Update docker/login-action digest to 3b8fed7 #1442
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| jobs: | |
| build: | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: [16.x, 18.x] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Use Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - run: npm ci | |
| - run: npm run build --if-present | |
| - run: npm run lint --if-present | |
| - run: npm test | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ matrix.node-version == '16.x' }} | |
| with: | |
| name: coverage | |
| path: | | |
| coverage | |
| sonar: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: coverage | |
| path: coverage | |
| - name: SonarCloud Scan | |
| uses: SonarSource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.SONARQUBE_KEY }} | |
| build-image: | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| env: | |
| REGISTRY: 'ghcr.io' | |
| IMAGE_NAME: 'curium-rocks/k8s-validating-webhook' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@162dfdf7b9ab8be88c95b4fc982792c4c273e27a | |
| with: | |
| cosign-release: 'v1.13.1' | |
| # for multi arch container builds | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| with: | |
| platforms: all | |
| - name: Setup Docker buildx | |
| id: buildx | |
| timeout-minutes: 4 | |
| uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 | |
| - name: Log into registry | |
| timeout-minutes: 5 | |
| uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract Docker metadata | |
| id: meta | |
| timeout-minutes: 5 | |
| uses: docker/metadata-action@38b36773831fce8789962056bf155ba063580c34 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| type=raw,value={{date 'YYYYMMDD'}}-{{sha}} | |
| - name: Build Docker image | |
| id: push | |
| timeout-minutes: 25 | |
| uses: docker/build-push-action@090ca155fc9b214cbcac536c450455a0e96f52c6 | |
| with: | |
| context: . | |
| load: false | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| platforms: linux/amd64, linux/arm64 | |
| - name: Sign the published Docker image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: cosign sign --force --recursive ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} | |
| # deploy it and verify that expected things are allowed or disallowed | |
| verify: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [1.22.13, 1.23.10, 1.24.4, 1.25.0] | |
| needs: | |
| - build-image | |
| env: | |
| REGISTRY: 'ghcr.io' | |
| IMAGE_NAME: 'curium-rocks/k8s-validating-webhook' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Use Node.js 18 | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| cache: 'npm' | |
| - name: Install Dependencies | |
| run: npm ci | |
| - name: Start Minikube | |
| run: npm run minikube:start -- --kubernetes-version=${{ matrix.k8s-version }} | |
| - name: Create Pull Secret | |
| run: npm run k8s:createPullSecret --helm_namespace=default --registry_username=${{ github.actor }} --registry_password=${{ github.token }} | |
| - name: Add Helm Repos | |
| run: npm run helm:addRepos | |
| - name: Deploy CertManager | |
| run: npm run helm:deployCertManager | |
| - name: Deploy (PR) | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: npm run helm:deploy -- --set 'imagePullSecrets[0].name'=ghcr-credentials --set image.tag=pr-${{ github.event.number }} | |
| - name: Deploy (Branch) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| timeout-minutes: 10 | |
| run: npm run helm:deploy -- --set 'imagePullSecrets[0].name'=ghcr-credentials --set image.tag=main | |
| - name: Run E2E Tests | |
| run: npm run test:e2e | |
| - name: Collect Logs On Failure | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p /tmp/failure-logs | |
| minikube logs > /tmp/failure-logs/minikube.log | |
| kubectl logs deployments/k8s-validating-webhook --prefix=true --ignore-errors=true --timestamps --pod-running-timeout=60s > /tmp/failure-logs/k8s-validating-webhook.deployment.log | |
| kubectl describe deployment k8s-validating-webhook > /tmp/failure-logs/k8s-validating-webhook.deployment.describe | |
| kubectl get deployment k8s-validating-webhook -o yaml > /tmp/failure-logs/k8s-validating-webhook.deployment.yaml | |
| kubectl describe configmap k8s-validating-webhook-config > /tmp/failure-logs/k8s-validating-webhook.configmap.describe | |
| - name: Upload Logs On Failure | |
| if: ${{ failure() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ runner.name }} minikube logs | |
| path: | | |
| /tmp/failure-logs | |
| publish-chart: | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - verify | |
| timeout-minutes: 5 | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.8.1 | |
| - name: Run chart-releaser | |
| uses: helm/chart-releaser-action@v1.6.0 | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| with: | |
| charts_dir: helm |