Security via operator, OIDC trusted certificates #5081
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: | |
- 'main' | |
- '[0-9]+.[0-9]+.x' | |
pull_request: | |
branches: | |
- 'main' | |
- '[0-9]+.[0-9]+.x' | |
types: [ opened, reopened, synchronize ] | |
jobs: | |
build-images: | |
runs-on: ubuntu-24.04 | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
env: | |
PLATFORMS: linux/amd64,linux/arm64,linux/ppc64le | |
steps: | |
# ==================== Setup ==================== | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set Image Tag Env | |
run: echo "PROJECT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
- name: Operator Version Check | |
run: ./operator/bin/version-check.sh "${{ env.PROJECT_VERSION }}" | |
- name: Set Up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'adopt' | |
- name: Cache Maven Packages | |
uses: actions/cache@v4 | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-maven- | |
- name: Set Up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set Up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
driver-opts: network=host | |
# ==================== UI ==================== | |
- name: Build UI Project | |
working-directory: ui | |
run: | | |
npm ci --omit=dev | |
export BACKEND_URL=http://example | |
export CONSOLE_METRICS_PROMETHEUS_URL=http://example | |
export NEXTAUTH_SECRET=examplesecret | |
export LOG_LEVEL=info | |
export CONSOLE_MODE=read-only | |
npm run build | |
- name: Build UI Image | |
uses: docker/build-push-action@v6 | |
with: | |
context: ui/ | |
platforms: ${{ env.PLATFORMS }} | |
provenance: false | |
push: true | |
tags: | | |
localhost:5000/streamshub/console-ui:${{ env.PROJECT_VERSION }} | |
# ==================== API & Operator ==================== | |
- name: Test Projects and Build API and Operator Images | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
SONAR_ORG: ${{secrets.SONAR_ORG}} | |
SONAR_PROJECT: ${{secrets.SONAR_PROJECT}} | |
SONAR_TOKEN: ${{secrets.SONAR_TOKEN}} | |
run: | | |
# | |
# Set write-transformed-bytecode-to-build-output for IT coverage. Do NOT use the container image | |
# created by this step. | |
# | |
# See: https://quarkus.io/guides/tests-with-coverage#coverage-for-integration-tests | |
# | |
export QUARKUS_CONTAINER_IMAGE_REGISTRY="localhost:5000" | |
export QUARKUS_CONTAINER_IMAGE_PUSH=true | |
export QUARKUS_CONTAINER_IMAGE_TAG="${{ env.PROJECT_VERSION }}" | |
export QUARKUS_KUBERNETES_VERSION="${{ env.PROJECT_VERSION }}" | |
mvn verify -P container-image -B --no-transfer-progress \ | |
-Dquarkus.kubernetes.namespace='$${NAMESPACE}' \ | |
-Dquarkus.package.write-transformed-bytecode-to-build-output=true \ | |
-Dquarkus.docker.buildx.platform=${{ env.PLATFORMS }} | |
# ==================== Operator-Bundle ==================== | |
- name: Modify Bundle CSV Metadata | |
run: ./operator/bin/modify-bundle-metadata.sh "VERSION=${{ env.PROJECT_VERSION }}" | |
- name: Build Operator Bundle Image | |
uses: docker/build-push-action@v6 | |
with: | |
context: operator/target/bundle/streamshub-console-operator/ | |
platforms: ${{ env.PLATFORMS }} | |
provenance: false | |
push: true | |
file: operator/target/bundle/streamshub-console-operator/bundle.Dockerfile | |
tags: | | |
localhost:5000/streamshub/console-operator-bundle:${{ env.PROJECT_VERSION }} | |
# ==================== Operator-Catalog ==================== | |
- name: Generate Operator Catalog Config | |
run: | | |
curl -L -o opm https://github.com/operator-framework/operator-registry/releases/download/v1.43.1/linux-amd64-opm | |
chmod +x opm | |
sudo cp -v opm /usr/bin/ | |
rm -vf opm | |
operator/bin/generate-catalog.sh localhost:5000/streamshub/console-operator-bundle true | |
- name: Build Operator Catalog Image | |
uses: docker/build-push-action@v6 | |
with: | |
context: operator/ | |
platforms: ${{ env.PLATFORMS }} | |
network: none | |
provenance: false | |
push: true | |
file: operator/src/main/docker/catalog.Dockerfile | |
tags: | | |
localhost:5000/streamshub/console-operator-catalog:${{ env.PROJECT_VERSION }} | |
# ==================== Archive artifacts ==================== | |
- name: Archive Operator Kubernetes Resources | |
uses: actions/upload-artifact@v4 | |
with: | |
name: k8s-resources | |
path: | | |
operator/target/bundle/ | |
operator/target/catalog/ | |
operator/target/kubernetes/*.yml | |
- name: Archive Failed Tests Results | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: artifacts | |
path: api/target/failsafe-reports/ | |
## Save the context information for use in Sonar analysis | |
- name: Save Build Context | |
run: | | |
mkdir -vp target | |
echo "$GITHUB_CONTEXT" > target/build-context.json | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
## Attach the target directory for use in Sonar analysis | |
- name: Archive Build Output | |
uses: actions/upload-artifact@v4 | |
with: | |
name: target | |
path: | | |
**/target/ | |
!**/target/**/*.jar | |
!**/target/failsafe-reports/**/* | |
!**/target/surefire-reports/**/* | |
- name: Save [UI, API, Operator, Operator-Bundle, Operator-Catalog] Images To Files | |
run: | | |
mkdir streamshub-images | |
for img in console-ui console-api console-operator console-operator-bundle console-operator-catalog ; do | |
skopeo sync --all --scoped --src docker --src-tls-verify=false --dest dir \ | |
localhost:5000/streamshub/${img}:${{ env.PROJECT_VERSION }} \ | |
$(pwd)/streamshub-images | |
done | |
tar -czf streamshub-images.tgz -C streamshub-images . | |
- name: Archive [UI, API, Operator-Bundle, Operator, Operator-Catalog] Image Files | |
uses: actions/upload-artifact@v4 | |
with: | |
name: streamshub-images | |
path: streamshub-images.tgz | |
test-storybook: | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build Storybook | |
working-directory: ./ui | |
run: | | |
npm ci | |
npx playwright install | |
npm run build-storybook | |
- name: Test Storybook | |
working-directory: ./ui | |
run: | | |
npx --yes concurrently -k -s first -n "SB,TEST" -c "magenta,blue" \ | |
"npx http-server storybook-static --port 6006 --silent" \ | |
"npx wait-on tcp:127.0.0.1:6006 && npm run test-storybook" | |
Playwright: | |
if: ${{ contains(github.event.pull_request.labels.*.name, 'safe to test') || github.repository == 'streamshub/console' }} | |
uses: ./.github/workflows/playwright-tests.yml | |
needs: | |
- build-images |