search for SANs in the cert closest to the http listener #4481
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: | |
- main | |
- release-v* | |
pull_request: | |
workflow_dispatch: | |
# cancel older, redundant runs of same workflow on same branch | |
concurrency: | |
group: ${{ github.workflow }}-${{github.event_name}}-${{ github.head_ref || github.ref_name }} | |
cancel-in-progress: true | |
env: | |
GOFLAGS: "-tags=pkcs11 -trimpath" | |
GOX_OUTPUT: "release/{{.Arch}}/{{.OS}}/{{.Dir}}" | |
GOX_TEST_OUTPUT: "test/{{.Arch}}/{{.OS}}/bin/{{.Dir}}" | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: "us-east-2" | |
gh_ci_key: ${{ secrets.GH_CI_KEY }} | |
CONSUL_ENCRYPTION_KEY: ${{ secrets.CONSUL_ENCRYPTION_KEY }} | |
ELASTIC_ENDPOINT: ${{ secrets.ELASTIC_ENDPOINT }} | |
ELASTIC_USERNAME: ${{ secrets.ELASTIC_USERNAME }} | |
ELASTIC_PASSWORD: ${{ secrets.ELASTIC_PASSWORD }} | |
CONSUL_ENDPOINT: ${{ secrets.CONSUL_ENDPOINT }} | |
CONSUL_AGENT_CERT: ${{ secrets.CONSUL_AGENT_CERT }} | |
BUILD_NUMBER: ${{ format('{0}-{1}-{2}', github.run_id, github.run_number, github.run_attempt) }} | |
ZITI_BASE_VERSION: ${{ vars.ZITI_BASE_VERSION || null }} | |
jobs: | |
mac-os-build: | |
name: Build Mac OS binaries | |
# allow fors to opt-out of time-consuming macOS builds | |
if: vars.ZITI_SKIP_MACOS_BUILD != 'true' | |
runs-on: macos-latest | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Build and Test | |
shell: bash | |
run: | | |
go install github.com/mitchellh/gox@latest | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./... | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./... | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: darwin-release-${{ github.run_id }} | |
path: release/ | |
retention-days: 5 | |
windows-build: | |
name: Build Windows binaries | |
# allow fors to opt-out of time-consuming Windows builds | |
if: vars.ZITI_SKIP_WINDOWS_BUILD != 'true' | |
runs-on: windows-2019 | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Build and Test | |
shell: bash | |
run: | | |
go install github.com/mitchellh/gox@latest | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./... | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: windows-release-${{ github.run_id }} | |
path: release/ | |
retention-days: 5 | |
linux-build: | |
name: Build Linux binaries | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Build and Test | |
shell: bash | |
run: | | |
sudo apt-get update | |
sudo apt-get -yq install gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf gcc-aarch64-linux-gnu | |
go install github.com/mitchellh/gox@latest | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./... | |
CC=arm-linux-gnueabihf-gcc \ | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./... | |
CC=aarch64-linux-gnu-gcc \ | |
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./... | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: linux-release-${{ github.run_id }} | |
path: release/ | |
retention-days: 5 | |
tests: | |
name: Run Unit and Integration Tests | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Run Go Quickstart Test | |
timeout-minutes: 5 | |
shell: bash | |
run: | | |
go test -v -tags "quickstart automated" ./ziti/cmd/edge/...; | |
- name: Run Unit and Integration Tests | |
timeout-minutes: 10 | |
shell: bash | |
run: | | |
go test ./... --tags apitests | |
fablab-smoketest: | |
name: Fablab Smoketest | |
# not applicable to forks. shouldn't run on release build | |
if: github.repository_owner == 'openziti' && !startsWith(github.ref_name, 'release-v') | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Build and Test | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }} | |
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }} | |
shell: bash | |
run: | | |
$(go env GOPATH)/bin/ziti-ci configure-git | |
$(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version | |
go test ./... | |
