diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index f86d23864..8e37dd620 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -1,16 +1,125 @@ -name: Trivy - +--- +name: Build release on: - push: + workflow_dispatch: + inputs: + artifact-tag: + description: "The tag associated with the artifact to deploy (eg. v1.2.3)." + type: string + required: true + # This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run + workflow-tag: + description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID." + type: string + required: false + pull_request: branches: - master - pull_request: - workflow_dispatch: +env: + ARTIFACT_TAG: ${{ inputs.artifact-tag }} + +concurrency: + group: "Limit to one build at a time for artifact tag ${{ inputs.artifact-tag }}" + cancel-in-progress: true + +# TODO add telemetry step and determine appropriately sized runner for each job jobs: - trivy: - uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main + setup: + runs-on: ubuntu-latest + outputs: + buildbox-image: ${{ steps.buildbox.outputs.buildbox-image }} + steps: + - name: FAIL INTENTIONALLY + run: exit 1 + - name: Validate artifact tag + env: + SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + run: | + (echo "$ARTIFACT_TAG" | grep -qE "$SEMVER_REGEX") || (echo "The artifact tag $ARTIFACT_TAG is not a valid semver-coerced value"; exit 1) + - name: Determine buildbox image to use + id: buildbox + run: | + ARTIFACT_MAJOR_VERSION="$(echo "${VERSION#v}" | cut -d'.' -f1)" + echo "buildbox-image=ghcr.io/gravitational/teleport-buildbox:teleport$ARTIFACT_MAJOR_VERSION" >> "$GITHUB_OUTPUT" + - name: ${{ inputs.workflow-tag }} + if: inputs.workflow-tag != '' + run: | + # Do nothing + # Each section here could be split out into a separate job, at the cost of slightly increased complexity. 
+ # This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the + # tradeoff. + build-plugins: + needs: + - setup + runs-on: ubuntu-latest + container: + image: ${{ needs.setup.outputs.buildbox-image }} permissions: - actions: read contents: read - security-events: write + id-token: write + env: + ARTIFACT_DIRECTORY: /tmp/build + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: "refs/tags/${{ inputs.artifact-tag }}" + # File artifacts + - name: Create release tarballs + run: | + # Binaries and Helm charts + make -j"$(nproc)" releases helm-package-charts + + # Terraform provider and event handler, as appropriate + go install github.com/konoui/lipo@latest # At some point this should be merged into the buildbox + make -j"$(nproc)" OS=linux ARCH=amd64 release/terraform release/event-handler + make -j"$(nproc)" OS=linux ARCH=arm64 release/terraform + make -j"$(nproc)" OS=darwin ARCH=amd64 release/terraform release/event-handler + make -j"$(nproc)" OS=darwin ARCH=arm64 release/terraform + make -j"$(nproc)" OS=darwin ARCH=universal release/terraform + - name: Collect built binaries + run: | + mkdir -pv "$ARTIFACT_DIRECTORY" + cp $(find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f) "$ARTIFACT_DIRECTORY/ + - name: Generate checksum files for built tarballs + working-directory: ${{ env.ARTIFACT_DIRECTORY }} + run: | + find . 
-name '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f -exec sh -c 'sha256sum "$(basename {})" > "{}.sha256"' \; + ls -l + - name: Assume AWS role for uploading the artifacts + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + with: + role-skip-session-tagging: true + aws-region: us-west-2 + role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }} + role-session-name: "artifact-upload-${{ github.run_number }}" + role-duration-seconds: 900 + - name: Upload to S3 + working-directory: ${{ env.ARTIFACT_DIRECTORY }} + env: + ARTIFACT_BUCKET: ${{ vars.ARTIFACT_SOURCE_BUCKET }} + run: aws s3 cp . "s3://$ARTIFACT_BUCKET/teleport-plugins/tag/$ARTIFACT_TAG/" --recursive + # Container artifacts + - name: Assume AWS role for pushing the container images + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + with: + role-skip-session-tagging: true + aws-region: us-west-2 + role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }} + role-session-name: "container-image-upload-${{ github.run_number }}" + role-duration-seconds: 900 + - name: Authenticate with ECR + env: + CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} + run: | + aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY" + - name: Build and push the container images + env: + CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} + run: | + # Access plugins + make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-access-all + + # Event handler + make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" docker-push-event-handler
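Review bot: The "Validate artifact tag" step in `setup` can never pass: `SEMVER_REGEX` is written in PCRE syntax (`(?:` non-capturing groups, `\d`), which `grep -E` does not accept — GNU grep reports an invalid expression for `(?` — so the `||` branch fires and the job fails for every tag, valid or not. The following step then reads `${VERSION#v}`, but the only variable the workflow exports is `ARTIFACT_TAG`, so with `VERSION` unset the output degrades to the floating reference `teleport-buildbox:teleport` instead of a major-version-specific buildbox. Suggested lines: `(echo "$ARTIFACT_TAG" | grep -qP "$SEMVER_REGEX") || …` and `ARTIFACT_MAJOR_VERSION="$(echo "${ARTIFACT_TAG#v}" | cut -d'.' -f1)"`. The `FAIL INTENTIONALLY` step above both looks like a debugging leftover; the checksum step's `find . -name '(' -name "*.tar.gz" …` treats `(` as a filename pattern and leaves an unmatched `)`, so it should read `find . '(' -name "*.tar.gz" -o -name "*.tgz" ')' -type f …`; and the collect step's `"$ARTIFACT_DIRECTORY/` appears to lack its closing quote (possibly a rendering artefact). From a supply-chain standpoint, `go install github.com/konoui/lipo@latest` and `actions/checkout@v4` are unpinned inside a release build while the AWS action is SHA-pinned; pinning lipo to a fixed version and the checkout action to a commit would keep the release inputs reproducible.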