This repository has been archived by the owner on Mar 4, 2024. It is now read-only.
Bump aquasecurity/trivy-action from 0.16.0 to 0.16.1 (#383) #1900
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CI | |
| on: | |
| schedule: | |
| - cron: "0 12 * * 0" | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v[0-9]+.[0-9]+.[0-9]+* | |
| pull_request: | |
| permissions: | |
| contents: read | |
| packages: write | |
| checks: write | |
| pull-requests: write | |
| repository-projects: read | |
| jobs: | |
| test: | |
| name: Test | |
| timeout-minutes: 10 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| go-version: [ 1.21.x ] | |
| may-fail: [ false ] | |
| continue-on-error: ${{ matrix.may-fail }} | |
| runs-on: ubuntu-20.04 | |
| env: | |
| # no `-mod=readonly` to test PRs made by @dependabot; | |
| # `git diff --exit-code` step below still checks what we need | |
| GOPRIVATE: github.com/percona,github.com/percona/everest-operator | |
| steps: | |
| - name: Configure git for private modules | |
| env: | |
| ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }} | |
| run: git config --global url."https://percona-platform-robot:${ROBOT_TOKEN}@github.com".insteadOf "https://github.com" | |
| - name: Set up Go release | |
| uses: percona-platform/setup-go@v4 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Set GO_VERSION environment variable | |
| run: | | |
| go version | |
| echo "GO_VERSION=$(go version)" >> $GITHUB_ENV | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| with: | |
| lfs: true | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Enable Go modules cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-modules- | |
| - name: Enable Go build cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/.cache/go-build | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}- | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build- | |
| - name: Download Go modules | |
| run: go mod download | |
| - name: Install development tools | |
| run: make init | |
| - name: Generate code | |
| run: make gen | |
| - name: Install binaries | |
| run: make build | |
| - name: Run tests | |
| run: | | |
| go clean -testcache | |
| make test-crosscover | |
| - name: Check that there are no source code changes | |
| run: | | |
| # Break job if any files were changed during its run (code generation, etc), except go.sum. | |
| # `go mod tidy` could remove old checksums from that file, and that's okay on CI, | |
| # and actually expected for PRs made by @dependabot. | |
| # Checksums of actually used modules are checked by previous `go` subcommands. | |
| pushd tools && go mod tidy -v && git checkout go.sum | |
| popd && go mod tidy -v && git checkout go.sum | |
| git diff --exit-code | |
| - name: Run debug commands on failure | |
| if: ${{ failure() }} | |
| run: | | |
| env | |
| go version | |
| go env | |
| pwd | |
| git status | |
| check: | |
| name: Check | |
| timeout-minutes: 10 | |
| if: github.event_name == 'pull_request' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| go-version: [1.21.x] | |
| may-fail: [false] | |
| continue-on-error: ${{ matrix.may-fail }} | |
| runs-on: ubuntu-20.04 | |
| env: | |
| GOPRIVATE: github.com/percona,github.com/percona/everest-operator | |
| steps: | |
| - name: Configure git for private modules | |
| env: | |
| ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }} | |
| run: git config --global url."https://percona-platform-robot:${ROBOT_TOKEN}@github.com".insteadOf "https://github.com" | |
| - name: Set up Go release | |
| uses: percona-platform/setup-go@v4 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Set GO_VERSION environment variable | |
| run: | | |
| go version | |
| echo "GO_VERSION=$(go version)" >> $GITHUB_ENV | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| with: | |
| lfs: true | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Enable Go modules cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-modules- | |
| - name: Enable Go build cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/.cache/go-build | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}- | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build- | |
| - name: Download Go modules | |
| run: go mod download | |
| - name: Install tools | |
| run: make init | |
| - name: Check the latest operator version is used | |
| run: | | |
| go get github.com/percona/everest-operator@main | |
| echo "Checking there is no source code changes" | |
| go mod tidy | |
| git diff --exit-code | |
| - name: Check the Makefile references dev version | |
| run: | | |
| if ! grep -q "RELEASE_VERSION ?= v0.0.0" Makefile; then | |
| echo "default RELEASE_VERSION in Makefile should be 0.0.0" | |
| exit 1 | |
| fi | |
| - name: Check the quickstart script references dev version | |
| run: | | |
| if ! grep -q "perconalab/everest:0.0.0" deploy/quickstart-k8s.yaml; then | |
| echo "deploy/quickstart-k8s.yaml should reference 0.0.0 version" | |
| exit 1 | |
| fi | |
| - name: Run checks/linters | |
| run: | | |
| # use GITHUB_TOKEN because only it has access to GitHub Checks API | |
| bin/golangci-lint run --out-format=line-number | env REVIEWDOG_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} bin/reviewdog -f=golangci-lint -reporter=github-pr-review -filter-mode=nofilter -fail-on-error=true | |
| - name: Check that there are no source code changes | |
| run: | | |
| make format | |
| pushd tools && go mod tidy -v | |
| popd && go mod tidy -v | |
| git status | |
| git diff --exit-code | |
| - name: Run debug commands on failure | |