pushd zititest && go mod tidy && go install ./... && popd | |
go install -tags=all,tests ./... | |
- name: Create Test Environment | |
shell: bash | |
run: | | |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV" | |
$(go env GOPATH)/bin/smoketest create -d smoketest-${GITHUB_RUN_NUMBER} -n smoketest-${GITHUB_RUN_NUMBER} -l environment=gh-fablab-smoketest,ziti_version=$($(go env GOPATH)/bin/ziti-ci -q get-current-version) | |
$(go env GOPATH)/bin/smoketest up | |
- name: Test Ziti Command | |
shell: bash | |
run: | | |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV" | |
pushd zititest && go test -timeout 30m -v ./tests/... 2>&1 | tee test.out && popd | |
- name: Create fablab instance archive | |
# always create, even if cancelled, because the teardown job needs it to destroy the created test environment | |
if: always() | |
timeout-minutes: 30 | |
env: | |
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }} | |
shell: bash | |
run: | | |
cp $(go env GOPATH)/bin/smoketest smoketest-${GITHUB_RUN_NUMBER} | |
cp ~/.fablab/config.yml smoketest-${GITHUB_RUN_NUMBER}/ | |
tar --exclude *terraform-provider-aws* -czvf - smoketest-${GITHUB_RUN_NUMBER}/ | gpg --symmetric --cipher-algo aes256 --batch --quiet --passphrase ${FABLAB_PASSPHRASE} -o smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
aws s3 cp ./smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg s3://ziti-smoketest-fablab-instances/ | |
- name: Create Logs Archive | |
if: always() | |
run: | | |
$(go env GOPATH)/bin/smoketest get files '*' "./logs/{{ .Id }}/" ./logs | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: logs-${{ github.run_id }} | |
path: logs/ | |
compression-level: 7 | |
retention-days: 5 | |
- name: Test Report Generation | |
if: ${{ !cancelled() }} | |
shell: bash | |
run: | | |
go install github.com/jstemmer/go-junit-report/v2@latest | |
$(go env GOPATH)/bin/go-junit-report -in zititest/test.out -out test-report.xml | |
- name: Test Summary | |
uses: test-summary/action@v2 | |
if: ${{ !cancelled() }} | |
with: | |
paths: | | |
test-report.xml | |
show: "fail, skip" | |
fablab-smoketest-teardown: | |
name: Teardown SmokeTest | |
# ensure reasonable timeout-minutes on steps in this un-cancellable job | |
if: always() | |
runs-on: ubuntu-20.04 | |
needs: [ fablab-smoketest ] | |
steps: | |
# allow time for investigation unless the workflow is cancelled or the smoketest succeeded or was skipped | |
#- name: Sleep If Failed | |
# if: needs.fablab-smoketest.result != 'success' && needs.fablab-smoketest.result != 'skipped' && needs.fablab-smoketest.result != 'cancelled' | |
# shell: bash | |
# run: | | |
# sleep 30m | |
# release cloud resources if the smoketest succeeded, failed, or was cancelled; unnecessary if skipped | |
- name: Teardown Test Environment | |
if: needs.fablab-smoketest.result != 'skipped' | |
timeout-minutes: 30 | |
env: | |
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }} | |
shell: bash | |
run: | | |
if aws s3api head-object \ | |
--bucket ziti-smoketest-fablab-instances \ | |
--key smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
then | |
aws s3 cp s3://ziti-smoketest-fablab-instances/smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg . | |
gpg --quiet --batch --yes --decrypt --passphrase=${FABLAB_PASSPHRASE} --output smoketest-${GITHUB_RUN_NUMBER}.tar.gz smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
tar -xzf smoketest-${GITHUB_RUN_NUMBER}.tar.gz | |
./smoketest-${GITHUB_RUN_NUMBER}/smoketest import smoketest-${GITHUB_RUN_NUMBER} | |
./smoketest-${GITHUB_RUN_NUMBER}/smoketest dispose | |
aws s3 rm s3://ziti-smoketest-fablab-instances/smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
else | |
echo "WARN: No instance archive found for smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg" >&2 | |
fi | |
fablab-ha-smoketest: | |
name: Fablab HA Smoketest | |
