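---
name: Server CI Artifacts

# Runs after the PR workflow completes. A workflow_run workflow executes in the
# base repository with access to its secrets, so everything taken from the
# triggering run (the downloaded artifacts, the Dockerfile under server/build)
# is input produced by the PR author and is treated as untrusted below.
on:
  workflow_run:
    workflows:
      - "Server CI PR"
    types:
      - completed

# Least-privilege token for the whole workflow: statuses:write for the
# commit-status updates, actions:read so download-artifact can read the
# artifacts of the triggering run. Widen only if a step needs another scope.
permissions:
  actions: read
  contents: read
  statuses: write

env:
  COSIGN_VERSION: "2.2.0"

jobs:
  ## We only need the condition on the first job
  ## This will run only when a pull request is created with server changes
  update-initial-status:
    # NOTE(review): this gate does not distinguish fork PRs from same-repo PRs.
    # Since build-docker builds the Dockerfile delivered by the triggering run
    # and pushes the result under the org's Docker Hub namespace, consider
    # restricting to same-repo PRs unless fork builds are intended, e.g. adding
    # `&& github.event.workflow_run.head_repository.full_name == github.repository`.
    if: github.repository_owner == 'mattermost' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-22.04
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@fec7b836001c9380d4bfaf28d443945c103a098c
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: pending

  upload-artifacts:
    runs-on: ubuntu-22.04
    needs:
      - update-initial-status
    steps:
      - name: cd/configure-aws-credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          aws-region: us-east-1
          aws-access-key-id: ${{ secrets.PR_BUILDS_BUCKET_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PR_BUILDS_BUCKET_AWS_SECRET_ACCESS_KEY }}
      - name: cd/download-artifacts-from-PR-workflow
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          name: server-dist-artifact
          path: server/dist
      - name: cd/generate-packages-file-list
        working-directory: ./server/dist
        # Exports the package file names as a multi-line env var (heredoc form)
        # for the summary step. The pattern is a real ERE with escaped dots, so
        # only files ending in .tar.gz / .zip match (the previous "*.(...)" was
        # glob syntax; grep -E ignores the leading "*" and the bare dots
        # over-match). No match makes grep exit 1 and fails the step, which is
        # intended: nothing was built.
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          ls | grep -E '\.(tar\.gz|zip)$' >> "${GITHUB_ENV}"
          echo "EOF" >> "${GITHUB_ENV}"
      - name: cd/upload-artifacts-to-s3
        # Objects are published world-readable; the summary step below links to
        # them as the PR download URLs.
        run: aws s3 sync server/dist/ s3://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/ --cache-control no-cache --no-progress --acl public-read
      - name: cd/generate-summary
        run: |
          echo "### Download links for Mattermost team package" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Mattermost Repo SHA: \`${{ github.event.workflow_run.head_sha }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "|Download Link|" >> "${GITHUB_STEP_SUMMARY}"
          echo "| --- |" >> "${GITHUB_STEP_SUMMARY}"
          for package in ${PACKAGES_FILE_LIST}
          do
            echo "|[${package}](https://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/${package})|" >> "${GITHUB_STEP_SUMMARY}"
          done

  build-docker:
    runs-on: ubuntu-22.04
    needs:
      - upload-artifacts
    outputs:
      TAG: ${{ steps.set_tag.outputs.TAG }}
    steps:
      - name: cd/docker-login
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: mattermostdev
          password: ${{ secrets.DOCKERHUB_DEV_TOKEN }}
      - name: cd/setup-cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
          cosign-release: v${{ env.COSIGN_VERSION }}
      - name: cd/download-artifacts-from-PR-workflow
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          name: server-build-artifact
          path: server/build/
      - name: cd/setup-docker-buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
      - name: cd/set-docker-tag
        id: set_tag
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        # Short (7-char) commit SHA. The value is passed through env instead of
        # being interpolated into the script, so the shell never parses it.
        run: |
          echo "TAG=${HEAD_SHA:0:7}" >> "${GITHUB_OUTPUT}"
      - name: cd/docker-build-and-push
        id: docker
        env:
          MM_PACKAGE: https://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/mattermost-team-linux-amd64.tar.gz
          TAG: ${{ steps.set_tag.outputs.TAG }}
        # The build context and Dockerfile are the artifact of the triggering
        # run. The image digest is recovered from cosign's signature-tag naming
        # (<repo>:sha256-<digest>.sig -> sha256:<digest>); the assignment plus
        # pipefail makes a failed or empty derivation fail the step instead of
        # silently emitting an empty digest into the summary.
        run: |
          set -o pipefail
          cd server/build
          docker buildx build --no-cache --platform linux/amd64 --push --build-arg "MM_PACKAGE=${MM_PACKAGE}" -t "mattermostdevelopment/mm-te-test:${TAG}" -t "mattermostdevelopment/mattermost-team-edition:${TAG}" .
          digest="$(cosign triangulate "mattermostdevelopment/mattermost-team-edition:${TAG}" | cut -d: -f2 | sed 's/\.sig$//' | tr '-' ':')"
          test -n "${digest}"
          echo "DOCKERHUB_IMAGE_DIGEST=${digest}" >> "${GITHUB_OUTPUT}"
      - name: cd/generate-summary
        env:
          TAG: ${{ steps.set_tag.outputs.TAG }}
        run: |
          echo "### Docker Image for Mattermost team package" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Mattermost Repo SHA: \`${{ github.event.workflow_run.head_sha }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo " " >> "${GITHUB_STEP_SUMMARY}"
          echo "Docker Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "Image Digest: \`${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"
          echo "Secure Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}@${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"

  scan-docker-image:
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    env:
      POLICY: "DevOps Vulnerabilities Policy"
    steps:
      - name: cd/setup-wizcli
        # NOTE(review): the scanner binary is fetched from an unpinned "latest"
        # URL and executed with the Wiz client credentials without a checksum or
        # signature check. Pin a release and verify its published checksum before
        # running it (values to fill in: <WIZCLI_RELEASE>, <WIZCLI_SHA256>).
        # curl --fail keeps an HTTP error body from being saved and executed as
        # the binary.
        run: |
          curl -fsSL -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
          chmod +x wizcli
          ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
        env:
          WIZ_CLIENT_ID: ${{ secrets.WIZ_DEVOPS_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_DEVOPS_CLIENT_SECRET }}
      - name: cd/download-container-image
        run: |
          docker pull mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }}
      - name: cd/scan-image
        run: |
          ./wizcli docker scan --image mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }} --policy "$POLICY"

  # Both final-status jobs depend on build-docker only: scan-docker-image is not
  # in their `needs`, so a failed scan neither blocks the success status nor
  # triggers the failure status. Add it to `needs` if the scan should gate the
  # commit status.
  update-failure-final-status:
    if: failure() || cancelled()
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@fec7b836001c9380d4bfaf28d443945c103a098c
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: failure

  update-success-final-status:
    if: success()
    runs-on: ubuntu-22.04
    needs:
      - build-docker
    steps:
      - uses: mattermost/actions/delivery/update-commit-status@fec7b836001c9380d4bfaf28d443945c103a098c
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          repository_full_name: ${{ github.repository }}
          commit_sha: ${{ github.event.workflow_run.head_sha }}
          context: Server CI/Artifacts Build
          description: Artifacts upload and build for mattermost team platform
          status: success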