chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d #417
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [master] | |
| release: | |
| types: [created] | |
| pull_request: | |
| branches: [master] | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| env: | |
| IMAGE_NAME: ghcr.io/${{ github.repository }} | |
| jobs: | |
| build: | |
| name: build | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write | |
| contents: read | |
| pull-requests: write | |
| outputs: | |
| api-image-tags: ${{ steps.container_meta.outputs.tags }} | |
| api-image-version: ${{ steps.container_meta.outputs.version }} | |
| api-image-digest: ${{ steps.build.outputs.digest }} | |
| api-image-name: ${{ env.IMAGE_NAME }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Container meta for api image | |
| id: container_meta | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4 | |
| with: | |
| images: | | |
| ${{ env.IMAGE_NAME }} | |
| - name: Container meta for the unit test image | |
| id: container_tests_meta | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository }}-tests | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # ran first to avoid pushing failing images when running on master. | |
| - name: Run unit tests | |
| uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 | |
| with: | |
| push: false | |
| load: true | |
| tags: ${{ steps.container_tests_meta.outputs.tags }} | |
| labels: ${{ steps.container_tests_meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| target: unit-test | |
| # can't use `load` and `push` at the same time, so differentiate by whether its a PR or not | |
| - name: Build and push api image | |
| uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 | |
| id: build | |
| with: | |
| load: ${{ github.event_name == 'pull_request' }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.container_meta.outputs.tags }} | |
| labels: ${{ steps.container_meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # 0.13.1 | |
| with: | |
| image-ref: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }} | |
| severity: "CRITICAL,HIGH" | |
| exit-code: "1" | |
| ignore-unfixed: "true" | |
| - name: Copy unit test coverage reports from container | |
| env: | |
| UNIT_TEST_IMAGE: ${{ fromJson(steps.container_tests_meta.outputs.json).tags[0] }} | |
| run: | | |
| docker create --name=unit-test-container "${UNIT_TEST_IMAGE}" | |
| docker cp unit-test-container:/build/src/Vfps.Tests/coverage ./coverage | |
| - name: Code Coverage Report | |
| uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # tag=v1.3.0 | |
| with: | |
| filename: coverage/**/coverage.cobertura.xml | |
| badge: true | |
| fail_below_min: true | |
| format: markdown | |
| hide_branch_rate: false | |
| hide_complexity: true | |
| indicators: true | |
| output: both | |
| thresholds: "60 80" | |
| - name: Add Coverage PR Comment | |
| uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| recreate: true | |
| path: code-coverage-results.md | |
| - name: Save container images as tar archives | |
| if: ${{ github.event_name == 'pull_request' }} | |
| env: | |
| API_IMAGE: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }} | |
| run: | | |
| docker save "$API_IMAGE" -o /tmp/api-image.tar | |
| - name: Upload container images | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: container-image-artifacts | |
| path: | | |
| /tmp/api-image.tar | |
| test-api-container: | |
| name: test api container | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 | |
| - name: Download container images | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: container-image-artifacts | |
| path: /tmp | |
| - name: Load images | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| ls -lar /tmp | |
| docker load --input /tmp/api-image.tar | |
| docker image ls -a | |
| - name: Install grpcurl | |
| working-directory: /tmp | |
| env: | |
| GRPCURL_URL: https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz | |
| run: | | |
| curl -LSs "$GRPCURL_URL" | tar xz && \ | |
| mv ./grpcurl /usr/local/bin/grpcurl && \ | |
| chmod +x /usr/local/bin/grpcurl && \ | |
| grpcurl --version | |
| - name: Install ghz | |
| working-directory: /tmp | |
| env: | |
| GHZ_URL: https://github.com/bojand/ghz/releases/download/v0.110.0/ghz-linux-x86_64.tar.gz | |
| run: | | |
| curl -LSs "$GHZ_URL" | tar xz && \ | |
| mv ./ghz /usr/local/bin/ghz && \ | |
| chmod +x /usr/local/bin/ghz && \ | |
| ghz --version | |
| - name: Start compose deployment | |
| env: | |
| VFPS_IMAGE_TAG: ${{ needs.build.outputs.api-image-version }} | |
| run: | | |
| echo "Using VFPS image tag ${VFPS_IMAGE_TAG}" | |
| docker compose -f docker-compose.yaml --profile=test up -d | |
| - name: Wait for the healthz endpoint to be ready | |
| run: | | |
| curl --fail --retry 5 --retry-all-errors --connect-timeout 30 --max-time 60 --retry-delay 10 http://127.0.0.1:8080/healthz | |
| - name: Create a namespace for testing | |
| run: | | |
| grpcurl \ | |
| -plaintext \ | |
| -import-path src/Vfps/ \ | |
| -proto src/Vfps/Protos/vfps/api/v1/namespaces.proto \ | |
| -d '{"name": "test", "pseudonymGenerationMethod": "PSEUDONYM_GENERATION_METHOD_SECURE_RANDOM_BASE64URL_ENCODED", "pseudonymLength": 32}' \ | |
| 127.0.0.1:8081 \ | |
| vfps.api.v1.NamespaceService/Create | |
| - name: Create pseudonyms from random inputs | |
| run: | | |
| ghz -n 5000 \ | |
| --cpus 1 \ | |
| --insecure \ | |
| --import-paths src/Vfps/ \ | |