# not applicable to forks. shouldn't run on release build | |
if: false && github.repository_owner == 'openziti' && !startsWith(github.ref_name, 'release-v') | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Build and Test | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }} | |
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }} | |
shell: bash | |
run: | | |
$(go env GOPATH)/bin/ziti-ci configure-git | |
$(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION} | |
pushd zititest && go mod tidy && go install ./... && popd | |
go install -tags=all,tests ./... | |
- name: Create Test Environment | |
shell: bash | |
run: | | |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV" | |
$(go env GOPATH)/bin/smoketest create -d smoketest-ha-${GITHUB_RUN_NUMBER} -n smoketest-ha-${GITHUB_RUN_NUMBER} -l ha=true,environment=gh-fablab-ha-smoketest,ziti_version=$($(go env GOPATH)/bin/ziti-ci -q get-current-version) | |
$(go env GOPATH)/bin/smoketest up | |
# - name: Test Ziti Command | |
# shell: bash | |
# run: | | |
# echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV" | |
# pushd zititest && go test -timeout 30m -v ./tests/... 2>&1 | tee test.out && popd | |
- name: Create fablab instance archive | |
if: always() | |
env: | |
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }} | |
shell: bash | |
run: | | |
cp $(go env GOPATH)/bin/smoketest smoketest-ha-${GITHUB_RUN_NUMBER} | |
cp ~/.fablab/config.yml smoketest-ha-${GITHUB_RUN_NUMBER}/ | |
tar --exclude *terraform-provider-aws* -czvf - smoketest-ha-${GITHUB_RUN_NUMBER}/ | gpg --symmetric --cipher-algo aes256 --batch --quiet --passphrase ${FABLAB_PASSPHRASE} -o smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
aws s3 cp ./smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg s3://ziti-smoketest-fablab-instances/ | |
# - name: Test Report Generation | |
# if: always() | |
# shell: bash | |
# run: | | |
# go install github.com/jstemmer/go-junit-report/v2@latest | |
#$(go env GOPATH)/bin/go-junit-report -in zititest/test.out -out test-report.xml | |
# - name: Test Summary | |
# uses: test-summary/action@v2 | |
# with: | |
# paths: | | |
# test-report.xml | |
# show: "fail, skip" | |
# if: always() | |
# END linux-build-steps | |
fablab-ha-smoketest-teardown: | |
name: Teardown HA SmokeTest | |
if: always() | |
runs-on: ubuntu-20.04 | |
needs: [ fablab-ha-smoketest ] | |
steps: | |
# allow time for investigation unless the workflow is cancelled or the smoketest succeeded or was skipped | |
- name: Sleep If Failed | |
if: needs.fablab-ha-smoketest.result != 'success' && needs.fablab-ha-smoketest.result != 'skipped' && needs.fablab-ha-smoketest.result != 'cancelled' | |
shell: bash | |
run: | | |
sleep 30m | |
# release cloud resources if the smoketest succeeded, failed, or was cancelled; unnecessary if skipped | |
- name: Teardown Test Environment | |
if: needs.fablab-smoketest-ha.result != 'skipped' | |
env: | |
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }} | |
shell: bash | |
run: | | |
if aws s3api head-object \ | |
--bucket ziti-smoketest-fablab-instances \ | |
--key smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
then | |
aws s3 cp s3://ziti-smoketest-fablab-instances/smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg . | |
gpg --quiet --batch --yes --decrypt --passphrase=${FABLAB_PASSPHRASE} --output smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
tar -xzf smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz | |
./smoketest-ha-${GITHUB_RUN_NUMBER}/smoketest import smoketest-ha-${GITHUB_RUN_NUMBER} | |
./smoketest-ha-${GITHUB_RUN_NUMBER}/smoketest dispose | |
aws s3 rm s3://ziti-smoketest-fablab-instances/smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg | |
else | |
echo "WARN: No instance archive found for smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg" >&2 | |
fi | |
publish: | |
name: Publish Binaries | |
