Skip to content

Add VEX file with vulnerabilities information to SBOM #94

Add VEX file with vulnerabilities information to SBOM

Add VEX file with vulnerabilities information to SBOM #94

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release-*
pull_request: {}
workflow_dispatch: {}
env:
# Common versions
GO_VERSION: '1.21'
GOLANGCI_VERSION: 'v1.54'
DOCKER_BUILDX_VERSION: 'v0.4.2'
KIND_VERSION: 'v0.12.0'
HELM_VERSION: 'v3.8.1'
CROSSPLANE_VERSION: 'stable'
KUBECTL_VERSION: 'v1.23.4'
KUBEFWD_VERSION: '1.22.0'
# Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
# a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
CONTRIB_DOCKER_USR: ${{ secrets.CONTRIB_DOCKER_USR }}
XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }}
AWS_USR: ${{ secrets.AWS_USR }}
jobs:
detect-noop:
runs-on: ubuntu-20.04
outputs:
noop: ${{ steps.noop.outputs.should_skip }}
steps:
- name: Detect No-op Changes
id: noop
uses: fkirc/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
paths_ignore: '["**.md", "**.png", "**.jpg"]'
do_not_skip: '["workflow_dispatch", "schedule", "push"]'
lint:
runs-on: ubuntu-20.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v2
with:
submodules: true
- name: Find the Go Build Cache
id: go
run: echo "::set-output name=cache::$(make go.cachedir)"
- name: Cache the Go Build Cache
uses: actions/cache@v2
with:
path: ${{ steps.go.outputs.cache }}
key: ${{ runner.os }}-build-lint-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-lint-
- name: Cache Go Dependencies
uses: actions/cache@v2
with:
path: .work/pkg
key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-
# Go version coming with golangci-lint-action may not be our desired
# go version. We deploy our desired go version and then skip go
# installation in golangci-lint-action in the next step as suggested
# in https://github.com/golangci/golangci-lint-action/issues/183
- uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Vendor Dependencies
run: make vendor vendor.check
# We could run 'make lint' to ensure our desired Go version, but we
# prefer this action because it leaves 'annotations' (i.e. it comments
# on PRs to point out linter violations).
- name: Lint
uses: golangci/golangci-lint-action@v2
with:
version: ${{ env.GOLANGCI_VERSION }}
skip-go-installation: true
args: --timeout 10m0s
check-diff:
runs-on: ubuntu-20.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v2
with:
submodules: true
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Install goimports
run: go install golang.org/x/tools/cmd/goimports
- name: Find the Go Build Cache
id: go
run: echo "::set-output name=cache::$(make go.cachedir)"
- name: Cache the Go Build Cache
uses: actions/cache@v2
with:
path: ${{ steps.go.outputs.cache }}
key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-check-diff-
- name: Cache Go Dependencies
uses: actions/cache@v2
with:
path: .work/pkg
key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-
- name: Vendor Dependencies
run: make vendor vendor.check
- name: Check Diff
run: make check-diff
unit-tests:
runs-on: ubuntu-20.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Checkout
uses: actions/checkout@v2
with:
submodules: true
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Find the Go Build Cache
id: go
run: echo "::set-output name=cache::$(make go.cachedir)"
- name: Cache the Go Build Cache
uses: actions/cache@v2
with:
path: ${{ steps.go.outputs.cache }}
key: ${{ runner.os }}-build-unit-tests-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-unit-tests-
- name: Cache Go Dependencies
uses: actions/cache@v2
with:
path: .work/pkg
key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-
- name: Vendor Dependencies
run: make vendor vendor.check
- name: Set up Kind Cluster
uses: helm/[email protected]
with:
version: ${{ env.KIND_VERSION }}
cluster_name: 'kafka'
- name: Install Crossplane
run: |
kubectl create ns crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane
- name: Install Provider-Kafka CRDs
run: kubectl apply -f package/crds
- name: Install Kafka
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
kubectl create ns kafka-cluster
helm upgrade --install kafka-dev -n kafka-cluster bitnami/kafka \
--version 20.0.5 \
--set auth.clientProtocol=sasl \
--set deleteTopicEnable=true \
--set authorizerClassName="kafka.security.authorizer.AclAuthorizer" \
--wait
- name: Get Kafka Client Password
id: kafka
