Skip to content

SEC-090: Automated trusted workflow pinning (2024-10-28) (#957) #2933

SEC-090: Automated trusted workflow pinning (2024-10-28) (#957)

SEC-090: Automated trusted workflow pinning (2024-10-28) (#957) #2933

Workflow file for this run

name: build
on:
push:
branches-ignore:
- 'docs/**'
workflow_dispatch:
inputs:
version:
description: "Version to build, e.g. 0.1.0"
type: string
required: false
env:
PKG_NAME: "vault-secrets-operator"
# used by scripts that fetch build tools from GH
GH_GET_RETRIES: 5
jobs:
get-product-version:
runs-on: ubuntu-latest
outputs:
product-version: ${{ steps.get-product-version.outputs.product-version }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: get product version
id: get-product-version
run: |
VERSION="${{ github.event.inputs.version || '0.0.0-dev' }}"
echo "Using version ${VERSION}"
echo "product-version=${VERSION}" >> $GITHUB_OUTPUT
build-pre-checks:
runs-on: ubuntu-latest
needs: get-product-version
outputs:
go-version: ${{ steps.setup-go.outputs.go-version }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- id: setup-go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: .go-version
- name: go mod download all
run: |
# download all dependencies to warm up the module cache
# make sure to run go mod tidy after this since the go.sum file will be updated
go mod download all
- name: go mod tidy
run: |
go mod tidy
test -z "$(git status --porcelain)"
- name: go fmt
run: |
make check-fmt
- name: tf fmt
run: |
make check-tffmt
- name: check versions
run: |
make check-versions VERSION=${{ needs.get-product-version.outputs.product-version }}
- name: generate manifests
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make generate manifests
if [ -n "$(git status --porcelain)" ]; then
echo "Generated manifests are out of date. Please run 'make generate manifests' and commit the changes."
exit 1
fi
- name: go vet
run: |
make vet
unit-tests:
runs-on: ubuntu-latest
needs:
- build-pre-checks
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: .go-version
- run: make ci-test
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: '20'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.10.0'
- run: bats -v
shell: bash
- run: make unit-test
generate-metadata-file:
needs: get-product-version
runs-on: ubuntu-latest
outputs:
filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
steps:
- name: Checkout directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Generate metadata file
id: generate-metadata-file
uses: hashicorp/actions-generate-metadata@v1
with:
version: ${{ needs.get-product-version.outputs.product-version }}
product: ${{ env.PKG_NAME }}
repositoryOwner: "hashicorp"
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: metadata.json
path: ${{ steps.generate-metadata-file.outputs.filepath }}
build:
name: Go ${{ needs.build-pre-checks.outputs.go-version }} linux ${{ matrix.arch }} build
needs:
- get-product-version
- build-pre-checks
runs-on: ubuntu-latest
strategy:
matrix:
arch: ["arm64", "amd64"]
fail-fast: true
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: .go-version
- name: Build binary
id: build-binary
env:
GOOS: "linux"
GOARCH: ${{ matrix.arch }}
VERSION: ${{ needs.get-product-version.outputs.product-version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
BUILD_DIR=dist
make ci-build BUILD_DIR="${BUILD_DIR}"
OUT_DIR="${BUILD_DIR}/out"
mkdir -p "${OUT_DIR}"
cp -a LICENSE "${BUILD_DIR}/LICENSE.txt"
ZIP_FILE="${OUT_DIR}/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip"
zip -r -j "${ZIP_FILE}" dist/${{ env.GOOS }}/${{ env.GOARCH }}/${{ env.PKG_NAME }} ${BUILD_DIR}/LICENSE.txt
echo "path=${ZIP_FILE}" >> $GITHUB_OUTPUT
echo "name=$(basename ${ZIP_FILE})" >> $GITHUB_OUTPUT
- name: Upload binary
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ steps.build-binary.outputs.name }}
path: ${{ steps.build-binary.outputs.path }}
