@ -1,6 +1,6 @@
# This is a BASE reusable workflow used by other workflows for E2E testing with Gateway CE

name: Run E2E Tests - OSS
name: Run E2E Tests

on:
workflow_call:
Expand All @@ -13,9 +13,9 @@ on:
retries:
type: number
default: 0

env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }}
load-test-image-from-artifact:
type: boolean
default: false

jobs:
e2e-tests:
Expand Down Expand Up @@ -72,15 +72,20 @@ jobs:
pnpm install:e2e
pnpm playwright install chromium
- name: Log in to GitHub Container Registry
timeout-minutes: 1
uses: docker/login-action@v2
- name: Download test image
if: ${{ inputs.load-test-image-from-artifact }}
timeout-minutes: 5
uses: actions/download-artifact@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
name: docker-test-image

- name: Load test image
if: ${{ inputs.load-test-image-from-artifact }}
run: |
gunzip -c docker-test-image.tar.gz | docker load
- name: Select Gateway image
if: ${{ !inputs.load-test-image-from-artifact }}
id: select-gateway-image
uses: ./.github/actions/select-gateway-image
with:
Expand Down Expand Up @@ -114,7 +119,7 @@ jobs:
docker compose -f .ci/docker-compose.yml logs
exit $_compose_exit
- name: Run E2E tests - OSS
- name: Run E2E tests
timeout-minutes: 10
env:
KM_TEST_GUI_URL: ${{ inputs.base-url }}
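Review bot: The image loaded in the new "Load test image" step is never checked against the name the later steps use, so a mismatch between what `docker save` tagged and `inputs.gateway-image` (presumably the input release.yml passes, declared above this hunk) would only surface when compose starts. Because the step leaves `shell` unset, GitHub runs it as `bash -e` without `pipefail`, so a failing `gunzip` is masked whenever `docker load` still exits 0. I would set `shell: bash`, pass the expected name through `env:` instead of interpolating it into the script, and inspect the image right after loading. `actions/download-artifact@v4` is also pinned only to a mutable major tag, whereas the `docker/login-action` step this commit removes from `.reusable_test_image.yml` was pinned to a full commit SHA; keeping that convention fits a security audit.
```yaml
      - name: Load test image
        if: ${{ inputs.load-test-image-from-artifact }}
        shell: bash  # explicit bash enables -eo pipefail
        env:
          GATEWAY_IMAGE: ${{ inputs.gateway-image }}
        run: |
          gunzip -c docker-test-image.tar.gz | docker load
          # fail here, not in compose up, if the archive did not carry the expected tag
          docker image inspect "$GATEWAY_IMAGE" > /dev/null
      # … unchanged: Select Gateway image step …
```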
110 changes: 0 additions & 110 deletions .github/workflows/.reusable_e2e_tests_ee.yml

This file was deleted.

54 changes: 18 additions & 36 deletions .github/workflows/.reusable_test_image.yml
@@ -1,33 +1,26 @@
# This is a reusable workflow

# This workflow builds the test image for testing purposes and pushes it to ghcr.io
# This workflow builds the test image for testing purposes

name: Build and Push Test Image to GHCR
name: Build Test Image

on:
workflow_call:
inputs:
gateway-image:
description: Name of the Gateway image (base) to use
type: string
enterprise:
description: Whether or not to use enterprise Gateway images
type: boolean
default: false
outputs:
image:
description: Name of the Gateway test image being built
value: ${{ jobs.build-and-push-test-image.outputs.image }}
value: ${{ jobs.build-test-image.outputs.image }}

jobs:
build-and-push-test-image:
name: Build and push test image
build-test-image:
name: Build test image
runs-on: ${{ vars.RUNS_ON }}
permissions:
contents: read
packages: write
outputs:
image: ${{ steps.build-and-push.outputs.image }}
image: ${{ steps.build-and-save.outputs.image }}

steps:
- name: Checkout source code
Expand All @@ -47,39 +40,28 @@ jobs:
uses: ./.github/actions/select-gateway-image
with:
current-image: ${{ inputs.gateway-image }}
enterprise: ${{ format('{0}', inputs.enterprise) }} # ensure it is a string

- name: Log in to Docker Hub
if: ${{ format('{0}', inputs.enterprise) == 'true' }}
timeout-minutes: 1
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
username: ${{ secrets.DOCKER_PULL_USER }}
password: ${{ secrets.DOCKER_PULL_PASSWORD }}

- name: Log in to GitHub Container Registry
timeout-minutes: 1
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Pull and inspect base image
timeout-minutes: 5
run: |
docker pull ${{ steps.select-gateway-image.outputs.image }}
docker inspect ${{ steps.select-gateway-image.outputs.image }}
- name: Build and push image
id: build-and-push
- name: Build and save image
id: build-and-save
env:
GATEWAY_IMAGE: ${{ steps.select-gateway-image.outputs.image }}
GATEWAY_TEST_IMAGE: |-
ghcr.io/kong/${{ format('{0}', inputs.enterprise) == 'true' && 'kong-admin-kong-ee' || 'kong-manager' }}:${{ github.sha }}
GATEWAY_TEST_IMAGE: kong/internal-testing-kong-manager:${{ github.sha }} # Image name here is only used for internal testing
run: |
export KONG_MANAGER_BUILD_SHA1=$(cat dist/build.sha1)
docker compose -f .ci/docker-compose.yml build kong-test-image
docker compose -f .ci/docker-compose.yml push kong-test-image
docker save kong-test-image | gzip > docker-test-image.tar.gz
echo "image=$GATEWAY_TEST_IMAGE" >> $GITHUB_OUTPUT
- name: Upload test image
timeout-minutes: 5
uses: actions/upload-artifact@v4
with:
name: docker-test-image
path: ./docker-test-image.tar.gz
if-no-files-found: error # It's meaningless to continue if the image is missing
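Review bot: `packages: write` on the `build-test-image` job is now an unused privilege: the GHCR login and `docker compose … push` steps are gone and the job only builds an image and uploads it as an artifact, so the block should shrink to `permissions:` / `contents: read` (still needed for checkout). Whether `docker save kong-test-image` yields an archive tagged `kong/internal-testing-kong-manager:<sha>` — the name the job reports through `$GITHUB_OUTPUT` and that the e2e workflow presumably expects after `docker load` — depends on how `.ci/docker-compose.yml` names the built image, which is not shown; saving `"$GATEWAY_TEST_IMAGE"` instead would make that explicit. `actions/upload-artifact@v4` is pinned only to a mutable major tag, while the `docker/login-action` step this commit deletes was pinned to a full commit SHA with a version comment; keeping that convention for the remaining third-party actions matches the audit's intent.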
42 changes: 14 additions & 28 deletions .github/workflows/release.yml
Expand Up @@ -7,6 +7,8 @@ on:
tags-ignore:
- nightly

pull_request: # TODO: REMOVE ME BEFORE MERGING

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -17,42 +19,25 @@ jobs:
uses: ./.github/workflows/.reusable_build.yml
secrets: inherit

build-and-push-test-image-oss:
name: Build and Push Test Image to GHCR - OSS
uses: ./.github/workflows/.reusable_test_image.yml
needs: build
secrets: inherit

build-and-push-test-image-ee:
name: Build and Push Test Image to GHCR - EE
build-test-image:
name: Build Test Image
uses: ./.github/workflows/.reusable_test_image.yml
needs: build
secrets: inherit
with:
enterprise: true

e2e-tests-oss:
name: E2E Tests - OSS
needs: build-and-push-test-image-oss
uses: ./.github/workflows/.reusable_e2e_tests_oss.yml
with:
gateway-image: ${{ needs.build-and-push-test-image-oss.outputs.image }}
secrets: inherit

e2e-tests-ee:
name: E2E Tests - EE
needs: build-and-push-test-image-ee
uses: ./.github/workflows/.reusable_e2e_tests_ee.yml
e2e-tests:
name: E2E Tests
needs: build-test-image
uses: ./.github/workflows/.reusable_e2e_tests.yml
with:
gateway-image: ${{ needs.build-and-push-test-image-ee.outputs.image }}
gateway-image: ${{ needs.build-test-image.outputs.image }}
load-test-image-from-artifact: true
secrets: inherit

release:
name: Release
runs-on: ${{ vars.RUNS_ON }}
needs: [e2e-tests-oss, e2e-tests-ee]
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }}
needs: e2e-tests

steps:
- name: Checkout source code
Expand All @@ -78,11 +63,12 @@ jobs:
run: bash .ci/release-non-nightly.sh

- name: Release nightly
if: github.ref == 'refs/heads/main'
if: |
true || github.ref == 'refs/heads/main'
timeout-minutes: 5
env:
GH_TOKEN: ${{ github.token }}
GH_REPOSITORY: ${{ github.repository }}
RELEASE_TAG_NAME: nightly
RELEASE_TAG_NAME: test-nightly # nightly
RELEASE_TARGET: ${{ github.sha }}
run: bash .ci/release-nightly.sh
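Review bot: The debugging hooks added here — `pull_request: # TODO: REMOVE ME BEFORE MERGING`, `true || github.ref == 'refs/heads/main'` and `RELEASE_TAG_NAME: test-nightly` — make the release workflow run on every pull request and unconditionally execute `.ci/release-nightly.sh` with `GH_TOKEN: ${{ github.token }}`, while `secrets: inherit` still hands repository secrets to the reusable build, test-image and e2e workflows. For a same-repository branch that token can write releases, so each PR push would presumably create or overwrite a `test-nightly` release until this is reverted. Before merge, drop the `pull_request:` trigger and restore `if: github.ref == 'refs/heads/main'` and `RELEASE_TAG_NAME: nightly`; if a dry run is wanted, gate it on `workflow_dispatch` with an explicit input rather than on every PR.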
