WIP: test pushing image to plural registry #366

wants to merge 2 commits into
base: main
300 changes: 154 additions & 146 deletions .github/workflows/ci.yaml
Expand Up @@ -35,7 +35,8 @@ jobs:
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/pluralsh/plural-cli
dkr.plural.sh/test-repo-3/plural-cli
# ghcr.io/pluralsh/plural-cli
# generate Docker tags based on the following events/attributes
tags: |
type=sha
Expand Down Expand Up @@ -74,112 +75,19 @@ jobs:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get current date
id: date
run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
- uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
# cache-from: type=gha
# cache-to: type=gha,mode=max
build-args: |
APP_VSN=dev
APP_COMMIT=${{ github.sha }}
APP_DATE=${{ steps.date.outputs.date }}
- name: Run Trivy vulnerability scanner on cli image
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
cloud:
name: Build cloud image
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
packages: 'write'
security-events: write
actions: read
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-east-2
role-to-assume: arn:aws:iam::312272277431:role/github-actions/buildx-deployments
role-session-name: PluralCLI
- name: setup kubectl
uses: azure/setup-kubectl@v3
- name: Get EKS credentials
run: aws eks update-kubeconfig --name pluraldev
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/pluralsh/plural-cli-cloud
# generate Docker tags based on the following events/attributes
tags: |
type=sha
type=ref,event=pr
type=ref,event=branch
- name: Set up Docker Buildx
id: builder
uses: docker/setup-buildx-action@v2
with:
driver: kubernetes
platforms: linux/amd64
driver-opts: |
namespace=buildx
requests.cpu=1.5
requests.memory=3.5Gi
"nodeselector=plural.sh/scalingGroup=buildx-spot-x86"
"tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule"
- name: Append ARM buildx builder from AWS
run: |
docker buildx create \
--append \
--bootstrap \
--name ${{ steps.builder.outputs.name }} \
--driver=kubernetes \
--platform linux/arm64 \
--node=${{ steps.builder.outputs.name }}-arm64 \
--buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" \
--driver-opt namespace=buildx \
--driver-opt requests.cpu=1.5 \
--driver-opt requests.memory=3.5Gi \
'--driver-opt="nodeselector=plural.sh/scalingGroup=buildx-spot-arm64"' \
'--driver-opt="tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule"'
- name: Login to GHCR
- name: Login to plural registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: dkr.plural.sh
username: [email protected]
password: ${{ secrets.PLURAL_ACCESS_TOKEN }}
- name: Get current date
id: date
run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
- uses: docker/build-push-action@v4
with:
context: .
file: ./dockerfiles/Dockerfile.cloud
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Expand All @@ -190,7 +98,7 @@ jobs:
APP_VSN=dev
APP_COMMIT=${{ github.sha }}
APP_DATE=${{ steps.date.outputs.date }}
- name: Run Trivy vulnerability scanner on cli cloud image
- name: Run Trivy vulnerability scanner on cli image
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
Expand All @@ -199,55 +107,155 @@ jobs:
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln'
timeout: 10m
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
trivy-scan:
name: Trivy fs scan
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
test:
name: Unit test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: 1.18
- run: make test
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: 1.18
- name: golangci-lint
uses: golangci/golangci-lint-action@v3
with:
version: v1.50.1
# cloud:
# name: Build cloud image
# runs-on: ubuntu-latest
# permissions:
# contents: 'read'
# id-token: 'write'
# packages: 'write'
# security-events: write
# actions: read
# steps:
# - name: Checkout
# uses: actions/checkout@v3
# - name: Configure AWS Credentials
# uses: aws-actions/configure-aws-credentials@v1
# with:
# aws-region: us-east-2
# role-to-assume: arn:aws:iam::312272277431:role/github-actions/buildx-deployments
# role-session-name: PluralCLI
# - name: setup kubectl
# uses: azure/setup-kubectl@v3
# - name: Get EKS credentials
# run: aws eks update-kubeconfig --name pluraldev
# - name: Docker meta
# id: meta
# uses: docker/metadata-action@v4
# with:
# # list of Docker images to use as base name for tags
# images: |
# ghcr.io/pluralsh/plural-cli-cloud
# dkr.plural.sh/test-repo-3/plural-cli-cloud
# # generate Docker tags based on the following events/attributes
# tags: |
# type=sha
# type=ref,event=pr
# type=ref,event=branch
# - name: Set up Docker Buildx
# id: builder
# uses: docker/setup-buildx-action@v2
# with:
# driver: kubernetes
# platforms: linux/amd64
# driver-opts: |
# namespace=buildx
# requests.cpu=1.5
# requests.memory=3.5Gi
# "nodeselector=plural.sh/scalingGroup=buildx-spot-x86"
# "tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule"
# - name: Append ARM buildx builder from AWS
# run: |
# docker buildx create \
# --append \
# --bootstrap \
# --name ${{ steps.builder.outputs.name }} \
# --driver=kubernetes \
# --platform linux/arm64 \
# --node=${{ steps.builder.outputs.name }}-arm64 \
# --buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" \
# --driver-opt namespace=buildx \
# --driver-opt requests.cpu=1.5 \
# --driver-opt requests.memory=3.5Gi \
# '--driver-opt="nodeselector=plural.sh/scalingGroup=buildx-spot-arm64"' \
# '--driver-opt="tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule"'
# - name: Login to GHCR
# uses: docker/login-action@v2
# with:
# registry: ghcr.io
# username: ${{ github.repository_owner }}
# password: ${{ secrets.GITHUB_TOKEN }}
# - name: Get current date
# id: date
# run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
# - uses: docker/build-push-action@v4
# with:
# context: .
# file: ./dockerfiles/Dockerfile.cloud
# push: true
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}
# platforms: linux/amd64,linux/arm64
# # cache-from: type=gha
# # cache-to: type=gha,mode=max
# build-args: |
# APP_VSN=dev
# APP_COMMIT=${{ github.sha }}
# APP_DATE=${{ steps.date.outputs.date }}
# - name: Run Trivy vulnerability scanner on cli cloud image
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'image'
# image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
# hide-progress: false
# format: 'sarif'
# output: 'trivy-results.sarif'
# scanners: 'vuln'
# timeout: 10m
# ignore-unfixed: true
# #severity: 'CRITICAL,HIGH'
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-results.sarif'
# trivy-scan:
# name: Trivy fs scan
# runs-on: ubuntu-latest
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# steps:
# - name: Checkout code
# uses: actions/checkout@v3
# - name: Run Trivy vulnerability scanner in fs mode
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'fs'
# hide-progress: false
# format: 'sarif'
# output: 'trivy-results.sarif'
# scanners: 'vuln,secret'
# ignore-unfixed: true
# #severity: 'CRITICAL,HIGH'
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-results.sarif'
# test:
# name: Unit test
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - uses: actions/setup-go@v3
# with:
# go-version: 1.18
# - run: make test
# lint:
# name: Lint
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - uses: actions/setup-go@v3
# with:
# go-version: 1.18
# - name: golangci-lint
# uses: golangci/golangci-lint-action@v3
# with:
# version: v1.50.1
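Review bot: The new `Login to plural registry` step in the second hunk hard-codes what looks like a personal e-mail address as the registry username next to `${{ secrets.PLURAL_ACCESS_TOKEN }}`, so the push identity (and the token's lifecycle) is tied to one person's account and the account name is published in the workflow; use a dedicated bot/service account and read the username from a secret or repository variable, e.g. `username: ${{ secrets.PLURAL_REGISTRY_USER }}`. With the `ghcr.io/pluralsh/plural-cli` image line commented out in the first hunk and `tags: ${{ steps.meta.outputs.tags }}` still driving the push, the retained `Login to GHCR` step (`registry: ghcr.io` / `secrets.GITHUB_TOKEN`) now establishes a credentialed session the job never uses; drop that step, and drop `packages: write` from the job's permissions if it is granted (the permissions block is outside the hunk), so the job holds only the credentials it needs. Because `push: true` is kept and the workflow trigger and the full tag list are outside the hunks, confirm the job does not run on `pull_request` events, otherwise every PR build would push to `dkr.plural.sh/test-repo-3` with the shared token. The last hunk comments out the `trivy-scan` job (`scanners: 'vuln,secret'`), `test` and `lint` in their entirety, which removes the repository secret scan and the test/lint gates from CI; if this is only scaffolding for the WIP experiment, restore those jobs before the PR leaves draft.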