build-docker:
name: Docker ${{ matrix.arch }} build
needs:
- get-product-version
- build-pre-checks
- build
runs-on: ubuntu-latest
strategy:
matrix:
arch: ["arm64", "amd64"]
env:
repo: ${{github.event.repository.name}}
version: ${{needs.get-product-version.outputs.product-version}}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup scripts directory
shell: bash
run: |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v2
env:
VERSION: ${{ needs.get-product-version.outputs.product-version }}
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
with:
version: ${{env.version}}
target: release-default
arch: ${{matrix.arch}}
tags: |
docker.io/hashicorp/${{env.repo}}:${{env.version}}
public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}}
- name: Check binary version in container
shell: bash
run: |
version_output=$(docker run hashicorp/${{env.repo}}:${{env.version}} --version --output=json)
echo $version_output
git_version=$(echo $version_output | jq -r .gitVersion)
if [ "$git_version" != "${{ env.version }}" ]; then
echo "$gitVersion expected to be ${{ env.version }}"
exit 1
fi
build-docker-ubi:
name: UBI ${{ matrix.arch }} build
needs:
- get-product-version
- build-pre-checks
- build
runs-on: ubuntu-latest
strategy:
matrix:
arch: ["arm64", "amd64"]
env:
repo: ${{github.event.repository.name}}
version: ${{needs.get-product-version.outputs.product-version}}
image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup scripts directory
shell: bash
run: |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v2
env:
VERSION: ${{ needs.get-product-version.outputs.product-version }}
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
with:
version: ${{env.version}}
target: release-ubi
arch: ${{matrix.arch}}
tags: |
docker.io/hashicorp/${{env.repo}}:${{env.image_tag}}
public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}}
- name: Check binary version in container
shell: bash
run: |
version_output=$(docker run hashicorp/${{env.repo}}:${{env.image_tag}} --version --output=json)
echo $version_output
git_version=$(echo $version_output | jq -r .gitVersion)
if [ "$git_version" != "${{ env.version }}" ]; then
echo "$gitVersion expected to be ${{ env.version }}"
exit 1
fi
build-docker-ubi-redhat:
name: UBI ${{ matrix.arch }} RedHat build
needs:
- get-product-version
- build-pre-checks
- build
runs-on: ubuntu-latest
strategy:
matrix:
# Building only amd64 for the RedHat registry for now
arch: ["amd64"]
env:
repo: ${{github.event.repository.name}}
version: ${{needs.get-product-version.outputs.product-version}}
image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup scripts directory
shell: bash
run: |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v2
env:
VERSION: ${{ needs.get-product-version.outputs.product-version }}
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
with:
version: ${{env.version}}
target: release-ubi-redhat
arch: ${{matrix.arch}}
# The quay id here corresponds to the project id on RedHat's portal
redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
- name: Check binary version in container
shell: bash
run: |
version_output=$(docker run quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} --version --output=json)
echo $version_output
git_version=$(echo $version_output | jq -r .gitVersion)
if [ "$git_version" != "${{ env.version }}" ]; then
echo "$gitVersion expected to be ${{ env.version }}"
exit 1
fi
chart-upgrade-tests:
runs-on: ubuntu-latest
needs:
- get-product-version
- build-pre-checks
- build-docker
strategy:
fail-fast: false
matrix:
# Test upgrading from the previous version to the current build.
# This list should be updated with each new release.
# We probably only want to maintain the last 5-6 versions.
start-chart-version:
- "0.2.0"
- "0.3.1"
- "0.4.0"
- "0.5.0"
- "0.6.0"
- "0.7.1"
- "0.8.0"
steps:
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
