diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
new file mode 100644
index 0000000000..9ebda9579b
--- /dev/null
+++ b/.github/workflows/alpha.yaml
@@ -0,0 +1,386 @@
+name: alpha
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+
+ generate-schema:
+ runs-on: ubuntu-18.04
+ container:
+ image: schemahero/schemahero:0.12.2
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Generate fixtures
+ run: |
+ /schemahero fixtures \
+ --input-dir ./migrations/tables \
+ --output-dir ./migrations/fixtures/schema \
+ --dbname ship-cloud --driver postgres
+
+ - name: Upload schema artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: schema
+ path: ./migrations/fixtures/schema/fixtures.sql
+
+
+ generate-fixtures:
+ runs-on: ubuntu-18.04
+ needs: [generate-schema]
+ container:
+ image: replicated/gitops-builder:buildkite
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Download schema artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: schema
+ path: ./migrations/fixtures/schema
+
+ - name: Build fixtures
+ run: make -C migrations/fixtures deps build run
+
+ - name: Upload fixtures artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: fixtures
+ path: ./migrations/fixtures/fixtures.sql
+
+
+ publish-fixtures:
+ runs-on: ubuntu-18.04
+ needs: [generate-fixtures]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - uses: azure/docker-login@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Download fixtures artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: fixtures
+ path: ./migrations/fixtures
+
+ - name: Publish fixtures
+ run: |
+ make -C migrations/fixtures publish
+
+
+ build-schema-migrations:
+ runs-on: ubuntu-18.04
+ needs: [publish-fixtures]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - uses: azure/docker-login@v1
+ env:
+ DOCKER_CONFIG: ./migrations/.docker
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Build
+ env:
+ DOCKER_CONFIG: ./.docker
+ run: |
+ make -C migrations schema-alpha
+
+
+ test_web:
+ runs-on: ubuntu-18.04
+ needs: [build-schema-migrations]
+ container:
+ image: replicated/gitops-builder:buildkite
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@v2
+ with:
+ node-version: '10'
+
+ - name: Install cross-env
+ run: npm i -g cross-env
+ shell: bash
+
+ # - name: Test web
+ # env:
+ # PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
+ # PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}
+ # run: |
+ # make -C kotsadm/web deps test publish-pact
+
+ # TODO: migrate retry logic for pacts
+ # retry:
+ # automatic:
+ # # this command exiting with status 2 typically means that the yarn package failed to download
+ # - exit_status: 2
+ # limit: 5
+
+
+ build_web:
+ runs-on: ubuntu-18.04
+ needs: [build-schema-migrations]
+ container:
+ image: replicated/gitops-builder:buildkite
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@v2
+ with:
+ node-version: '10'
+
+ - name: Build web
+ env:
+ GIT_COMMIT: ${{ github.sha }}
+ GIT_TAG: ""
+ run: make -C web deps build-kotsadm
+ ## TODO: retry logic
+ # retry:
+ # automatic:
+ # # this command exiting with status 2 typically means that the yarn package failed to download
+ # - exit_status: 2
+ # limit: 5
+
+ - name: Upload web artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: web
+ path: ./web/dist
+
+
+ build_kurl_proxy:
+ runs-on: ubuntu-18.04
+ needs: [build-schema-migrations]
+ container:
+ image: replicated/gitops-builder:buildkite-go14-node10
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.3'
+
+ - name: Build kurl_proxy
+ env:
+ GIT_COMMIT: ${{ github.sha }}
+ GIT_TAG: ""
+ SCOPE_DSN_PUBLIC: ""
+ run: make -C kurl_proxy test build
+
+ - name: Upload kurl_proxy artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: kurl_proxy
+ path: ./kurl_proxy/bin
+
+
+ build_go_api:
+ runs-on: ubuntu-18.04
+ needs: [test_web, build_web, build_kurl_proxy]
+ container:
+ image: replicated/gitops-builder:buildkite-go14-node10
+ options: --user root
+ steps:
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.3'
+
+ - id: go-cache-paths
+ run: |
+ echo "::set-output name=go-build::$(go env GOCACHE)"
+ echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+ - name: Checkout
+ uses: actions/checkout@v1 # not @v2 because of: https://github.com/actions/checkout/issues/126
+
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-build }}
+ key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-mod }}
+ key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+ - name: Download web artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: web
+ path: ./web/dist
+
+ - name: Build Go API
+ env:
+ GIT_COMMIT: ${{ github.sha }}
+ # GITHUB_SHA: ${{ github.sha }}
+ GIT_TAG: ""
+ # GITHUB_REPOSITORY:
+ # GITHUB_WORKSPACE:
+ SCOPE_DSN_PUBLIC: ""
+ run: make test kotsadm
+
+ - name: Upload Go API artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: go_api
+ path: ./bin
+
+
+ release_go_api_alpha:
+ runs-on: ubuntu-18.04
+ needs: [build_web, build_go_api]
+ steps:
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.3'
+
+ - id: go-cache-paths
+ run: |
+ echo "::set-output name=go-build::$(go env GOCACHE)"
+ echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-build }}
+ key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-mod }}
+ key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+ - name: Download go_api artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: go_api
+ path: ./bin
+
+ - name: Add executable permissions
+ run: chmod a+x ./bin/kotsadm
+
+ - uses: azure/docker-login@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Build alpha release
+ env:
+ GIT_COMMIT: ${{ github.sha }}
+ run: |
+ make build-alpha
+
+
+ release_go_api_tagged:
+ runs-on: ubuntu-18.04
+ needs: [build_web, build_go_api]
+ steps:
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.3'
+
+ - id: go-cache-paths
+ run: |
+ echo "::set-output name=go-build::$(go env GOCACHE)"
+ echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-build }}
+ key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-mod }}
+ key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+ - uses: azure/docker-login@v1
+ env:
+ DOCKER_CONFIG: ./.docker
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+
+ build_kurl_proxy_alpha:
+ runs-on: ubuntu-18.04
+ needs: [build_kurl_proxy]
+ steps:
+ - uses: azure/docker-login@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.3'
+
+ - id: go-cache-paths
+ run: |
+ echo "::set-output name=go-build::$(go env GOCACHE)"
+ echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-build }}
+ key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+ - uses: actions/cache@v2
+ with:
+ path: ${{ steps.go-cache-paths.outputs.go-mod }}
+ key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+ - name: Download kurl_proxy artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: kurl_proxy
+ path: ./kurl_proxy/bin
+
+ - name: Add executable permissions
+ run: chmod a+x ./kurl_proxy/bin/kurl_proxy
+
+ - name: Build alpha release
+ env:
+ GIT_COMMIT: ${{ github.sha }}
+ run: |
+ make -C kurl_proxy build-alpha
+
+
+ build_kurl_addon_alpha:
+ runs-on: ubuntu-18.04
+ needs: [release_go_api_alpha, build_kurl_proxy_alpha]
+ steps:
+ - name: Build kURL addon alpha package
+ env:
+ GH_PAT: ${{ secrets.GH_PAT }}
+ run: |
+ package=kotsadm-alpha.tar.gz
+ curl -H "Authorization: token $GH_PAT" \
+ -H 'Accept: application/json' \
+ -d "{\"event_type\": \"build-package-staging\", \"client_payload\": {\"package\": \"${package}\"}}" \
+ "https://api.github.com/repos/replicatedhq/kurl/dispatches"
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 7ca6873fe8..6b75b1f886 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -152,14 +152,6 @@ jobs: context: ./ file: ./deploy/Dockerfile push: true - - name: Scan kotsadm for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: ttl.sh/automated-${{ github.run_id }}/kotsadm:2h - format: 'table' - exit-code: '0' - ignore-unfixed: true - severity: 'CRITICAL,HIGH,MEDIUM' build-kurl-proxy:
@@ -206,14 +198,7 @@ jobs: context: ./kurl_proxy file: ./kurl_proxy/deploy/Dockerfile push: true - - name: Scan kurl_proxy for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: ttl.sh/automated-${{ github.run_id }}/kurl-proxy:2h - format: 'table' - exit-code: '0' - ignore-unfixed: true - severity: 'CRITICAL,HIGH,MEDIUM' + build-migrations: runs-on: ubuntu-18.04
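Review bot: The `release_go_api_tagged` job in this new workflow ends right after its `azure/docker-login@v1` step and never builds or pushes anything, so on every master push it spends a runner and materialises `DOCKERHUB_USER`/`DOCKERHUB_PASSWORD` for no output; either remove the job or add the build step it appears to have been copied for. `test_web` similarly has its only test step commented out, yet `build_go_api` lists it in `needs`, so that dependency currently gates on a no-op. The login steps that set `DOCKER_CONFIG: ./migrations/.docker` and `./.docker` write the registry `config.json` inside the checked-out tree; confirm the migrations `.dockerignore` excludes that directory so the credentials cannot be picked up by the image build context. Separately, `node-version: '10'` pins an end-of-life Node release for `test_web` and `build_web`; a supported line would avoid carrying unpatched toolchain issues into the alpha images.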
@@ -257,14 +242,6 @@ jobs: context: ./migrations file: ./migrations/deploy/Dockerfile push: true - - name: Scan migrations for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: ttl.sh/automated-${{ github.run_id }}/kotsadm-migrations:2h - format: 'table' - exit-code: '0' - ignore-unfixed: true - severity: 'CRITICAL,HIGH,MEDIUM' push-minio: @@ -276,14 +253,6 @@ jobs: docker pull minio/minio:RELEASE.2021-08-05T22-01-19Z docker tag minio/minio:RELEASE.2021-08-05T22-01-19Z ttl.sh/automated-${{ github.run_id }}/minio:2h docker push ttl.sh/automated-${{ github.run_id }}/minio:2h - - name: Scan minio for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: ttl.sh/automated-${{ github.run_id }}/minio:2h - format: 'table' - exit-code: '0' - ignore-unfixed: true - severity: 'CRITICAL,HIGH,MEDIUM' push-postgres: @@ -295,14 +264,6 @@ jobs: docker pull postgres:10.17-alpine docker tag postgres:10.17-alpine ttl.sh/automated-${{ github.run_id }}/postgres:2h docker push ttl.sh/automated-${{ github.run_id }}/postgres:2h - - name: Scan postgres for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - image-ref: ttl.sh/automated-${{ github.run_id }}/postgres:2h - format: 'table' - exit-code: '0' - ignore-unfixed: true - severity: 'CRITICAL,HIGH,MEDIUM' validate-legacy: diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml deleted file mode 100644 index 2342678b1f..0000000000 --- a/.github/workflows/deploy.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -name: deploy -on: - push: - tags: - - "v*.*.*" - -jobs: - goreleaser: - runs-on: ubuntu-18.04 - steps: - - id: go-cache-paths - run: | - echo "::set-output name=go-build::$(go env GOCACHE)" - echo "::set-output name=go-mod::$(go env GOMODCACHE)" - - - name: Checkout - uses: actions/checkout@v2 - - - uses: actions/cache@v2 - with: - path: ${{ steps.go-cache-paths.outputs.go-build }} - key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }} - - uses: actions/cache@v2 - with: - path: ${{ steps.go-cache-paths.outputs.go-mod }} - key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} - - - name: Unshallow - run: git fetch --prune --unshallow - - - uses: actions/setup-go@v2 - with: - go-version: '^1.16.3' - - - run: sudo apt-get update -y - - run: sudo apt-get -qq -y install gnupg2 libdevmapper-dev libgpgme-dev libc6-dev-i386 btrfs-progs btrfs-tools pkg-config - - name: set previous release tag for goreleaser - shell: bash - run: | - export TAG=$(curl --silent "https://api.github.com/repos/replicatedhq/kots/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")') - echo "GORELEASER_PREVIOUS_TAG=${TAG}" >> $GITHUB_ENV - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v2 - with: - version: "v0.166.1" - args: release --rm-dist --config deploy/.goreleaser.yaml - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/kotsadm.yaml b/.github/workflows/release.yaml similarity index 81% rename from .github/workflows/kotsadm.yaml rename to .github/workflows/release.yaml index 7e53debe8c..d00fb03644 100644 --- a/.github/workflows/kotsadm.yaml +++ b/.github/workflows/release.yaml @@ -1,15 +1,12 @@ -name: kotsadm-build +name: release on: push: - branches: - - "**" tags: - "v*.*.*" jobs: - generate-schema: runs-on: ubuntu-18.04 container: 
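Review bot: With the branch trigger removed, any push of a tag matching `v*.*.*` now drives the whole release path (Docker Hub pushes, GoReleaser, `build_airgap`, the kURL addon PR) using `DOCKERHUB_*`, `GH_PAT` and `REPLICATEDCOM_GITHUB_PRIVATE_KEY`, yet the workflow still declares no `permissions:` block, so `GITHUB_TOKEN` runs with the repository default scope in every job. Add a top-level `permissions: contents: read` and grant only what each job needs: `contents: write` for `goreleaser` and `build_airgap`, `security-events: write` for the `upload-sarif` scan jobs. Because any account with write access can create a matching tag, a tag protection rule or a GitHub environment with required reviewers on the publishing jobs would add a cheap second gate in front of the secrets.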
@@ -76,11 +73,6 @@ jobs: name: fixtures path: ./migrations/fixtures - - name: Publish fixtures - if: ${{ github.ref == 'refs/heads/master' }} - run: | - make -C migrations/fixtures publish - build-schema-migrations: runs-on: ubuntu-18.04 @@ -100,15 +92,7 @@ jobs: id: get_tag uses: ./actions/version-tag - - name: Build - if: ${{ github.ref == 'refs/heads/master' }} - env: - DOCKER_CONFIG: ./.docker - run: | - make -C migrations schema-alpha - - name: "Release schema migrations on tag" - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} env: GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} DOCKER_CONFIG: ./.docker @@ -117,7 +101,6 @@ jobs: command: "make -C migrations schema-release" - name: Upload airgap image - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} uses: actions/upload-artifact@v2 with: name: migrations-image 
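Review bot: Dropping `if: ${{ steps.get_tag.outputs.GIT_TAG != '' }}` from "Release schema migrations on tag" and "Upload airgap image" leaves no check that `./actions/version-tag` actually produced a value; the same guard is removed in the `release_go_api_tagged`, `build_kurl_proxy_tagged`, `build_airgap`, `copy_nightly` and `generate-kurl-addon-pr` hunks later in this file. The `v*.*.*` trigger presumably makes an empty output unlikely, but if the action does emit an empty string these steps would now push a reference such as `kotsadm/kotsadm-migrations:` instead of failing. A single fail-fast step after each "Get tags" step restores the guarantee without per-step conditions: `- run: test -n "$GIT_TAG"` with `env: GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }}`, keeping the value in `env` rather than interpolating `${{ }}` into `run`.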
@@ -283,53 +266,6 @@ jobs: path: ./bin - release_go_api_alpha: - runs-on: ubuntu-18.04 - if: ${{ github.ref == 'refs/heads/master' }} - needs: [build_web, build_go_api] - steps: - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: '^1.16.3' - - - id: go-cache-paths - run: | - echo "::set-output name=go-build::$(go env GOCACHE)" - echo "::set-output name=go-mod::$(go env GOMODCACHE)" - - name: Checkout - uses: actions/checkout@v2 - - - uses: actions/cache@v2 - with: - path: ${{ steps.go-cache-paths.outputs.go-build }} - key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }} - - uses: actions/cache@v2 - with: - path: ${{ steps.go-cache-paths.outputs.go-mod }} - key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} - - - name: Download go_api artifact - uses: actions/download-artifact@v2 - with: - name: go_api - path: ./bin - - - name: Add executable permissions - run: chmod a+x ./bin/kotsadm - - - uses: azure/docker-login@v1 - with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - - name: Build alpha release - env: - GIT_COMMIT: ${{ github.sha }} - run: | - make build-alpha - - release_go_api_tagged: runs-on: ubuntu-18.04 needs: [build_web, build_go_api] @@ -360,14 +296,12 @@ jobs: uses: ./actions/version-tag - name: Download go_api artifact - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} uses: actions/download-artifact@v2 with: name: go_api path: ./bin - name: Add executable permissions - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} run: chmod a+x ./bin/kotsadm - uses: azure/docker-login@v1 @@ -378,7 +312,6 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build tagged release - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} env: GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} DOCKER_CONFIG: ./.docker 
@@ -387,16 +320,14 @@ jobs: command: "make build-release" - name: Upload airgap image - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} uses: actions/upload-artifact@v2 with: name: kotsadm-image path: ./bin/docker-archive - build_kurl_proxy_alpha: + build_kurl_proxy_tagged: runs-on: ubuntu-18.04 - if: ${{ github.ref == 'refs/heads/master' }} needs: [build_kurl_proxy] steps: - uses: azure/docker-login@v1 @@ -425,6 +356,10 @@ jobs: path: ${{ steps.go-cache-paths.outputs.go-mod }} key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} + - name: Get tags + id: get_tag + uses: ./actions/version-tag + - name: Download kurl_proxy artifact uses: actions/download-artifact@v2 with: @@ -434,31 +369,21 @@ jobs: - name: Add executable permissions run: chmod a+x ./kurl_proxy/bin/kurl_proxy - - name: Build alpha release + - name: Build tagged release env: - GIT_COMMIT: ${{ github.sha }} + GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} run: | - make -C kurl_proxy build-alpha + make -C kurl_proxy build-release - build_kurl_proxy_tagged: + goreleaser: runs-on: ubuntu-18.04 - needs: [build_kurl_proxy] steps: - - uses: azure/docker-login@v1 - with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: '^1.16.3' - - id: go-cache-paths run: | echo "::set-output name=go-build::$(go env GOCACHE)" echo "::set-output name=go-mod::$(go env GOMODCACHE)" + - name: Checkout uses: actions/checkout@v2 
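Review bot: The new `goreleaser` job carries no `needs`, so on a tag push the GitHub release is created concurrently with, and independently of, `release_go_api_tagged` and `build_kurl_proxy_tagged`; if either of those fails the release still goes out, minus the assets `build_airgap` would later attach. If the intent is that a release only exists once the images have been published, add `needs: [release_go_api_tagged, build_kurl_proxy_tagged]` to `goreleaser`. The job's remaining steps continue in the next hunk.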
@@ -471,43 +396,72 @@ jobs: path: ${{ steps.go-cache-paths.outputs.go-mod }} key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} + - name: Unshallow + run: git fetch --prune --unshallow + + - uses: actions/setup-go@v2 + with: + go-version: '^1.16.3' + + - run: sudo apt-get update -y + - run: sudo apt-get -qq -y install gnupg2 libdevmapper-dev libgpgme-dev libc6-dev-i386 btrfs-progs btrfs-tools pkg-config + - name: set previous release tag for goreleaser + shell: bash + run: | + export TAG=$(curl --silent "https://api.github.com/repos/replicatedhq/kots/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")') + echo "GORELEASER_PREVIOUS_TAG=${TAG}" >> $GITHUB_ENV + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v2 + with: + version: "v0.166.1" + args: release --rm-dist --config deploy/.goreleaser.yaml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + + build_airgap: + runs-on: ubuntu-18.04 + needs: [release_go_api_tagged, goreleaser] + steps: + - name: Checkout + uses: actions/checkout@v2 - name: Get tags id: get_tag uses: ./actions/version-tag - - name: Download kurl_proxy artifact - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} + - name: Download migrations uses: actions/download-artifact@v2 with: - name: kurl_proxy - path: ./kurl_proxy/bin + name: migrations-image + path: ./docker-archive - - name: Add executable permissions - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - run: chmod a+x ./kurl_proxy/bin/kurl_proxy + - name: Download kotsadm image + uses: actions/download-artifact@v2 + with: + name: kotsadm-image + path: ./docker-archive - - name: Build tagged release - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} + - name: Get Release + id: get_release + uses: bruceadams/get-release@v1.2.3 # no v1 tag env: - GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Make kotsadm airgap archive run: | - make -C kurl_proxy build-release + tar czf ./kotsadm.tar.gz -C ./ ./docker-archive + - 
name: Upload airgap bundle + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: https://uploads.github.com/repos/replicatedhq/kots/releases/${{ steps.get_release.outputs.id }}/assets?name=kotsadm.tar.gz + asset_path: ./kotsadm.tar.gz + asset_name: kotsadm.tar.gz + asset_content_type: application/gzip - build_kurl_addon_alpha: - runs-on: ubuntu-18.04 - needs: [release_go_api_alpha, build_kurl_proxy_alpha] - steps: - - name: Build kURL addon alpha package - if: ${{ github.ref == 'refs/heads/master' }} - env: - GH_PAT: ${{ secrets.GH_PAT }} - run: | - package=kotsadm-alpha.tar.gz - curl -H "Authorization: token $GH_PAT" \ - -H 'Accept: application/json' \ - -d "{\"event_type\": \"build-package-staging\", \"client_payload\": {\"package\": \"${package}\"}}" \ - "https://api.github.com/repos/replicatedhq/kurl/dispatches" scan_postgres_alpine: @@ -532,6 +486,7 @@ jobs: with: sarif_file: postgres-alpine-scan-output.sarif + scan_postgres_debian_stretch: runs-on: ubuntu-18.04 needs: [build-schema-migrations] 
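Review bot: In the `goreleaser` job the "set previous release tag for goreleaser" step calls the unauthenticated `/releases/latest` endpoint with `curl --silent` and no `--fail`, so a rate-limit or HTTP error yields an empty `TAG` and `GORELEASER_PREVIOUS_TAG` is silently set to an empty string, changing the changelog range instead of failing the release. Authenticate and fail hard: `curl --silent --fail -H "Authorization: token $GITHUB_TOKEN" ...` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the step's `env`, followed by `test -n "$TAG"`. The job and `build_airgap` also resolve `goreleaser/goreleaser-action@v2`, `bruceadams/get-release@v1.2.3` and `actions/upload-release-asset@v1` by mutable tag while holding `GITHUB_TOKEN`; pinning each to a full commit SHA with the tag in a trailing comment removes the tag-retargeting exposure. `build_airgap` assembles `upload_url` by hand from `steps.get_release.outputs.id`; if the get-release action exposes an `upload_url` output, using it directly avoids the hand-built URL.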
@@ -554,61 +509,66 @@ jobs: with: sarif_file: postgres-scan-output.sarif - scan_migrations: + + scan_minio: runs-on: ubuntu-18.04 - needs: [build-schema-migrations] steps: - name: Checkout uses: actions/checkout@v2 - - name: Scan migrations for vulnerabilities + - name: Scan minio for vulnerabilities id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "kotsadm/kotsadm-migrations:alpha" + image-ref: "minio/minio:RELEASE.2021-08-05T22-01-19Z" format: 'template' template: '@/contrib/sarif.tpl' - output: 'kotsadm-migration-scan-output.sarif' + output: 'minio-scan-output.sarif' exit-code: '0' ignore-unfixed: true severity: 'CRITICAL,HIGH,MEDIUM' + - name: Upload scan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: kotsadm-migration-scan-output.sarif + sarif_file: 'minio-scan-output.sarif' - scan_minio: + + scan_dex: runs-on: ubuntu-18.04 steps: - name: Checkout uses: actions/checkout@v2 - - name: Scan minio for vulnerabilities + - name: Scan dex for vulnerabilities id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "minio/minio:RELEASE.2021-08-05T22-01-19Z" + image-ref: "ghcr.io/dexidp/dex:v2.28.1" # TODO: update this format: 'template' template: '@/contrib/sarif.tpl' - output: 'minio-scan-output.sarif' + output: 'dex-scan-output.sarif' exit-code: '0' ignore-unfixed: true severity: 'CRITICAL,HIGH,MEDIUM' - - name: Upload scan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: 'minio-scan-output.sarif' + sarif_file: dex-scan-output.sarif + scan_kurl_proxy: runs-on: ubuntu-18.04 - needs: [build_kurl_proxy_alpha] + needs: [build_kurl_proxy_tagged] steps: - name: Checkout uses: actions/checkout@v2 + - name: Get tags + id: get_tag + uses: ./actions/version-tag - name: Scan kurl-proxy for vulnerabilities id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "kotsadm/kurl-proxy:alpha" + image-ref: "kotsadm/kurl-proxy:${{ steps.get_tag.outputs.GIT_TAG }}" format: 'template' template: 
'@/contrib/sarif.tpl' output: 'kurl-proxy-scan-output.sarif' @@ -620,17 +580,21 @@ jobs: with: sarif_file: kurl-proxy-scan-output.sarif + scan_kotsadm: runs-on: ubuntu-18.04 - needs: [release_go_api_alpha] + needs: [release_go_api_tagged] steps: - name: Checkout uses: actions/checkout@v2 + - name: Get tags + id: get_tag + uses: ./actions/version-tag - name: Scan kotsadm for vulnerabilities id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "kotsadm/kotsadm:alpha" + image-ref: "kotsadm/kotsadm:${{ steps.get_tag.outputs.GIT_TAG }}" format: 'template' template: '@/contrib/sarif.tpl' output: 'kotsadm-scan-output.sarif' 
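Review bot: `scan_kurl_proxy` and `scan_kotsadm` now scan `kotsadm/kurl-proxy:${{ steps.get_tag.outputs.GIT_TAG }}` and `kotsadm/kotsadm:${{ steps.get_tag.outputs.GIT_TAG }}` pulled from the registry, so the image is inspected only after it has been published, and every scan keeps `exit-code: '0'`, so findings reach the SARIF upload but never fail the workflow. Together with the removal of the ttl.sh scans from build-test.yaml in this commit there is no longer any point where a CRITICAL finding blocks a push; if that is intentional, a comment on the `exit-code` line saying so would help, otherwise `exit-code: '1'` for the tagged images is the minimal gate. `aquasecurity/trivy-action@master` is a floating branch reference; pin it to a release tag or commit SHA. The `ghcr.io/dexidp/dex:v2.28.1 # TODO: update this` target in `scan_dex` is hard-coded and will drift from the dex version the product ships — confirm it still matches.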
@@ -642,75 +606,31 @@ jobs: with: sarif_file: kotsadm-scan-output.sarif - scan_dex: + + scan_migrations: runs-on: ubuntu-18.04 - needs: [release_go_api_alpha] + needs: [build-schema-migrations] steps: - name: Checkout uses: actions/checkout@v2 - - name: Scan dex for vulnerabilities + - name: Get tags + id: get_tag + uses: ./actions/version-tag + - name: Scan migrations for vulnerabilities id: scan uses: aquasecurity/trivy-action@master with: - image-ref: "ghcr.io/dexidp/dex:v2.28.1" + image-ref: "kotsadm/kotsadm-migrations:${{ steps.get_tag.outputs.GIT_TAG }}" format: 'template' template: '@/contrib/sarif.tpl' - output: 'dex-scan-output.sarif' + output: 'kotsadm-migration-scan-output.sarif' exit-code: '0' ignore-unfixed: true severity: 'CRITICAL,HIGH,MEDIUM' - name: Upload scan report uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: dex-scan-output.sarif - - - build_airgap: - runs-on: ubuntu-18.04 - needs: [release_go_api_tagged] - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Get tags - id: get_tag - uses: ./actions/version-tag - - - name: Download migrations - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - uses: actions/download-artifact@v2 - with: - name: migrations-image - path: ./docker-archive - - - name: Download kotsadm image - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - uses: actions/download-artifact@v2 - with: - name: kotsadm-image - path: ./docker-archive - - - name: Get Release - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - id: get_release - uses: bruceadams/get-release@v1.2.3 # no v1 tag - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Make kotsadm airgap archive - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - run: | - tar czf ./kotsadm.tar.gz -C ./ ./docker-archive - - - name: Upload airgap bundle - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: 
https://uploads.github.com/repos/replicatedhq/kots/releases/${{ steps.get_release.outputs.id }}/assets?name=kotsadm.tar.gz - asset_path: ./kotsadm.tar.gz - asset_name: kotsadm.tar.gz - asset_content_type: application/gzip + sarif_file: kotsadm-migration-scan-output.sarif copy_nightly: @@ -752,7 +672,6 @@ jobs: uses: rlespinasse/git-commit-data-action@v1.x # no v1 tag - name: Create staging gitops commit - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} env: REPLICATEDCOM_GITHUB_PRIVATE_KEY: ${{ secrets.REPLICATEDCOM_GITHUB_PRIVATE_KEY }} PR_URL: ${{ steps.pr_url.outputs.url }} @@ -763,7 +682,6 @@ jobs: run: ./hack/deploy-kgrid.sh - name: Create production gitops commit - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} env: REPLICATEDCOM_GITHUB_PRIVATE_KEY: ${{ secrets.REPLICATEDCOM_GITHUB_PRIVATE_KEY }} PR_URL: ${{ steps.pr_url.outputs.url }} @@ -774,6 +692,7 @@ jobs: GITOPS_BRANCH: release run: ./hack/deploy-kgrid.sh + generate-kurl-addon-pr: runs-on: ubuntu-18.04 needs: [release_go_api_tagged, build_kurl_proxy_tagged] @@ -787,7 +706,6 @@ jobs: uses: ./actions/version-tag - name: Generate Kurl Addon PR - if: ${{ steps.get_tag.outputs.GIT_TAG != '' }} env: GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} GH_PAT: ${{ secrets.GH_PAT }}