Showing
1 changed file
with
118 additions
and
9 deletions.
@@ -1,16 +1,125 @@ | ||
name: Trivy | ||
|
||
--- | ||
name: Build release | ||
on: | ||
push: | ||
workflow_dispatch: | ||
inputs: | ||
artifact-tag: | ||
description: "The tag associated with the artifact to deploy (eg. v1.2.3)." | ||
type: string | ||
required: true | ||
# This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run | ||
workflow-tag: | ||
description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID." | ||
type: string | ||
required: false | ||
pull_request: | ||
branches: | ||
- master | ||
pull_request: | ||
workflow_dispatch: | ||
|
||
env: | ||
ARTIFACT_TAG: ${{ inputs.artifact-tag }} | ||
|
||
concurrency: | ||
group: "Limit to one build at a time for artifact tag ${{ inputs.artifact-tag }}" | ||
cancel-in-progress: true | ||
|
||
# TODO add telemetry step and determine appropriately sized runner for each job | ||
jobs: | ||
trivy: | ||
uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main | ||
setup: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
buildbox-image: ${{ steps.buildbox.outputs.buildbox-image }} | ||
steps: | ||
- name: FAIL INTENTIONALLY | ||
run: exit 1 | ||
- name: Validate artifact tag | ||
env: | ||
SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ | ||
run: | | ||
(echo "$ARTIFACT_TAG" | grep -qE "$SEMVER_REGEX") || (echo "The artifact tag $ARTIFACT_TAG is not a valid semver-coerced value"; exit 1) | ||
- name: Determine buildbox image to use | ||
id: buildbox | ||
run: | | ||
ARTIFACT_MAJOR_VERSION="$(echo "${VERSION#v}" | cut -d'.' -f1)" | ||
echo "buildbox-image=ghcr.io/gravitational/teleport-buildbox:teleport$ARTIFACT_MAJOR_VERSION" >> "$GITHUB_OUTPUT" | ||
- name: ${{ inputs.workflow-tag }} | ||
if: inputs.workflow-tag != '' | ||
run: | | ||
# Do nothing | ||
# Each section here could be split out into a separate job, at the cost of slightly increased complexity. | ||
# This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the | ||
# tradeoff. | ||
build-plugins: | ||
needs: | ||
- setup | ||
runs-on: ubuntu-latest | ||
container: | ||
image: ${{ needs.setup.outputs.buildbox-image }} | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
id-token: write | ||
env: | ||
ARTIFACT_DIRECTORY: /tmp/build | ||
steps: | ||
- name: Checkout repo | ||
uses: actions/checkout@v4 | ||
with: | ||
ref: "refs/tags/${{ inputs.artifact-tag }}" | ||
# File artifacts | ||
- name: Create release tarballs | ||
run: | | ||
# Binaries and Helm charts | ||
make -j"$(nproc)" releases helm-package-charts | ||
# Terraform provider and event handler, as appropriate | ||
go install github.com/konoui/lipo@latest # At some point this should be merged into the buildbox | ||
make -j"$(nproc)" OS=linux ARCH=amd64 release/terraform release/event-handler | ||
make -j"$(nproc)" OS=linux ARCH=arm64 release/terraform | ||
make -j"$(nproc)" OS=darwin ARCH=amd64 release/terraform release/event-handler | ||
make -j"$(nproc)" OS=darwin ARCH=arm64 release/terraform | ||
make -j"$(nproc)" OS=darwin ARCH=universal release/terraform | ||
- name: Collect built binaries | ||
run: | | ||
mkdir -pv "$ARTIFACT_DIRECTORY" | ||
cp $(find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f) "$ARTIFACT_DIRECTORY/ | ||
- name: Generate checksum files for built tarballs | ||
working-directory: ${{ env.ARTIFACT_DIRECTORY }} | ||
run: | | ||
find . -name '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f -exec sh -c 'sha256sum "$(basename {})" > "{}.sha256"' \; | ||
ls -l | ||
- name: Assume AWS role for uploading the artifacts | ||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | ||
with: | ||
role-skip-session-tagging: true | ||
aws-region: us-west-2 | ||
role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }} | ||
role-session-name: "artifact-upload-${{ github.run_number }}" | ||
role-duration-seconds: 900 | ||
- name: Upload to S3 | ||
working-directory: ${{ env.ARTIFACT_DIRECTORY }} | ||
env: | ||
ARTIFACT_BUCKET: ${{ vars.ARTIFACT_SOURCE_BUCKET }} | ||
run: aws s3 cp . "s3://$ARTIFACT_BUCKET/teleport-plugins/tag/$ARTIFACT_TAG/" --recursive | ||
# Container artifacts | ||
- name: Assume AWS role for pushing the container images | ||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | ||
with: | ||
role-skip-session-tagging: true | ||
aws-region: us-west-2 | ||
role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }} | ||
role-session-name: "container-image-upload-${{ github.run_number }}" | ||
role-duration-seconds: 900 | ||
- name: Authenticate with ECR | ||
env: | ||
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} | ||
run: | | ||
aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY" | ||
- name: Build and push the container images | ||
env: | ||
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} | ||
run: | | ||
# Access plugins | ||
make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-access-all | ||
# Event handler | ||
make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-event-handler |
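Review bot: The `Validate artifact tag` step cannot work as written: `SEMVER_REGEX` uses PCRE-only syntax (`\d`, `(?:...)`) but is evaluated with `grep -qE`, and GNU grep's ERE rejects `(?:` as an invalid expression, so every tag is refused — it fails closed, which is what keeps the later `s3://$ARTIFACT_BUCKET/teleport-plugins/tag/$ARTIFACT_TAG/` prefix from being shaped by an unvalidated input, but only by accident; use `grep -qP "$SEMVER_REGEX"` or rewrite the pattern with `[0-9]` and plain groups. The following step reads `${VERSION#v}`, which is never set anywhere in this file — it should be `${ARTIFACT_TAG#v}`, otherwise `buildbox-image` resolves to the versionless `ghcr.io/gravitational/teleport-buildbox:teleport`. In the job that assumes the artifact-upload and ECR roles, `go install github.com/konoui/lipo@latest` pulls an unpinned, floating dependency into the release build; pin it to a specific version (e.g. `@vX.Y.Z`) or bake it into the buildbox as the inline comment already suggests, and consider pinning `actions/checkout@v4` to a commit SHA the way the `aws-actions/configure-aws-credentials` steps already are. Because `build-plugins` has `id-token: write` and publishes to S3 and ECR, gate it explicitly with `if: github.event_name == 'workflow_dispatch'` rather than relying on the validation step failing when `inputs.artifact-tag` is empty on the `push`/`pull_request` triggers, and drop the unused `security-events: write` permission. The `Collect built binaries` step also has an unterminated quote (`"$ARTIFACT_DIRECTORY/`) and the checksum step's `find . -name '(' ... ')'` is not a valid expression; `find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f -exec cp -v {} "$ARTIFACT_DIRECTORY/" \;` and `-exec sh -c 'sha256sum "$(basename "$1")" > "$1.sha256"' sh {} \;` avoid both the syntax errors and the filename-into-shell substitution.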