Skip to content

build(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 #7109

build(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2

build(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 #7109

Workflow file for this run

name: build
on:
push:
branches:
- main
release:
types: [published]
pull_request:
env:
GO_VERSION: '1.23'
NIX_VERSION: '2.18.1'
BOM_VERSION: v0.5.1
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
macos:
runs-on: macos-12
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GO_VERSION }}
- run: make test-unit
- run: make verify-go-lint
nix:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
with:
install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
name: security-profiles-operator
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
pushFilter: security-profiles-operator
- run: make nix
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: build
path: build.tar.gz
nix-spoc:
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
runs-on: ubuntu-22.04
permissions:
contents: write # required for updating the release
id-token: write # required for sigstore signing
steps:
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
with:
install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
name: security-profiles-operator
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
pushFilter: security-profiles-operator
- run: |
sudo curl -sSfL --retry 5 --retry-delay 3 -o /usr/bin/bom \
https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux
sudo chmod +x /usr/bin/bom
- run: make nix-spoc
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: spoc
path: |
build/*
- uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/*
bpf:
runs-on: ubuntu-22.04
steps:
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
with:
install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
name: security-profiles-operator
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
pushFilter: security-profiles-operator
- run: make verify-bpf
build-image:
runs-on: ubuntu-22.04
steps:
- name: Remove unnecessary files
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to Quay
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io/security-profiles-operator
username: security-profiles-operator+github
password: ${{ secrets.QUAY_TOKEN }}
if: github.ref == 'refs/heads/main'
- name: Image metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
quay.io/security-profiles-operator/build
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=sha,format=long
- name: Build (and push if needed)
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: .
file: Dockerfile.build-image
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: ${{ github.ref == 'refs/heads/main' }}
# Only load on PR builds
load: ${{ github.ref != 'refs/heads/main' }}
- name: Run container image vulnerability scanner
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
timeout: 30m
operator-image:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to Quay
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io/security-profiles-operator
username: security-profiles-operator+github
password: ${{ secrets.QUAY_TOKEN }}
if: github.ref == 'refs/heads/main'
- name: Image metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
quay.io/security-profiles-operator/spo
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=sha,format=long
- name: Build
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: .
file: Dockerfile
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
load: true
- name: Run container image vulnerability scanner
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ubi-image:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to Quay
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io/security-profiles-operator
username: security-profiles-operator+github
password: ${{ secrets.QUAY_TOKEN }}
if: github.ref == 'refs/heads/main'
- name: Image metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
quay.io/security-profiles-operator/build
flavor: |
suffix=-ubi
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=sha,format=long
# TODO(jaosorior): Push UBI image too
- name: Build
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: .
file: Dockerfile.ubi
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
load: true
- name: Run container image vulnerability scanner
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'