-
Notifications
You must be signed in to change notification settings - Fork 1
198 lines (190 loc) Β· 6.09 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
name: release
on:
push:
tags:
- v[0-9]+.[0-9]+.[0-9]+
env:
DOCKER_REPO: ww24/calendar-notifier
GAR_REPOSITORY: ww24
IMAGE_NAME: calendar-notifier
GCP_LOCATION: asia-northeast1
TERRAFORM_VERSION: 0.14.3
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.16"
- name: golangci-lint
uses: golangci/golangci-lint-action@v3
with:
version: v1.45
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- uses: actions/setup-go@v3
with:
go-version: "~1.16"
- name: go generate
run: make generate
- name: Check uncommitted changes
run: |
if [ -n "$(git status --porcelain)" ]; then
echo "uncommitted changes"
git status
exit 1
fi
- name: Test
run: make test
docker_build:
name: Build docker image
outputs:
image_tag: ${{ steps.tag.outputs.image_tag }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Shellcheck
env:
SHELLCHECK_OPTS: -e SC2187
run: find . -name "*.sh" | xargs shellcheck
- name: Lint
run: |
docker run -v $(pwd):/working --rm hadolint/hadolint \
hadolint /working/Dockerfile \
--ignore DL3018
- name: Setup docker buildx
uses: docker/setup-buildx-action@v1
- name: Build docker image
uses: docker/build-push-action@v3
with:
context: .
push: false
outputs: type=docker
tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
exit-code: "1"
severity: CRITICAL,HIGH
format: template
template: "@/contrib/sarif.tpl"
output: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
- name: Output image tag
id: tag
run: |
tag=$(echo "${GITHUB_REF}" | sed "s/^refs\/tags\/v//")
if [ -z "$tag" ]; then
exit 1
fi
echo "::set-output name=image_tag::$tag"
docker_push:
needs: [lint, test, docker_build]
name: Build and push docker image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Setup docker buildx
uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push docker image (docker.io, ghcr.io)
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ needs.docker_build.outputs.image_tag }}
${{ env.DOCKER_REPO }}:${{ needs.docker_build.outputs.image_tag }}
docker_push_gar:
needs: [lint, test, docker_build]
name: Build and push docker image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Setup docker buildx
uses: docker/setup-buildx-action@v1
- name: Login to Google Artifact Registry
uses: docker/login-action@v2
with:
registry: ${{ env.GCP_LOCATION }}-docker.pkg.dev
username: _json_key
password: ${{ secrets.GCP_SA_KEY }}
- name: Build and push docker image (${{ env.GCP_LOCATION }}-docker.pkg.dev)
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
push: true
tags: |
${{ env.GCP_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.docker_build.outputs.image_tag }}
release:
name: Release
needs: [docker_build, docker_push_gar]
defaults:
run:
working-directory: terraform
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Set image_tag
run: |
echo 'image_tag = "${{ needs.docker_build.outputs.image_tag }}"' \
>> release.auto.tfvars
- name: Init
run: terraform init
- name: Validate
run: terraform validate -no-color
- name: Apply
run: terraform apply -no-color