-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(all): establish new build process
Signed-off-by: Oliver Bähler <[email protected]>
- Loading branch information
1 parent
adc0d33
commit dbb7d11
Showing
25 changed files
with
818 additions
and
253 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
<!-- | ||
Read the contribution guidelines before creating a pull request. | ||
https://github.com/projectcapsule/capsule-proxy/blob/main/CONTRIBUTING.md | ||
Thanks for spending some time for improving and fixing Capsule! | ||
--> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
name: Checks if an input is defined | ||
|
||
description: Checks if an input is defined and outputs 'true' or 'false'. | ||
|
||
inputs: | ||
value: | ||
description: value to test | ||
required: true | ||
|
||
outputs: | ||
result: | ||
description: outputs 'true' or 'false' if input value is defined or not | ||
value: ${{ steps.check.outputs.result }} | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
- shell: bash | ||
id: check | ||
run: | | ||
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
name: Setup caches | ||
|
||
description: Setup caches for go modules and build cache. | ||
|
||
inputs: | ||
build-cache-key: | ||
description: build cache prefix | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 | ||
with: | ||
path: ~/go/pkg/mod | ||
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} | ||
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 | ||
if: ${{ inputs.build-cache-key }} | ||
with: | ||
path: ~/.cache/go-build | ||
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
remote: origin | ||
target-branch: master | ||
target-branch: main | ||
chart-dirs: | ||
- charts | ||
helm-extra-args: "--timeout 600s" | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: gomod | ||
directory: / | ||
schedule: | ||
interval: weekly | ||
rebase-strategy: disabled | ||
commit-message: | ||
prefix: "feat(deps)" | ||
- package-ecosystem: github-actions | ||
directory: / | ||
schedule: | ||
interval: weekly | ||
rebase-strategy: disabled | ||
commit-message: | ||
prefix: "ci(deps)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
name: Check actions | ||
permissions: {} | ||
|
||
on: | ||
pull_request: | ||
branches: [ "*" ] | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
check: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Ensure SHA pinned actions | ||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4 | ||
with: | ||
# slsa-github-generator requires using a semver tag for reusable workflows. | ||
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators | ||
allowlist: | | ||
slsa-framework/slsa-github-generator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
name: Check Commit | ||
permissions: {} | ||
|
||
on: | ||
pull_request: | ||
branches: [ "*" ] | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
commit_lint: | ||
runs-on: ubuntu-20.04 | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
with: | ||
fetch-depth: 0 | ||
- uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3 | ||
with: | ||
firstParent: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
name: "Check Pull Request" | ||
|
||
on: | ||
pull_request_target: | ||
types: | ||
- opened | ||
- edited | ||
- synchronize | ||
|
||
permissions: | ||
pull-requests: write | ||
|
||
jobs: | ||
main: | ||
name: Validate PR title | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
types: | | ||
chore | ||
ci | ||
docs | ||
feat | ||
fix | ||
test | ||
sec | ||
requireScope: false | ||
wip: false | ||
# If the PR only contains a single commit, the action will validate that | ||
# it matches the configured pattern. | ||
validateSingleCommit: true | ||
# Related to `validateSingleCommit` you can opt-in to validate that the PR | ||
# title matches a single commit to avoid confusion. | ||
validateSingleCommitMatchesPrTitle: true |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
name: Codecov | ||
permissions: {} | ||
|
||
on: | ||
pull_request: | ||
branches: [ "main" ] | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
codecov: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Setup caches | ||
uses: ./.github/actions/setup-caches | ||
timeout-minutes: 5 | ||
continue-on-error: true | ||
with: | ||
build-cache-key: codecov | ||
- name: Check secret | ||
id: checksecret | ||
uses: ./.github/actions/exists | ||
with: | ||
value: ${{ secrets.CODECOV_TOKEN }} | ||
- name: Generate Code Coverage Report | ||
if: steps.checksecret.outputs.result == 'true' | ||
run: make test | ||
- name: Upload Report to Codecov | ||
if: steps.checksecret.outputs.result == 'true' | ||
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 | ||
with: | ||
file: ./coverage.out | ||
fail_ci_if_error: true | ||
verbose: true |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
name: Publish images | ||
permissions: {} | ||
|
||
on: | ||
push: | ||
tags: | ||
- "v*" | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
publish-images: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
id-token: write | ||
outputs: | ||
capsule-digest: ${{ steps.publish-capsule.outputs.digest }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Setup caches | ||
uses: ./.github/actions/setup-caches | ||
timeout-minutes: 5 | ||
continue-on-error: true | ||
with: | ||
build-cache-key: publish-images | ||
- name: Run Trivy vulnerability (Repo) | ||
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0 | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
severity: 'CRITICAL,HIGH' | ||
- name: Install Cosign | ||
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | ||
- name: Publish Capsule | ||
id: publish-capsule | ||
uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1 | ||
with: | ||
makefile-target: ko-publish-capsule | ||
registry: ghcr.io | ||
registry-username: ${{ github.actor }} | ||
registry-password: ${{ secrets.GITHUB_TOKEN }} | ||
repository: ${{ github.repository_owner }} | ||
version: ${{ github.ref_name }} | ||
sign-image: true | ||
sbom-name: capsule | ||
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom | ||
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures | ||
main-path: ./ | ||
env: | ||
REPOSITORY: ${{ github.repository }} | ||
generate-capsule-provenance: | ||
needs: publish-images | ||
permissions: | ||
id-token: write # To sign the provenance. | ||
packages: write # To upload assets to release. | ||
actions: read # To read the workflow path. | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
image: ghcr.io/${{ github.repository_owner }}/capsule | ||
digest: "${{ needs.publish-images.outputs.capsule-digest }}" | ||
registry-username: ${{ github.actor }} | ||
secrets: | ||
registry-password: ${{ secrets.GITHUB_TOKEN }} |
Oops, something went wrong.