- name: Load docker image
shell: bash
run: |
docker load --input ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
- name: Install kind
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
version: "v0.22.0"
install_only: true
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
id: setup-helm
with:
version: "v3.15.1"
- name: Add repo
shell: bash
run: |
helm repo add hashicorp https://helm.releases.hashicorp.com
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: .go-version
- name: Run tests
shell: bash
run: |
export TEST_START_CHART_VERSION="${{ matrix.start-chart-version }}"
make integration-test-chart VERSION="${{ needs.get-product-version.outputs.product-version }}"
versions:
runs-on: ubuntu-latest
steps:
- run: echo "setting versions"
outputs:
# JSON encoded array of k8s versions
K8S_VERSIONS: '["1.30.0", "1.29.4", "1.28.9", "1.27.13", "1.26.15"]'
VAULT_N: "1.17.2"
VAULT_N_1: "1.16.6"
VAULT_N_2: "1.15.12"
latest-vault:
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.vault-enterprise }}
needs:
- get-product-version
- build-pre-checks
- build-docker
- versions
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
vault-version:
- ${{ needs.versions.outputs.VAULT_N }}
k8s-version: ${{ fromJson(needs.versions.outputs.K8S_VERSIONS) }}
installation-method: [helm, kustomize]
vault-enterprise: [true, false]
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/integration-test
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }}
with:
version: ${{ needs.get-product-version.outputs.product-version }}
k8s-version: ${{ matrix.k8s-version }}
vault-version: ${{ matrix.vault-version }}
vault-enterprise: ${{ matrix.vault-enterprise }}
installation-method: ${{ matrix.installation-method }}
operator-image-archive: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
vault-license-ci: ${{ secrets.VAULT_LICENSE_CI }}
hcp-organization-id: ${{ secrets.HCP_ORGANIZATION_ID }}
hcp-project-id: ${{ secrets.HCP_PROJECT_ID }}
hcp-client-id: ${{ secrets.HCP_CLIENT_ID }}
hcp-client-secret: ${{ secrets.HCP_CLIENT_SECRET }}
github-token: ${{ secrets.GITHUB_TOKEN }}
log-prefix: "latest-vault-"
latest-k8s:
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.vault-enterprise }}
runs-on: ubuntu-latest
needs:
- get-product-version
- build-pre-checks
- build-docker
- versions
strategy:
fail-fast: false
matrix:
vault-version:
- ${{ needs.versions.outputs.VAULT_N_1 }}
- ${{ needs.versions.outputs.VAULT_N_2 }}
k8s-version:
- ${{ fromJson(needs.versions.outputs.K8S_VERSIONS)[0] }}
installation-method: [kustomize]
vault-enterprise: [true]
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/integration-test
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }}
with:
version: ${{ needs.get-product-version.outputs.product-version }}
k8s-version: ${{ matrix.k8s-version }}
vault-version: ${{ matrix.vault-version }}
vault-enterprise: ${{ matrix.vault-enterprise }}
installation-method: ${{ matrix.installation-method }}
operator-image-archive: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
vault-license-ci: ${{ secrets.VAULT_LICENSE_CI }}
hcp-organization-id: ${{ secrets.HCP_ORGANIZATION_ID }}
hcp-project-id: ${{ secrets.HCP_PROJECT_ID }}
hcp-client-id: ${{ secrets.HCP_CLIENT_ID }}
hcp-client-secret: ${{ secrets.HCP_CLIENT_SECRET }}
github-token: ${{ secrets.GITHUB_TOKEN }}
log-prefix: "latest-k8s-"
# This job is used as a requirement for the repo's branch protection setup.
build-done:
runs-on: ubuntu-latest
if: always()
needs:
- build
- build-docker
- build-docker-ubi
- build-docker-ubi-redhat
- chart-upgrade-tests
- unit-tests
- latest-vault
- latest-k8s
steps:
- name: cancelled
if: ${{ (contains(needs.*.result, 'cancelled')) }}
run: exit 2
- name: passed
if: ${{ !(contains(needs.*.result, 'failure')) }}
run: exit 0
- name: failed
if: ${{ contains(needs.*.result, 'failure') }}
run: exit 1