Skip to content

feat: harden image using apko and wolfi #7151

feat: harden image using apko and wolfi

feat: harden image using apko and wolfi #7151

Workflow file for this run

name: CI
on:
pull_request:
merge_group:
push:
branches:
- main
- release-*
permissions:
contents: read
jobs:
test-unit:
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
# Install Git from "trixie" repository to get a more recent version than
# the one available in "stable". This can be removed once the version in
# "stable" is updated to >= 2.42.0 (which supports `--orphan` for `git
# worktree add`).
- name: Update Git to >= 2.42
run: |
echo "deb http://deb.debian.org/debian trixie main" > /etc/apt/sources.list.d/trixie.list
apt update && apt install -y -t trixie git
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Run unit tests
run: make test-unit
- name: Remove generated code from report
run: |
grep -v .pb.go coverage.txt | grep -v zz_generated | grep -v service.connect.go > coverage.tmp
mv coverage.tmp coverage.txt
- name: Upload coverage reports
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
lint-ui:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Install pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
package_json_file: ui/package.json
- name: Install nodejs
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: "22.8.0"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: Run linter
run: make lint-ui
lint-go:
permissions:
checks: write # Used to create checks (linting comments) on PRs
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Cache golangci-lint
id: cache-golangci-lint
uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: |
hack/bin/golangci-lint
hack/bin/golangci-lint-*
key: ${{ runner.os }}-golangci-lint-${{ hashFiles('hack/tools/go.mod') }}
- name: Install golangci-lint
if: steps.cache-golangci-lint.outputs.cache-hit != 'true'
run: make install-golangci-lint
- name: Configure Git
run: git config --global --add safe.directory '*'
- name: Run linter
env:
GO_LINT_ERROR_FORMAT: github-actions
run: make lint-go
lint-charts:
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Cache helm
id: cache-helm
uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: |
hack/bin/helm
hack/bin/helm-*
key:
${{ runner.os }}-helm-${{ hashFiles('hack/tools/go.mod') }}
- name: Install helm
if: steps.cache-helm.outputs.cache-hit != 'true'
run: make install-helm
- name: Run linter
run: make lint-charts
lint-proto:
permissions:
checks: write # Used to create checks (linting comments) on PRs
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Cache buf
id: cache-buf
uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: |
hack/bin/buf
hack/bin/buf-*
key: ${{ runner.os }}-buf-${{ hashFiles('hack/tools/go.mod') }}
- name: Install buf
if: steps.cache-buf.outputs.cache-hit != 'true'
run: make install-buf
- name: Run linter
env:
BUF_LINT_ERROR_FORMAT: github-actions
run: make lint-proto
check-codegen:
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install tools
run: apt update && apt install unzip
- name: Install pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
package_json_file: ui/package.json
- name: Install nodejs
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: "22.8.0"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: Install nodejs dependencies
run: pnpm install --dev
working-directory: ./ui
- name: Cache Go modules
uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Cache tools
uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: |
hack/bin
hack/include
key: ${{ runner.os }}-tools-${{ hashFiles('hack/tools/go.mod', 'hack/tools.mk') }}
- name: Git stuff
# As of go 1.20, this seems to be necessary for invoking git commands
# within the container
run: git config --global --add safe.directory /__w/kargo/kargo
- name: Run Codegen
run: make codegen
- name: Check nothing has changed
run: git diff --exit-code -- .
build-image:
needs: [test-unit, lint-go, lint-charts, lint-proto, lint-ui, check-codegen]
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
driver-opts: network=host
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Build base image
run: |
BASE_IMAGE=localhost:5000/kargo-base make build-base-image
docker push localhost:5000/kargo-base:latest-arm64
docker push localhost:5000/kargo-base:latest-amd64
- name: Build final image
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
with:
platforms: linux/amd64,linux/arm64
build-args: |
BASE_IMAGE=localhost:5000/kargo-base
push: false
cache-from: type=gha
cache-to: type=gha,mode=max
build-cli:
needs: [test-unit, lint-go, lint-charts, lint-proto, lint-ui, check-codegen]
runs-on: ubuntu-latest
container:
image: golang:1.23.2-bookworm
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build CLI
env:
GOFLAGS: -buildvcs=false
run: make build-cli