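---
# Builds the parca binaries with goreleaser, then (on merges only) builds,
# pushes and signs the container images with podman/cosign.
name: Container

on:
  push:
    branches:
      - main
      - release-*
  pull_request:
    branches:
      - main
      - release-*
  merge_group:
    branches:
      - main

# One in-flight run per workflow and PR number (or ref when there is no PR);
# a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for every job that does not declare its own
# `permissions` block (currently build-binary): read-only checkout. Jobs that
# need more (skip-check, build-and-push-container) widen it explicitly below.
permissions:
  contents: read

env:
  # renovate: datasource=go depName=github.com/goreleaser/goreleaser
  GORELEASER_VERSION: v1.26.2
  # renovate: datasource=npm depName=pnpm versioning=npm
  PNPM_VERSION: '8.15.9'

jobs:
  # Skips the expensive jobs when an identical run already succeeded, or when
  # none of the paths that feed the container build changed.
  skip-check:
    name: Skip check
    continue-on-error: true
    runs-on: ubuntu-latest
    timeout-minutes: 10
    outputs:
      should_skip: ${{ steps.skip-check.outputs.should_skip }}
    permissions:
      # `actions: write` lets the action cancel the redundant run it detects.
      actions: write
      contents: read
    steps:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          do_not_skip: '["schedule", "workflow_dispatch"]'
          # Only changes under these globs can affect the container image.
          paths: |-
            [
              "**.go",
              ".dockerignore",
              ".github/workflows/container.yml",
              ".go-version",
              ".node-version",
              "Dockerfile*",
              "go.mod",
              "go.sum",
              "ui/**"
            ]
          skip_after_successful_duplicate: false

  # Produces the `dist` directory consumed by build-and-push-container.
  # Runs with the workflow-level read-only token.
  build-binary:
    name: Build binary using goreleaser
    needs: skip-check
    runs-on: ubuntu-latest
    timeout-minutes: 45
    if: ${{ needs.skip-check.outputs.should_skip != 'true' }}
    steps:
      # Free disk space on the hosted runner; the goreleaser build is large.
      - name: Remove unnecessary files
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /opt/ghc
          sudo rm -rf "/usr/local/share/boost"
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
      - name: Check out code into the Go module directory
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Full history so that `git describe` in "Set Tag" can see tags.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version-file: .go-version
      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
        with:
          version: ${{ env.PNPM_VERSION }}
      - name: Set up Node.js
        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
        with:
          node-version-file: .node-version
          cache: 'pnpm'
          cache-dependency-path: ui/pnpm-lock.yaml
      # Exported via GITHUB_ENV so the goreleaser step below can read it.
      - name: Set Tag
        run: |
          echo "goreleaser_current_tag=$(git describe --match 'v*' --tags)" >> "$GITHUB_ENV"
      - name: Get branch name
        shell: bash
        run: echo "GITHUB_BRANCH_NAME=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      # `--snapshot` builds without publishing; nothing leaves the runner here.
      - name: Build binaries
        uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
        with:
          distribution: goreleaser
          version: ${{ env.GORELEASER_VERSION }}
          args: build --clean --skip-validate --snapshot --debug --timeout=60m
        env:
          GORELEASER_CURRENT_TAG: "${{ env.goreleaser_current_tag }}"
      - name: Archive generated artifacts
        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
        with:
          name: parca-dist-container
          if-no-files-found: error
          path: |
            dist
            !dist/*.txt

  build-and-push-container:
    name: Container build and push (when merged)
    needs: build-binary
    runs-on: ubuntu-latest
    timeout-minutes: 30
    container:
      # https://github.com/containers/podman/tree/main/contrib/podmanimage
      image: quay.io/containers/podman:v4.9.4
      # NOTE(review): running podman inside the job container needs fuse and
      # an unconfined, privileged container; keep this job limited to the
      # build/push steps so that nothing else runs with these options.
      options: >-
        --device /dev/fuse:rw
        --privileged
        --security-opt label=disable
        --security-opt seccomp=unconfined
    permissions:
      # `id-token: write` is what lets cosign sign keylessly via OIDC.
      id-token: write
      packages: write
      contents: read
    steps:
      - name: Install dependencies
        run: dnf install --assumeyes --repo fedora git make jq
      - name: Check out code into the Go module directory
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # The checkout action is supposed to take care of it, but it is not enough :/
      # GITHUB_WORKSPACE is the same path inside the job container that the
      # checkout wrote to, so the safe.directory entry follows it if it moves.
      - name: Add repository directory to the git global config as a safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: parca-dist-container
          path: dist
      - name: Get branch name
        shell: bash
        run: echo "GITHUB_BRANCH_NAME=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      - name: Build container
        run: make container
      # Fails the job (grep exit status) if no parca image was produced.
      - name: Check images created
        run: podman images | grep 'ghcr.io/parca-dev/parca'
      # Everything below runs only for merges/pushes, never for pull requests,
      # so PR builds never touch the registries or the signing identity.
      - name: Install cosign
        if: ${{ github.event_name != 'pull_request' }}
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
      - name: Install crane
        if: ${{ github.event_name != 'pull_request' }}
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
      - name: Login to registry
        if: ${{ github.event_name != 'pull_request' }}
        # Secrets are handed to the step through its environment instead of
        # being expanded into the script text, so the shell only ever sees
        # ordinary variables and never an expression-interpolated string.
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
          QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
        run: |
          echo "$GHCR_TOKEN" | podman login -u parca-dev --password-stdin ghcr.io
          echo "$QUAY_PASSWORD" | cosign login -u "$QUAY_USERNAME" --password-stdin quay.io
      - name: Push and sign container
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          make push-container
          make sign-container
          make push-signed-quay-container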