Skip to content

Commit

Permalink
feat(all): establish new build process
Browse files Browse the repository at this point in the history
Signed-off-by: Oliver Bähler <[email protected]>
  • Loading branch information
oliverbaehler authored and prometherion committed Oct 27, 2023
1 parent adc0d33 commit dbb7d11
Show file tree
Hide file tree
Showing 25 changed files with 818 additions and 253 deletions.
7 changes: 7 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
<!--
Read the contribution guidelines before creating a pull request.
https://github.com/projectcapsule/capsule-proxy/blob/main/CONTRIBUTING.md
Thanks for spending some time for improving and fixing Capsule!
-->
21 changes: 21 additions & 0 deletions .github/actions/exists/action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Checks if an input is defined

description: Checks if an input is defined and outputs 'true' or 'false'.

inputs:
value:
description: value to test
required: true

outputs:
result:
description: outputs 'true' or 'false' if input value is defined or not
value: ${{ steps.check.outputs.result }}

runs:
using: composite
steps:
- shell: bash
id: check
run: |
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
20 changes: 20 additions & 0 deletions .github/actions/setup-caches/action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Setup caches

description: Setup caches for go modules and build cache.

inputs:
build-cache-key:
description: build cache prefix

runs:
using: composite
steps:
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
if: ${{ inputs.build-cache-key }}
with:
path: ~/.cache/go-build
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
2 changes: 1 addition & 1 deletion .github/configs/ct.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
remote: origin
target-branch: master
target-branch: main
chart-dirs:
- charts
helm-extra-args: "--timeout 600s"
Expand Down
16 changes: 16 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
rebase-strategy: disabled
commit-message:
prefix: "feat(deps)"
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
rebase-strategy: disabled
commit-message:
prefix: "ci(deps)"
24 changes: 24 additions & 0 deletions .github/workflows/check-actions.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: Check actions
permissions: {}

on:
pull_request:
branches: [ "*" ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
allowlist: |
slsa-framework/slsa-github-generator
21 changes: 21 additions & 0 deletions .github/workflows/check-commit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Check Commit
permissions: {}

on:
pull_request:
branches: [ "*" ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
commit_lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
with:
firstParent: true
37 changes: 37 additions & 0 deletions .github/workflows/check-pr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
name: "Check Pull Request"

on:
pull_request_target:
types:
- opened
- edited
- synchronize

permissions:
pull-requests: write

jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: |
chore
ci
docs
feat
fix
test
sec
requireScope: false
wip: false
# If the PR only contains a single commit, the action will validate that
# it matches the configured pattern.
validateSingleCommit: true
# Related to `validateSingleCommit` you can opt-in to validate that the PR
# title matches a single commit to avoid confusion.
validateSingleCommitMatchesPrTitle: true
23 changes: 0 additions & 23 deletions .github/workflows/ci.yaml

This file was deleted.

38 changes: 38 additions & 0 deletions .github/workflows/codecov.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: Codecov
permissions: {}

on:
pull_request:
branches: [ "main" ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
codecov:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: codecov
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Generate Code Coverage Report
if: steps.checksecret.outputs.result == 'true'
run: make test
- name: Upload Report to Codecov
if: steps.checksecret.outputs.result == 'true'
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true
97 changes: 0 additions & 97 deletions .github/workflows/docker-ci.yaml

This file was deleted.

69 changes: 69 additions & 0 deletions .github/workflows/docker-publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: Publish images
permissions: {}

on:
push:
tags:
- "v*"

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
publish-images:
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
outputs:
capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: publish-images
- name: Run Trivy vulnerability (Repo)
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Publish Capsule
id: publish-capsule
uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
with:
makefile-target: ko-publish-capsule
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository_owner }}
version: ${{ github.ref_name }}
sign-image: true
sbom-name: capsule
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./
env:
REPOSITORY: ${{ github.repository }}
generate-capsule-provenance:
needs: publish-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read # To read the workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ghcr.io/${{ github.repository_owner }}/capsule
digest: "${{ needs.publish-images.outputs.capsule-digest }}"
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
Loading

0 comments on commit dbb7d11

Please sign in to comment.