Skip to content

Commit

Permalink
ci: add basic build
Browse files Browse the repository at this point in the history 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
  • Loading branch information
@sagikazarmark
sagikazarmark committed Sep 7, 2023
1 parent 2ee4c2c commit 6ba57aa
Show file tree
Hide file tree
Showing 12 changed files with 597 additions and 1 deletion.
2 changes: 2 additions & 0 deletions .github/.editorconfig
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[{*.yml,*.yaml}]
indent_size = 2
17 changes: 17 additions & 0 deletions .github/dependabot.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
version: 2

updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "daily"

- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
16 changes: 16 additions & 0 deletions .github/renovate.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"schedule:earlyMondays",
":disableDependencyDashboard"
],
"enabledManagers": [
"nix"
],
"nix": {
"enabled": true
},
"lockFileMaintenance": {
"enabled": true
}
}
47 changes: 47 additions & 0 deletions .github/workflows/analysis-scorecard.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: OpenSSF Scorecard

on:
branch_protection_rule:
push:
branches: [main]
schedule:
- cron: '30 0 * * 5'

permissions:
contents: read

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest

permissions:
actions: read
contents: read
id-token: write
security-events: write

steps:
- name: Checkout repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload results as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: OpenSSF Scorecard results
path: results.sarif
retention-days: 5

- name: Upload results to GitHub Security tab
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.3.4
with:
sarif_file: results.sarif
195 changes: 195 additions & 0 deletions .github/workflows/artifacts.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,195 @@
name: Artifacts

on:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
release:
description: Whether this is a release build
default: false
required: false
type: boolean
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-image.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-image.outputs.digest }}
container-image-tag:
description: Container image tag
value: ${{ jobs.container-image.outputs.tag }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-image.outputs.ref }}

permissions:
contents: read

jobs:
container-image:
name: Container image
runs-on: ubuntu-latest

permissions:
contents: read
packages: write
id-token: write
security-events: write

outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
tag: ${{ steps.meta.outputs.version }}
ref: ${{ steps.image-ref.outputs.value }}

steps:
- name: Checkout repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0

- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"

- name: Gather build metadata
id: meta
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with:
images: ${{ steps.image-name.outputs.value }}
flavor: |
latest = false
tags: |
type=ref,event=branch
type=ref,event=pr,prefix=pr-
type=semver,pattern={{raw}}
type=raw,value=latest,enable={{is_default_branch}}
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
id: build-output
with:
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar

- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
if: inputs.publish

- name: Build and push image
id: build
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
with:
context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}

- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"

- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar
if: inputs.publish

- name: Upload image as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "[${{ github.job }}] OCI tarball"
path: image.tar

- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
# See https://github.com/anchore/syft/issues/1545
- name: Extract image from multi-arch image
run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy --additional-tag ${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci:image docker-archive:docker.tar

- name: Upload image as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "[${{ github.job }}] Docker tarball"
path: docker.tar

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
with:
input: image
format: sarif
output: trivy-results.sarif

- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
sarif_file: trivy-results.sarif

binary:
name: Binary
runs-on: ubuntu-latest

permissions:
contents: write

steps:
- name: Checkout repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

- name: Set up Nix
uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
with:
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: Prepare Nix shell
run: nix develop --impure .#ci

- name: Determine build command
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
id: build-command
with:
cond: ${{ inputs.release }}
if_true: goreleaser release
if_false: goreleaser release --skip-publish --snapshot

- name: Build
run: nix develop --impure .#ci -c ${{ steps.build-command.outputs.value }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "${{ github.job }}"
path: |
build/dist/*.tar.gz
build/dist/checksums.txt
Loading

0 comments on commit 6ba57aa

Please sign in to comment.