| if: ${{ failure() }} | |
| run: | | |
| env | |
| go version | |
| go env | |
| pwd | |
| git status | |
| integration_tests: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| go-version: [1.21.x] | |
| may-fail: [false] | |
| name: API Integration Tests | |
| runs-on: ubuntu-20.04 | |
| env: | |
| # no `-mod=readonly` to test PRs made by @dependabot; | |
| # `git diff --exit-code` step below still checks what we need | |
| GOPRIVATE: github.com/percona,github.com/percona/everest-operator | |
| PERCONA_VERSION_SERVICE_URL: https://check-dev.percona.com/versions/v1 | |
| steps: | |
| - name: Set up Go release | |
| uses: percona-platform/setup-go@v4 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Set GO_VERSION environment variable | |
| run: | | |
| go version | |
| echo "GO_VERSION=$(go version)" >> $GITHUB_ENV | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| with: | |
| lfs: true | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| - name: Enable Go modules cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-modules- | |
| - name: Enable Go build cache | |
| uses: percona-platform/cache@v3 | |
| with: | |
| path: ~/.cache/go-build | |
| key: ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }} | |
| restore-keys: | | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}- | |
| ${{ matrix.os }}-go-${{ matrix.go-version }}-build- | |
| - name: Start local Kubernetes cluster with the local registry | |
| uses: medyagh/setup-minikube@latest | |
| id: minikube | |
| with: | |
| cpus: 2 | |
| memory: 2000m | |
| addons: registry | |
| insecure-registry: 'localhost:5000' | |
| - name: Expose local registry | |
| run: | | |
| kubectl port-forward --namespace kube-system service/registry 5000:80 & | |
| - name: Build Everest backend | |
| run: | | |
| CGO_ENABLED=0 GOOS=linux GOARCH=amd64 make build-debug | |
| - name: Build Everest docker container | |
| uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| images: localhost:5000/perconalab/everest | |
| tags: | |
| 0.0.0 | |
| - name: Build and Push everest dev image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| - name: Checkout CLI repo | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: percona/percona-everest-cli | |
| ref: 'main' | |
| path: percona-everest-cli | |
| ssh-key: ${{ secrets.CLI_SSH_KEY }} | |
| - name: Configure git for private modules | |
| env: | |
| ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }} | |
| run: git config --global url."https://percona-platform-robot:${ROBOT_TOKEN}@github.com".insteadOf "https://github.com" | |
| # We need to have Everest CRDs available before running provisioning and everest backend | |
| # to have an ability to create monitoring configs and use them during the provisioning as | |
| # a mock pmm server without running a real PMM. | |
| - name: Install everest operator without Everest | |
| run: | | |
| kubectl create ns percona-everest | |
| curl https://raw.githubusercontent.com/percona/everest-operator/main/deploy/bundle.yaml -o bundle.yaml | |
| sed -i "s/namespace: everest-operator-system/namespace: percona-everest/g" bundle.yaml | |
| kubectl -n percona-everest apply -f bundle.yaml | |
| # We create a dummy monitoring instance so we can enable monitoring during provisioning | |
| # without having to install PMM. | |
| - name: Create a monitoring instance | |
| run: | | |
| cat <<EOF | kubectl apply -f - | |
| kind: Secret | |
| apiVersion: v1 | |
| metadata: | |
| name: pmm-local | |
| namespace: percona-everest | |
| type: Opaque | |
| stringData: | |
| "apiKey": "dummy-key" | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| kind: MonitoringConfig | |
| apiVersion: everest.percona.com/v1alpha1 | |
| metadata: | |
| name: pmm-local | |
| namespace: percona-everest | |
| spec: | |
| type: pmm | |
| credentialsSecretName: pmm-local | |
| pmm: | |
| url: http://localhost | |
| image: percona/pmm-client:2 | |
| EOF | |
| - name: Provision Everest using CLI | |
| shell: bash | |
| run: | | |
| cd percona-everest-cli | |
| echo $(git describe --always) | |
| make build | |
| ./bin/everest install \ | |
| --name minikube \ | |
| --operator.mongodb \ | |
| --operator.postgresql \ | |
| --operator.xtradb-cluster \ | |
| --skip-wizard \ | |
| --namespace percona-everest | |
| # API_TOKEN is used later by "make test" | |
| echo "API_TOKEN=$(./bin/everest token reset --namespace percona-everest --json | jq .token -r)" >> $GITHUB_ENV | |
| - name: Provision monitoring | |
| shell: bash | |
| continue-on-error: true | |
| run: | | |
| cd percona-everest-cli | |
| while true; do kubectl port-forward -n percona-everest deployment/percona-everest 8080:8080; done & | |
| sleep 2 | |
| ./bin/everest monitoring enable \ | |
| --everest-url http://127.0.0.1:8080 \ | |
| --everest-token $API_TOKEN \ | |
| --instance-name pmm-local \ | |
| --skip-wizard | |
| - name: Patch Everest Deployment to use the PR image | |
| run: | | |
| kubectl -n percona-everest patch deployment percona-everest --type strategic --patch-file dev/patch-deployment-image.yaml | |
| kubectl -n percona-everest rollout status deploy/percona-everest --timeout=120s | |
| - name: Expose Everest backend | |
| run: | | |
| kubectl port-forward --namespace percona-everest deployment/percona-everest 8080:8080 & | |
| - name: Run integration tests | |
| run: | | |
| cd api-tests | |
| make init | |
| make test | |
| - name: Run debug commands on failure | |
| if: ${{ failure() }} | |
| run: | | |
| kubectl -n percona-everest describe pods | |
| kubectl -n percona-everest logs deploy/percona-everest |