-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #27 from bank-vaults/build
Build
- Loading branch information
Showing
29 changed files
with
1,080 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
root = true | ||
|
||
[*] | ||
charset = utf-8 | ||
end_of_line = lf | ||
indent_size = 4 | ||
indent_style = space | ||
insert_final_newline = true | ||
trim_trailing_whitespace = true | ||
|
||
[*.go] | ||
indent_style = tab | ||
|
||
[*.yaml] | ||
indent_size = 2 | ||
|
||
[{Makefile,*.mk}] | ||
indent_style = tab | ||
|
||
[*.nix] | ||
indent_size = 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
if ! has nix_direnv_version || ! nix_direnv_version 2.3.0; then | ||
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.3.0/direnvrc" "sha256-Dmd+j63L84wuzgyjITIfSxSD57Tx7v51DMxVZOsiUD8=" | ||
fi | ||
use flake . --impure |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
[{*.yml,*.yaml}] | ||
indent_size = 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
version: 2 | ||
|
||
updates: | ||
- package-ecosystem: "gomod" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" | ||
|
||
- package-ecosystem: "docker" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" | ||
|
||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
"extends": [ | ||
"schedule:earlyMondays", | ||
":disableDependencyDashboard" | ||
], | ||
"enabledManagers": [ | ||
"nix" | ||
], | ||
"nix": { | ||
"enabled": true | ||
}, | ||
"lockFileMaintenance": { | ||
"enabled": true | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
name: OpenSSF Scorecard | ||
|
||
on: | ||
branch_protection_rule: | ||
push: | ||
branches: [main] | ||
schedule: | ||
- cron: '30 0 * * 5' | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
actions: read | ||
contents: read | ||
id-token: write | ||
security-events: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | ||
with: | ||
persist-credentials: false | ||
|
||
- name: Run analysis | ||
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 | ||
with: | ||
results_file: results.sarif | ||
results_format: sarif | ||
publish_results: true | ||
|
||
- name: Upload results as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: OpenSSF Scorecard results | ||
path: results.sarif | ||
retention-days: 5 | ||
|
||
- name: Upload results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.3.4 | ||
with: | ||
sarif_file: results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,195 @@ | ||
name: Artifacts | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
publish: | ||
description: Publish artifacts to the artifact store | ||
default: false | ||
required: false | ||
type: boolean | ||
release: | ||
description: Whether this is a release build | ||
default: false | ||
required: false | ||
type: boolean | ||
outputs: | ||
container-image-name: | ||
description: Container image name | ||
value: ${{ jobs.container-image.outputs.name }} | ||
container-image-digest: | ||
description: Container image digest | ||
value: ${{ jobs.container-image.outputs.digest }} | ||
container-image-tag: | ||
description: Container image tag | ||
value: ${{ jobs.container-image.outputs.tag }} | ||
container-image-ref: | ||
description: Container image ref | ||
value: ${{ jobs.container-image.outputs.ref }} | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
container-image: | ||
name: Container image | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
security-events: write | ||
|
||
outputs: | ||
name: ${{ steps.image-name.outputs.value }} | ||
digest: ${{ steps.build.outputs.digest }} | ||
tag: ${{ steps.meta.outputs.version }} | ||
ref: ${{ steps.image-ref.outputs.value }} | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 | ||
|
||
- name: Set image name | ||
id: image-name | ||
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Gather build metadata | ||
id: meta | ||
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 | ||
with: | ||
images: ${{ steps.image-name.outputs.value }} | ||
flavor: | | ||
latest = false | ||
tags: | | ||
type=ref,event=branch | ||
type=ref,event=pr,prefix=pr- | ||
type=semver,pattern={{raw}} | ||
type=raw,value=latest,enable={{is_default_branch}} | ||
# Multiple exporters are not supported yet | ||
# See https://github.com/moby/buildkit/pull/2760 | ||
- name: Determine build output | ||
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
id: build-output | ||
with: | ||
cond: ${{ inputs.publish }} | ||
if_true: type=image,push=true | ||
if_false: type=oci,dest=image.tar | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ github.token }} | ||
if: inputs.publish | ||
|
||
- name: Build and push image | ||
id: build | ||
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | ||
with: | ||
context: . | ||
platforms: linux/amd64,linux/arm64,linux/arm/v7 | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
outputs: ${{ steps.build-output.outputs.value }} | ||
# push: ${{ inputs.publish }} | ||
|
||
- name: Set image ref | ||
id: image-ref | ||
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Fetch image | ||
run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar | ||
if: inputs.publish | ||
|
||
- name: Upload image as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: "[${{ github.job }}] OCI tarball" | ||
path: image.tar | ||
|
||
- name: Extract OCI tarball | ||
run: | | ||
mkdir -p image | ||
tar -xf image.tar -C image | ||
# See https://github.com/anchore/syft/issues/1545 | ||
- name: Extract image from multi-arch image | ||
run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy --additional-tag ${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci:image docker-archive:docker.tar | ||
|
||
- name: Upload image as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: "[${{ github.job }}] Docker tarball" | ||
path: docker.tar | ||
|
||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 | ||
with: | ||
input: image | ||
format: sarif | ||
output: trivy-results.sarif | ||
|
||
- name: Upload Trivy scan results as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: "[${{ github.job }}] Trivy scan results" | ||
path: trivy-results.sarif | ||
retention-days: 5 | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 | ||
with: | ||
sarif_file: trivy-results.sarif | ||
|
||
binary: | ||
name: Binary | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | ||
|
||
- name: Set up Nix | ||
uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23 | ||
with: | ||
extra_nix_config: | | ||
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | ||
- name: Prepare Nix shell | ||
run: nix develop --impure .#ci | ||
|
||
- name: Determine build command | ||
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
id: build-command | ||
with: | ||
cond: ${{ inputs.release }} | ||
if_true: goreleaser release | ||
if_false: goreleaser release --skip-publish --snapshot | ||
|
||
- name: Build | ||
run: nix develop --impure .#ci -c ${{ steps.build-command.outputs.value }} | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Upload artifacts | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: "${{ github.job }}" | ||
path: | | ||
build/dist/*.tar.gz | ||
build/dist/checksums.txt |
Oops, something went wrong.