Skip to content

Merge pull request #272 from hashicorp/abhishek/fix-sec-scan-aws #823

Merge pull request #272 from hashicorp/abhishek/fix-sec-scan-aws

Merge pull request #272 from hashicorp/abhishek/fix-sec-scan-aws #823

Workflow file for this run

name: build
on:
workflow_dispatch:
push:
env:
PKG_NAME: "consul-ecs"
# cancel existing runs of the same workflow on the same ref
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
get-product-version:
runs-on: ubuntu-latest
outputs:
product-version: ${{ steps.get-product-version.outputs.product-version }}
ldflags: ${{ steps.get-product-version.outputs.ldflags }}
git-short-sha: ${{ steps.get-product-version.outputs.git-short-sha }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: get product version
id: get-product-version
run: |
make version
echo "product-version=$(make version)" >> $GITHUB_OUTPUT
echo "git-short-sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "ldflags=-s -w -X github.com/hashicorp/consul-ecs/version.GitCommit=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
generate-metadata-file:
needs: get-product-version
runs-on: ubuntu-latest
outputs:
filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
steps:
- name: "Checkout directory"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Generate metadata file
id: generate-metadata-file
uses: hashicorp/actions-generate-metadata@v1
with:
version: ${{ needs.get-product-version.outputs.product-version }}
product: ${{ env.PKG_NAME }}
repositoryOwner: "hashicorp"
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: metadata.json
path: ${{ steps.generate-metadata-file.outputs.filepath }}
build-linux:
needs:
- get-go-version
- get-product-version
# Warning: Updating the ubuntu version for this job may cause FIPS builds on arm64 to
# have issues running mesh-init, which copies the Cgo dynamically linked binary to a
# remote host. Compiling against a secure-but-older GLibC version (by using an older
# Ubuntu image) is the easiest way to avoid this issue.
# See https://groups.google.com/g/pat-users/c/dawmYvN4DBc
runs-on: ubuntu-20.04
strategy:
matrix:
include:
- {goos: "linux", goarch: "arm"}
- {goos: "linux", goarch: "arm64"}
- {goos: "linux", goarch: "386"}
- {goos: "linux", goarch: "amd64"}
- {goos: "linux", goarch: "arm64", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CC=aarch64-linux-gnu-gcc", fips: "+fips1402" }
- {goos: "linux", goarch: "amd64", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto", fips: "+fips1402"}
fail-fast: true
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} ${{ matrix.fips }} build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: CGO Dependencies
if: ${{ matrix.fips }} == "+fips1402" && ${{ matrix.goarch }} == "arm64"
run: |
sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y gcc-aarch64-linux-gnu
- name: Build
env:
# Env may be overridden by matrix values, e.g. CGO_ENABLED for FIPS builds.
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
LDFLAGS: ${{ needs.get-product-version.outputs.ldflags }}
CGO_ENABLED: "0"
run: |
${{ matrix.env }} go env
mkdir dist out
cp $GITHUB_WORKSPACE/LICENSE dist/LICENSE.txt
${{ matrix.env }} go build -tags=${{ matrix.gotags }} -ldflags="$LDFLAGS" -o dist/ .
zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/
if [ "${{ matrix.goarch }}" = "amd64" ]; then
bin=$(find dist -name consul-ecs)
$bin version
fi
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
build-docker-default:
name: Docker ${{ matrix.arch }} default release build
needs:
- get-product-version
- build-linux
runs-on: ubuntu-latest
strategy:
matrix:
arch: ["arm", "arm64", "386", "amd64"]
env:
repo: ${{ github.event.repository.name }}
version: ${{ needs.get-product-version.outputs.product-version }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v2
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" version | awk '{print $2}')"
echo "TEST_VERSION=${TEST_VERSION}"
