
test
fheinecke committed Jan 18, 2024
1 parent 53f27a2 commit 20bc867
Showing 1 changed file with 118 additions and 9 deletions.
127 changes: 118 additions & 9 deletions .github/workflows/trivy.yaml
@@ -1,16 +1,125 @@
name: Trivy

---
name: Build release
on:
push:
workflow_dispatch:
inputs:
artifact-tag:
description: "The tag associated with the artifact to deploy (eg. v1.2.3)."
type: string
required: true
# This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run
workflow-tag:
description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID."
type: string
required: false
pull_request:
branches:
- master
pull_request:
workflow_dispatch:

env:
ARTIFACT_TAG: ${{ inputs.artifact-tag }}

concurrency:
group: "Limit to one build at a time for artifact tag ${{ inputs.artifact-tag }}"
cancel-in-progress: true

# TODO add telemetry step and determine appropriately sized runner for each job
jobs:
trivy:
uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main
setup:
runs-on: ubuntu-latest
outputs:
buildbox-image: ${{ steps.buildbox.outputs.buildbox-image }}
steps:
- name: FAIL INTENTIONALLY
run: exit 1
- name: Validate artifact tag
env:
SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
run: |
(echo "$ARTIFACT_TAG" | grep -qE "$SEMVER_REGEX") || (echo "The artifact tag $ARTIFACT_TAG is not a valid semver-coerced value"; exit 1)
- name: Determine buildbox image to use
id: buildbox
run: |
ARTIFACT_MAJOR_VERSION="$(echo "${VERSION#v}" | cut -d'.' -f1)"
echo "buildbox-image=ghcr.io/gravitational/teleport-buildbox:teleport$ARTIFACT_MAJOR_VERSION" >> "$GITHUB_OUTPUT"
- name: ${{ inputs.workflow-tag }}
if: inputs.workflow-tag != ''
run: |
# Do nothing
# Each section here could be split out into a separate job, at the cost of slightly increased complexity.
# This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the
# tradeoff.
build-plugins:
needs:
- setup
runs-on: ubuntu-latest
container:
image: ${{ needs.setup.outputs.buildbox-image }}
permissions:
actions: read
contents: read
security-events: write
id-token: write
env:
ARTIFACT_DIRECTORY: /tmp/build
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
ref: "refs/tags/${{ inputs.artifact-tag }}"
# File artifacts
- name: Create release tarballs
run: |
# Binaries and Helm charts
make -j"$(nproc)" releases helm-package-charts
# Terraform provider and event handler, as appropriate
go install github.com/konoui/lipo@latest # At some point this should be merged into the buildbox
make -j"$(nproc)" OS=linux ARCH=amd64 release/terraform release/event-handler
make -j"$(nproc)" OS=linux ARCH=arm64 release/terraform
make -j"$(nproc)" OS=darwin ARCH=amd64 release/terraform release/event-handler
make -j"$(nproc)" OS=darwin ARCH=arm64 release/terraform
make -j"$(nproc)" OS=darwin ARCH=universal release/terraform
- name: Collect built binaries
run: |
mkdir -pv "$ARTIFACT_DIRECTORY"
cp $(find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f) "$ARTIFACT_DIRECTORY/
- name: Generate checksum files for built tarballs
working-directory: ${{ env.ARTIFACT_DIRECTORY }}
run: |
find . -name '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f -exec sh -c 'sha256sum "$(basename {})" > "{}.sha256"' \;
ls -l
- name: Assume AWS role for uploading the artifacts
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }}
role-session-name: "artifact-upload-${{ github.run_number }}"
role-duration-seconds: 900
- name: Upload to S3
working-directory: ${{ env.ARTIFACT_DIRECTORY }}
env:
ARTIFACT_BUCKET: ${{ vars.ARTIFACT_SOURCE_BUCKET }}
run: aws s3 cp . "s3://$ARTIFACT_BUCKET/teleport-plugins/tag/$ARTIFACT_TAG/" --recursive
# Container artifacts
- name: Assume AWS role for pushing the container images
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }}
role-session-name: "container-image-upload-${{ github.run_number }}"
role-duration-seconds: 900
- name: Authenticate with ECR
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
run: |
aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY"
- name: Build and push the container images
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
run: |
# Access plugins
make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-access-all
# Event handler
make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-event-handler
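Review bot: The `Determine buildbox image to use` step in `setup` expands `${VERSION#v}`, but no `VERSION` variable is defined anywhere in the workflow (the tag is exported as `ARTIFACT_TAG` at the top), so the major version is empty and the output collapses to `ghcr.io/gravitational/teleport-buildbox:teleport`; the line should be `ARTIFACT_MAJOR_VERSION="$(echo "${ARTIFACT_TAG#v}" | cut -d'.' -f1)"`. Two shell lines in `build-plugins` also look broken as written: the `cp` in `Collect built binaries` never closes its final double quote (it should end `"$ARTIFACT_DIRECTORY/"`), and the `find` in `Generate checksum files for built tarballs` has a stray `-name` before `'('`, which turns the grouping parenthesis into a name pattern, so the intended line is `find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f -exec sh -c 'sha256sum "$(basename {})" > "{}.sha256"' \;`. From a supply-chain standpoint, `go install github.com/konoui/lipo@latest` fetches an unpinned module at build time inside a release job that later holds AWS credentials, and `actions/checkout@v4` is tag-pinned while the `aws-actions/configure-aws-credentials` steps are SHA-pinned; pinning lipo to a fixed version (or baking it into the buildbox as the inline comment already suggests) and SHA-pinning checkout would keep the release build reproducible. The duplicated `pull_request:`/`workflow_dispatch:` entries under `on:` and the `trivy:` job near the top appear to be old-side lines of this rendered diff rather than new content; if any of them survive in the new file, the duplicate keys would be silently last-wins in most YAML parsers. The `build-plugins` job also requests `security-events: write`, which nothing in its steps appears to use and which may be a leftover from the Trivy workflow this file replaced — confirm and drop it if so.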
