diagd: atomically write the ADS config #3681
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: job-promote-to-passed | |
"on": | |
push: | |
branches: | |
- master | |
- release/v* | |
pull_request: {} | |
workflow_dispatch: | |
jobs: | |
lint: ######################################################################## | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- shell: bash | |
run: | | |
make lint-deps | |
- shell: bash | |
run: | | |
make lint | |
- uses: ./.github/actions/after-job | |
if: always() | |
generate: #################################################################### | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Git Login" | |
run: | | |
if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then | |
install -m700 -d ~/.ssh | |
install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}' | |
fi | |
- name: "Docker Login" | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }} | |
- name: "'make generate'" | |
shell: bash | |
run: | | |
make generate | |
- name: "Update dependency information after dependabot change" | |
uses: datawire/go-mkopensource/actions/[email protected] | |
id: changed-by-dependabot | |
with: | |
branches_to_skip: master | |
- name: "Abort if dependencies changed" | |
if: steps.changed-by-dependabot.outputs.is_dirty == 'true' | |
run: | | |
echo "Dependabot triggered a dependency update. Aborting workflow." | |
exit 1 | |
- uses: ./.github/actions/git-dirty-check | |
name: "Check Git not dirty from 'make generate'" | |
- name: "'make generate' (again!)" | |
shell: bash | |
run: | | |
make generate | |
- uses: ./.github/actions/git-dirty-check | |
name: "Check Git not dirty from 'make generate' (again!)" | |
- uses: ./.github/actions/after-job | |
if: always() | |
check-envoy-version: ######################################################### | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Git Login" | |
run: | | |
if [[ -n '${{ secrets.GHA_SSH_KEY }}' ]]; then | |
install -m700 -d ~/.ssh | |
install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}' | |
fi | |
- name: "Docker Login" | |
# This is important if ENVOY_DOCKER_REPO is a private repo. | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- run: make check-envoy-version | |
- uses: ./.github/actions/after-job | |
if: always() | |
# Tests ###################################################################### | |
check-gotest: | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Docker Login" | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- name: make gotest | |
shell: bash | |
run: | | |
make gotest | |
- uses: ./.github/actions/after-job | |
if: always() | |
check-pytest: | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
# See pkg/kubeapply/resource_kubeapply.go | |
DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }} | |
DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
strategy: | |
fail-fast: false | |
matrix: | |
test: | |
- integration-tests | |
- kat-envoy3-tests-1-of-5 | |
- kat-envoy3-tests-2-of-5 | |
- kat-envoy3-tests-3-of-5 | |
- kat-envoy3-tests-4-of-5 | |
- kat-envoy3-tests-5-of-5 | |
name: pytest-${{ matrix.test }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Docker Login" | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- name: Create integration test cluster | |
run: | | |
sudo sysctl -w fs.file-max=1600000 | |
sudo sysctl -w fs.inotify.max_user_instances=4096 | |
make ci/setup-k3d | |
- name: Setup integration test environment | |
run: | | |
export DEV_KUBE_NO_PVC=yes | |
export KAT_REQ_LIMIT=900 | |
export DEV_KUBECONFIG=~/.kube/config | |
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | |
make python-integration-test-environment | |
- name: Run ${{ matrix.test }} | |
run: | | |
export DEV_KUBE_NO_PVC=yes | |
export KAT_REQ_LIMIT=900 | |
export DEV_KUBECONFIG=~/.kube/config | |
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | |
make pytest-${{ matrix.test }} | |
- uses: ./.github/actions/after-job | |
if: always() | |
with: | |
jobname: check-pytest-${{ matrix.test }} | |
check-pytest-unit: | |
runs-on: ubuntu-latest | |
env: | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
name: pytest-unit | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Docker Login" | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- name: Create Python virtual environment | |
run: | | |
export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }} | |
make python-virtual-environment | |
- name: Run Python unit tests | |
run: | | |
export PYTEST_ARGS=' --cov-branch --cov=ambassador --cov-report html:/tmp/cov_html ' | |
make pytest-unit-tests | |
- uses: ./.github/actions/after-job | |
if: always() | |
check-chart: | |
runs-on: ubuntu-latest | |
env: | |
DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }} | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
# See pkg/kubeapply/resource_kubeapply.go | |
DEV_USE_IMAGEPULLSECRET: ${{ secrets.DEV_USE_IMAGEPULLSECRET }} | |
DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
steps: | |
- uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: make test-chart | |
run: | | |
make ci/setup-k3d | |
export DEV_KUBECONFIG=~/.kube/config | |
make test-chart | |
- uses: ./.github/actions/after-job | |
if: always() | |
build: ####################################################################### | |
runs-on: ubuntu-latest | |
env: | |
DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }} | |
# See docker/base-python.docker.gen | |
BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }} | |
outputs: | |
image-tag: ${{ steps.build-image.outputs.image-tag }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Install Deps | |
uses: ./.github/actions/setup-deps | |
- name: "Docker Login" | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }} | |
username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }} | |
password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }} | |
- name: "make push" | |
shell: bash | |
run: | | |
make push | |
- name: "capture image tag" | |
id: build-image | |
shell: bash | |
run: | | |
echo "image-tag=$(build-aux/version.sh)" >> $GITHUB_OUTPUT | |
- name: "make push-dev" | |
shell: bash | |
run: | | |
make push-dev | |
- uses: ./.github/actions/after-job | |
if: always() | |
###################################################################### | |
######################### CVE Scanning ############################### | |
trivy-container-scan: | |
runs-on: ubuntu-latest | |
needs: [build] | |
steps: | |
# upload of results to github uses git so checkout of code is needed | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: "Log image-tag" | |
shell: bash | |
run: echo ${{needs.build.outputs.image-tag}} | |
- name: Scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.DEV_REGISTRY}}/emissary:${{needs.build.outputs.image-tag}}" | |
format: "sarif" | |
exit-code: 0 # only warn for now until we have backed it into our processes | |
output: "trivy-results.sarif" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
- name: Upload Scan to GitHub Security Tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
############################################################################## | |
pass: | |
name: "job-promote-to-passed" # This is the job name that the branch protection looks for | |
needs: | |
- lint | |
- build | |
- generate | |
- check-envoy-version | |
- check-gotest | |
- check-pytest | |
- check-pytest-unit | |
- check-chart | |
- trivy-container-scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: No-Op | |
if: ${{ false }} | |
run: "echo Pass" |