echo "version=${version}"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: release-default
arch: ${{ matrix.arch }}
tags: |
docker.io/hashicorp/${{ env.repo }}:${{ env.version }}
public.ecr.aws/hashicorp/${{ env.repo }}:${{ env.version }}
dev_tags: |
hashicorppreview/${{ env.repo }}:${{ env.version }}
docker.io/hashicorppreview/${{ env.repo }}:${{ env.version }}-${{ github.sha }}
build-docker-fips:
name: Docker ${{ matrix.arch }} FIPS release build
needs:
- get-product-version
- build-linux
runs-on: ubuntu-latest
strategy:
matrix:
include:
- { arch: "arm64" }
- { arch: "amd64" }
env:
repo: ${{ github.event.repository.name }}
version: ${{ needs.get-product-version.outputs.product-version }}+fips1402
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Docker FIPS Build (Action)
uses: hashicorp/actions-docker-build@v2
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" version | awk '{print $2}')"
echo "TEST_VERSION=${TEST_VERSION}"
echo "version=${version}"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: release-fips-default
arch: ${{ matrix.arch }}
tags: |
docker.io/hashicorp/${{ env.repo }}-fips:${{ env.version }}
public.ecr.aws/hashicorp/${{ env.repo }}-fips:${{ env.version }}
dev_tags: |
hashicorppreview/${{ env.repo }}-fips:${{ env.version }}
docker.io/hashicorppreview/${{ env.repo }}-fips:${{ env.version }}-${{ github.sha }}
upload-dev-docker:
name: Upload dev image (hashicorpdev/consul-ecs:<commit>)
environment: dockerhub/hashicorpdev
needs:
- get-product-version
- build-docker-default
runs-on: ubuntu-latest
strategy:
matrix:
arch: ["amd64"]
env:
repo: ${{ github.event.repository.name }}
version: ${{ needs.get-product-version.outputs.product-version }}
target: release-default
git-short-sha: ${{ needs.get-product-version.outputs.git-short-sha }}
steps:
- name: download image artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ env.repo }}_${{ env.target }}_linux_${{ matrix.arch }}_${{ env.version }}_${{ github.sha }}.docker.dev.tar
- name: docker push
shell: bash
run: |
TAG=hashicorpdev/${{ env.repo }}:${{ env.git-short-sha }}
echo "==> Load docker image from tar archive"
docker load -i "${{ env.repo }}_${{ env.target }}_linux_${{ matrix.arch }}_${{ env.version }}_${{ github.sha }}.docker.dev.tar"
echo "==> Tag docker image $TAG"
docker tag "hashicorppreview/${{ env.repo }}:${{ env.version }}-${{ github.sha }}" "$TAG"
echo "==> Docker login"
echo ${{ secrets.DOCKER_PASS }} | docker login -u=${{ secrets.DOCKER_USER }} --password-stdin
echo "==> Push docker image $TAG"
docker push "$TAG"
- name: docker push (latest)
shell: bash
if: ${{ github.ref == 'refs/heads/main' }}
run: |
TAG=hashicorpdev/${{ env.repo }}:latest
echo "==> Tag docker image $TAG as :latest"
docker tag "hashicorpdev/${{ env.repo }}:${{ env.git-short-sha }}" "$TAG"
echo "==> Push docker image $TAG"
docker push "$TAG"
# This is job is required for branch protection as a required GitHub check
# because GitHub actions show up as checks at the job level and not the
# workflow level. This is currently a feature request:
# https://github.com/orgs/community/discussions/12395
#
# This job must:
# - be placed after the fanout of a workflow so that everything fans back in
# to this job.
# - "need" any job that is part of the fan out / fan in
# - include if: always() logic because we may have conditional jobs that this job
# needs, and this would potentially get skipped if a previous job got skipped.
# The if clause ensures it does not get skipped.
build-success:
needs:
- generate-metadata-file
- build-linux
- build-docker-default
- build-docker-fips
runs-on: ubuntu-latest
if: always()
steps:
- name: evaluate upstream job results
run: |
# exit 1 if failure or cancelled result for any upstream job
# this ensures that we fail the PR check regardless of cancellation, rather than skip-passing it
# see https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution#overview
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
exit 1
fi