# - !cancelled() allows evaluating further conditional expressions even if needed jobs were skipped; this unblocks | |
# the job allowing it to run even if needed jobs failed, unless explicitly required in the "if" expression | |
if: ${{ | |
!cancelled() | |
&& (needs.mac-os-build.result == 'success' || needs.mac-os-build.result == 'skipped') | |
&& (needs.windows-build.result == 'success' || needs.windows-build.result == 'skipped') | |
&& (needs.fablab-smoketest.result == 'success' || needs.fablab-smoketest.result == 'skipped') | |
&& (needs.tests.result == 'success') | |
}} | |
runs-on: ubuntu-20.04 | |
# ensure required job outcomes are specified in "if" expression | |
needs: [ tests, linux-build, mac-os-build, windows-build, fablab-smoketest, fablab-ha-smoketest ] | |
outputs: | |
ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }} | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: ./go.mod | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7' | |
- name: Install Ziti CI | |
uses: openziti/ziti-ci@v1 | |
- name: Download linux release artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: linux-release-${{ github.run_id }} | |
path: release/ | |
- name: Download darwin release artifact | |
if: needs.mac-os-build.result == 'success' | |
uses: actions/download-artifact@v4 | |
with: | |
name: darwin-release-${{ github.run_id }} | |
path: release/ | |
- name: Download windows release artifact | |
if: needs.windows-build.result == 'success' | |
uses: actions/download-artifact@v4 | |
with: | |
name: windows-release-${{ github.run_id }} | |
path: release/ | |
- name: List downloaded release artifacts | |
shell: bash | |
run: | | |
ls -lAhR release/ | |
- name: Restore execute filemode on macOS and Linux release artifacts before publishing | |
shell: bash | |
run: | | |
find ./release \ | |
-type f \ | |
-print0 \ | |
-path "./release/*/darwin/ziti" \ | |
-o \ | |
-path "./release/*/linux/ziti" \ | |
| xargs -0 chmod -c +x | |
# only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches | |
- name: Get next version for downstream release candidates | |
id: get_version | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GITHUB_REF: ${{ github.ref }} | |
GITHUB_RUN_ID: ${{ github.run_id }} | |
shell: bash | |
run: | | |
function validateSemver() { | |
if ! [[ "${1}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
echo "ERROR: ${1} is not a release semver" >&2 | |
return 1 | |
fi | |
} | |
echo "DEBUG: GITHUB_REPOSITORY=${GITHUB_REPOSITORY} GITHUB_REF=${GITHUB_REF} GITHUB_RUN_ID=${GITHUB_RUN_ID}" | |
(set -x; git remote -v show;) | |
# compute next release candidate version on non-release branches | |
ZITI_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-next-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})" | |
validateSemver "${ZITI_VERSION}" | |
# drop the leading 'v', if any, and append run id | |
ZITI_VERSION=${ZITI_VERSION#v}-${GITHUB_RUN_ID} | |
echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT | |
call-publish-docker-images: | |
# - !cancelled() allows evaluating further conditional expressions even if | |
# needed jobs were skipped | |
if: ${{ | |
!cancelled() | |
&& needs.publish.result == 'success' | |
&& github.ref_name == 'main' | |
}} | |
name: Publish Release Candidate Docker Images | |
needs: publish | |
uses: ./.github/workflows/publish-docker-images.yml | |
secrets: inherit | |
with: | |
ziti-tag: main | |
# call on default branch "main" to publish linux packages to "testing" package repos in Artifactory | |
call-publish-linux-packages: | |
# - !cancelled() allows evaluating further conditional expressions even if | |
# needed jobs were skipped | |
if: ${{ | |
!cancelled() | |
&& needs.publish.result == 'success' | |
&& github.ref_name == 'main' | |
}} | |
name: Publish Release Candidate Linux Packages | |
needs: publish | |
uses: ./.github/workflows/publish-linux-packages.yml | |
secrets: inherit | |
with: | |
ziti-version: ${{ needs.publish.outputs.ZITI_VERSION }} |