run: echo "::set-output name=password::$(kubectl get secret kafka-dev-jaas --namespace kafka-cluster -o jsonpath='{.data.client-passwords}' | base64 --decode | cut -d , -f 1)"
- name: Create Kafka Credentials File
env:
KAFKA_PASSWORD: ${{ steps.kafka.outputs.password }}
run: |
echo "{
"brokers": [
"kafka-dev-0.kafka-dev-headless:9092"
],
"sasl": {
"mechanism": "PLAIN",
"username": "user",
"password": "${KAFKA_PASSWORD}"
}
}" > kc.json
- name: Show kc.json file
run: cat kc.json
- name: create Kafka K8s secret
run: kubectl -n kafka-cluster create secret generic kafka-creds --from-file=credentials=kc.json
- name: Test downloading external binary
uses: giantswarm/[email protected]
with:
binary: "kubefwd"
version: "${{ env.KUBEFWD_VERSION }}"
download_url: "https://github.com/txn2/kubefwd/releases/download/${version}/${binary}_Linux_x86_64.tar.gz"
tarball_binary_path: "${binary}"
smoke_test: "${binary} version"
- name: run Kubefwd
run: sudo -E /opt/hostedtoolcache/kubefwd/${{ env.KUBEFWD_VERSION }}/x64/kubefwd svc -n kafka-cluster &
- name: Run Unit Tests
env:
KAFKA_PASSWORD: ${{ steps.kafka.outputs.password }}
run: make -j2 test
- name: Publish Unit Test Coverage
uses: codecov/codecov-action@v1
with:
flags: unittests
file: _output/tests/linux_amd64/coverage.txt
e2e-tests:
runs-on: ubuntu-20.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Setup QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: all
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v1
with:
version: ${{ env.DOCKER_BUILDX_VERSION }}
install: true
- name: Checkout
uses: actions/checkout@v2
with:
submodules: true
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Find the Go Build Cache
id: go
run: echo "::set-output name=cache::$(make go.cachedir)"
- name: Cache the Go Build Cache
uses: actions/cache@v2
with:
path: ${{ steps.go.outputs.cache }}
key: ${{ runner.os }}-build-e2e-tests-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-e2e-tests-
- name: Cache Go Dependencies
uses: actions/cache@v2
with:
path: .work/pkg
key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-pkg-
- name: Vendor Dependencies
run: make vendor vendor.check
- name: Build Helm Chart
run: make -j2 build
env:
# We're using docker buildx, which doesn't actually load the images it
# builds by default. Specifying --load does so.
BUILD_ARGS: "--load"
# - name: Run E2E Tests
# run: make e2e USE_HELM3=true
publish-artifacts:
runs-on: ubuntu-20.04
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true'
steps:
- name: Setup QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: all
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v1
with:
version: ${{ env.DOCKER_BUILDX_VERSION }}
install: true
- name: Checkout
uses: actions/checkout@v2
with:
submodules: true
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Find the Go Build Cache
id: go
run: echo "::set-output name=cache::$(make go.cachedir)"
- name: Cache the Go Build Cache
uses: actions/cache@v2
with:
path: ${{ steps.go.outputs.cache }}
key: ${{ runner.os }}-build-publish-artifacts-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-publish-artifacts-
- name: Cache Go Dependencies
uses: actions/cache@v2
with:
path: .work/pkg
key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-pkg-
- name: Vendor Dependencies
run: make vendor vendor.check
- name: Build Artifacts
run: make -j2 build.all
env:
# We're using docker buildx, which doesn't actually load the images it
# builds by default. Specifying --load does so.
BUILD_ARGS: "--load"
- name: Publish Artifacts to GitHub
uses: actions/upload-artifact@v2
with:
name: output
path: _output/**
- name: Login to Docker
uses: docker/login-action@v1
if: env.CONTRIB_DOCKER_USR != ''
with:
username: ${{ secrets.CONTRIB_DOCKER_USR }}
password: ${{ secrets.CONTRIB_DOCKER_PSW }}
- name: Login to Upbound
uses: docker/login-action@v1
if: env.XPKG_ACCESS_ID != ''
with:
registry: xpkg.upbound.io
username: ${{ secrets.XPKG_ACCESS_ID }}
password: ${{ secrets.XPKG_TOKEN }}
- name: Publish Artifacts to S3 and Docker Hub
run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
if: env.AWS_USR != '' && env.CONTRIB_DOCKER_USR != ''
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Promote Artifacts in S3 and Docker Hub
if: github.ref == 'refs/heads/main' && env.AWS_USR != '' && env.CONTRIB_DOCKER_USR != ''
run: make -j2 promote
env:
BRANCH_NAME: main
CHANNEL: main
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}