Skip to content

Vulnerability Scanning Implementation for container images #3067

Vulnerability Scanning Implementation for container images

Vulnerability Scanning Implementation for container images #3067

Workflow file for this run

name: Unit, Integration, and E2E Tests
on:
pull_request:
branches:
- main
push:
paths-ignore:
- 'README.md'
- 'docs/**'
branches:
- main
jobs:
unit:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: '1.20.x'
cache: true
check-latest: true
- name: Install Trivy
run: make install-trivy
- name: Build
run: make build
- name: Test
run: make test-unit-coverage
test-docker-build:
runs-on: ubuntu-latest
strategy:
fail-fast: true
max-parallel: 4
matrix:
image:
- base
- git
- image-processing
- waiter
steps:
- uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to container registry
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login -u ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Build Image
working-directory: images/${{ matrix.image }}
run: |
NAMESPACE=$(tr '[:upper:]' '[:lower:]' <<<${{ github.repository_owner }})
IMAGE=test-build/base-${{ matrix.image }} NAMESPACE="${NAMESPACE}" docker buildx bake --file ../docker-bake.hcl
integration:
strategy:
fail-fast: false
matrix:
kubernetes:
- v1.25.11
- v1.28.0
max-parallel: 2
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: '1.20.x'
cache: true
check-latest: true
- name: Install Ko
uses: ko-build/[email protected]
with:
version: v0.14.1
- name: Install kubectl
uses: azure/setup-kubectl@v3
with:
version: ${{ matrix.kubernetes }}
- name: Create kind cluster
uses: helm/kind-action@v1
with:
version: v0.20.0
node_image: kindest/node:${{ matrix.kubernetes }}
cluster_name: kind
wait: 120s
- name: Verify kind cluster
run: |
echo "# Using KinD context..."
kubectl config use-context "kind-kind"
echo "# KinD nodes:"
kubectl get nodes
NODE_STATUS=$(kubectl get node kind-control-plane -o json | jq -r .'status.conditions[] | select(.type == "Ready") | .status')
if [ "${NODE_STATUS}" != "True" ]; then
echo "# Node is not ready:"
kubectl describe node kind-control-plane
echo "# Pods:"
kubectl get pod -A
echo "# Events:"
kubectl get events -A
exit 1
fi
- name: Install Tekton
run: |
make kind-tekton
kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-controller --timeout=1m
kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-webhook --timeout=1m
- name: Test
run: |
# host.docker.internal does not work in a GitHub action
docker exec kind-control-plane bash -c "echo '172.17.0.1 host.docker.internal' >>/etc/hosts"
# Build and load the Git image
export GIT_CONTAINER_IMAGE="$(KO_DOCKER_REPO=kind.local ko publish ./cmd/git)"
make test-integration
e2e:
strategy:
fail-fast: false
matrix:
kubernetes:
- v1.25.11
- v1.28.0
max-parallel: 2
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@09ba4bd25af416c42e0142983065fcca855807a5
with:
root-reserve-mb: 30720
swap-size-mb: 1024
remove-android: "true"
remove-codeql: "true"
remove-docker-images: "true"
remove-dotnet: "true"
remove-haskell: "true"
- name: Check out code
uses: actions/checkout@v3
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: '1.20.x'
cache: true
check-latest: true
- name: Install kubectl
uses: azure/setup-kubectl@v3
with:
version: ${{ matrix.kubernetes }}
- name: Create kind cluster
uses: helm/kind-action@v1
with:
version: v0.20.0
node_image: kindest/node:${{ matrix.kubernetes }}
cluster_name: kind
config: test/kind/config.yaml
wait: 120s
- name: Verify kind cluster
run: |
echo "# Using KinD context..."
kubectl config use-context "kind-kind"
echo "# KinD nodes:"
kubectl get nodes
NODE_STATUS=$(kubectl get node kind-control-plane -o json | jq -r .'status.conditions[] | select(.type == "Ready") | .status')
if [ "${NODE_STATUS}" != "True" ]; then
echo "# Node is not ready:"
kubectl describe node kind-control-plane
echo "# Pods:"
kubectl get pod -A
echo "# Events:"
kubectl get events -A
exit 1
fi
- name: Install Tekton
run: |
make kind-tekton
kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-controller --timeout=1m
kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-webhook --timeout=1m
- name: Install Registry
run: |
kubectl apply -f test/data/registry.yaml
kubectl -n registry rollout status deployment registry --timeout=1m
- name: Install Ko
uses: ko-build/[email protected]
with:
version: v0.14.1
- name: Install Shipwright Build
run: |
make install-controller-kind
kubectl -n shipwright-build rollout status deployment shipwright-build-controller --timeout=1m || true
kubectl -n shipwright-build rollout status deployment shipwright-build-webhook --timeout=1m || true
- name: Test
run: |
kubectl create namespace shp-e2e
export TEST_NAMESPACE=shp-e2e
export TEST_IMAGE_REPO=registry.registry.svc.cluster.local:32222/shipwright-io/build-e2e
export TEST_IMAGE_REPO_INSECURE=true
export TEST_E2E_TIMEOUT_MULTIPLIER=2
make test-e2e
- name: Build controller logs
if: ${{ failure() }}
run: |
echo "# Pods:"
kubectl -n shipwright-build get pod
PODS=$(kubectl -n shipwright-build get pod -o json)
POD_NAME=$(echo "${PODS}" | jq -r '.items[] | select(.metadata.name | startswith("shipwright-build-controller-")) | .metadata.name')
if [ "${POD_NAME}" != "" ]; then
RESTART_COUNT=$(echo "${PODS}" | jq -r ".items[] | select(.metadata.name == \"${POD_NAME}\") | .status.containerStatuses[0].restartCount")
if [ "${RESTART_COUNT}" != "0" ]; then
echo "# Previous logs:"
kubectl -n shipwright-build logs "${POD_NAME}" --previous || true
fi
echo "# Logs:"
kubectl -n shipwright-build logs "${POD_NAME}"
else
echo "# Pod is missing, there are no logs to retrieve, bailing out..."
fi