docs update #190
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "1. Create app" | |
| on: | |
| push: | |
| branches: [dev,feature/*] | |
| tags: | |
| - '**' | |
| paths: | |
| - "go/src/app/**.go" | |
| - Dockerfile | |
| - ".github/workflows/*" | |
| # Avoid duplicate running | |
| # pull_request: | |
| # branches: [main] | |
| workflow_dispatch: | |
| env: | |
| GO_VERSION: 1.22.5 | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_SHA: ${{ github.sha }} | |
| jobs: | |
| build-app: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Log in to the Container registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Will create and boot a builder that can be used in the build-push action. | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=sha,format=long | |
| # Run the build and outputs a test coverage file | |
| - name: Build and push Docker image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| target: test-coverage | |
| outputs: | | |
| type=local,dest=. | |
| - uses: codecov/codecov-action@v3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: ./coverage.out | |
| fail_ci_if_error: true # optional (default = false) | |
| verbose: true # optional (default = false) | |
| # Any file mutation in the steps that precede the build step will be ignored, | |
| # since the context is based on the Git reference. Use the Path context to remove this restriction. | |
| # https://github.com/marketplace/actions/build-and-push-docker-images#git-context | |
| - name: Build and push Docker image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| image-scan: | |
| runs-on: ubuntu-latest | |
| needs: ['build-app'] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Security scanner | |
| # https://github.com/aquasecurity/trivy-action | |
| - name: Run container image vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| # image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}' | |
| format: 'table' | |
| ignore-unfixed: true | |
| vuln-type: 'os' | |
| severity: 'CRITICAL,HIGH' | |
| timeout: 5m | |
| output: 'trivy-results.sarif' | |
| # Pages https://github.com/tuxerrante/kapparmor/settings/pages | |
| # https://helm.sh/docs/topics/chart_repository/#github-pages-example | |
| # https://helm.sh/docs/howto/chart_releaser_action/ | |
| release-chart: | |
| needs: ['build-app'] | |
| if: github.event_name == 'pull_request' || startsWith(github.event.ref, 'refs/tags/v') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - name: Install Helm | |
| uses: azure/setup-helm@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| check-latest: true | |
| - name: Set up chart-testing | |
| uses: helm/[email protected] | |
| - name: Run chart-testing (list-changed) | |
| id: list-changed | |
| run: | | |
| changed=$(ct list-changed --config ct.yaml --target-branch ${{ github.event.repository.default_branch }}) | |
| if [[ -n "$changed" ]]; then | |
| echo "::set-output name=changed::true" | |
| fi | |
| - name: Run chart-testing (lint) | |
| run: ct lint --config ct.yaml --target-branch ${{ github.event.repository.default_branch }} | |
| - name: Create kind cluster | |
| uses: helm/[email protected] | |
| if: steps.list-changed.outputs.changed == 'true' | |
| - name: Run chart-testing (install) | |
| run: ct install --config ct.yaml --print-config --target-branch ${{ github.event.repository.default_branch }} --debug | |
| - name: Replace GITHUB_SHA in values.yaml file | |
| run: | | |
| sed -i "s/GITHUB_SHA/$GITHUB_SHA/" charts/kapparmor/values.yaml | |
| cat charts/kapparmor/values.yaml | |
| - name: Run chart-releaser | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ env.GITHUB_TOKEN }}" | |
| with: | |
| config: cr.yaml |