| --proto src/Vfps/Protos/vfps/api/v1/pseudonyms.proto \ | |
| --call vfps.api.v1.PseudonymService/Create \ | |
| -d '{"originalValue": "{{randomString 32}}", "namespace": "test"}' \ | |
| 127.0.0.1:8081 | tee ghz-output.txt | |
| - name: Enhance ghz output for use as a PR comment | |
| run: | | |
| GHZ_OUTPUT_TXT=$(cat ghz-output.txt) | |
| { | |
| echo -e '---'; | |
| echo -e '## ghz run statistics'; | |
| echo -e '```console'; | |
| echo -e "${GHZ_OUTPUT_TXT}"; | |
| echo -e '```' | |
| } >> ghz-output.md | |
| - name: Append sticky comment with ghz output | |
| uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| append: true | |
| path: ghz-output.md | |
| - name: Print compose logs | |
| if: always() | |
| run: | | |
| docker compose --profile=test -f docker-compose.yaml logs | |
| docker compose --profile=test down --volumes --remove-orphans | |
| test-migrations: | |
| name: test migrations | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| needs: | |
| - build | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
| - name: Download container images | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: container-image-artifacts | |
| path: /tmp | |
| - name: Load migrations image | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| docker load --input /tmp/api-image.tar | |
| docker image ls -a | |
| - name: Install .NET | |
| uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # tag=v2 | |
| with: | |
| dotnet-version: "7.0.x" | |
| include-prerelease: true | |
| - name: Run migrations tests | |
| env: | |
| VFPS_IMAGE_TAG: ${{ needs.build.outputs.api-image-version }} | |
| run: dotnet test src/Vfps.IntegrationTests --configuration=Release -l "console;verbosity=detailed" | |
| run-iter8-tests: | |
| name: run iter8 tests | |
| runs-on: ubuntu-22.04 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
| - name: install iter8 cli | |
| env: | |
| ITER8_CLI_URL: "https://github.com/iter8-tools/iter8/releases/download/v0.13.18/iter8-linux-amd64.tar.gz" | |
| run: | | |
| curl -LSs "${ITER8_CLI_URL}" | tar xz | |
| mv linux-amd64/iter8 /usr/local/bin/iter8 | |
| chmod +x /usr/local/bin/iter8 | |
| iter8 version | |
| - name: Create KinD cluster | |
| uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 | |
| with: | |
| cluster_name: kind | |
| - name: Download container images | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: container-image-artifacts | |
| path: /tmp | |
| - name: Load images into KinD | |
| run: | | |
| # vfps api image | |
| kind load image-archive /tmp/api-image.tar | |
| - name: List images in cluster | |
| run: docker exec kind-control-plane crictl images | |
| - name: Install vfps | |
| env: | |
| IMAGE_TAG: ${{ needs.build.outputs.api-image-version }} | |
| run: | | |
| helm install \ | |
| --set="image.tag=${IMAGE_TAG}" \ | |
| -f tests/iter8/values.yaml \ | |
| --wait \ | |
| --timeout=15m \ | |
| vfps oci://ghcr.io/miracum/charts/vfps | |
| - name: Launch iter8 experiment | |
| run: kubectl apply -f tests/iter8/experiment.yaml | |
| - name: Wait for experiment completion | |
| run: iter8 k assert -c completed --timeout 10m | |
| - name: Assert no failures and SLOs are satisfied | |
| run: iter8 k assert -c nofailure,slos | |
| - name: Create iter8 reports | |
| if: always() | |
| run: | | |
| iter8 k report | tee iter8-report.txt | |
| iter8 k report -o html > iter8-report.html | |
| - name: Enhance iter8 report output for use as a PR comment | |
| run: | | |
| ITER8_REPORT_TXT=$(cat iter8-report.txt) | |
| { | |
| echo -e '---'; | |
| echo -e '## iter8 report'; | |
| echo -e '```console'; | |
| echo -e "${ITER8_REPORT_TXT}"; | |
| echo -e '```' | |
| } >> iter8-output.md | |
| - name: Append sticky comment with iter8 report | |
| uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| append: true | |
| path: iter8-output.md | |
| - name: Upload report | |
| if: always() | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: iter8-report.html | |
| path: | | |
| iter8-report.html | |
| - name: Print cluster and iter8 logs | |
| if: always() | |
| run: | | |
| kubectl cluster-info dump -o yaml | tee kind-cluster-dump.txt | |
| iter8 k log -l trace | |
| - name: Upload cluster dump | |
| if: always() | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: kind-cluster-dump.txt | |
| path: | | |
| kind-cluster-dump.txt | |
| sign-images: | |
| name: sign images | |
| runs-on: ubuntu-22.04 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build | |
| - test-migrations | |
| - test-api-container | |
| permissions: | |
| contents: read | |
| id-token: write | |
| packages: write | |
| steps: | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1 | |
| - name: Sign vfps image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| IMAGES: ${{ needs.build.outputs.api-image-tags }} | |
| run: | | |
| while read -r image; do | |
| echo "Signing '$image' using keyless approach" | |
| cosign sign "$image" | |
| done <<< "$IMAGES" | |
| container-provenance: | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| needs: | |
| - build | |
| - test-migrations | |
| - test-api-container | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write | |
| packages: write # for uploading attestations. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 | |
| with: | |
| image: ${{ needs.build.outputs.api-image-name }} | |
| digest: ${{ needs.build.outputs.api-image-digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} |