# Crossplane CI workflow: lint, static analysis, tests, and (when registry
# credentials are present) artifact publishing.
name: CI

# NOTE: generic YAML 1.1 parsers read the bare `on` key as boolean true;
# GitHub's own loader handles it, so keep it as-is (suppress yamllint `truthy`).
on:
  push:
    branches:
      - master
      - release-*
  # Also runs for pull requests, including ones from forks. GitHub does not
  # expose repository secrets to fork PRs, which is what the `*_USR` env
  # checks below rely on to skip publishing steps.
  pull_request: {}
  workflow_dispatch: {}

# NOTE(review): there is no workflow-level `permissions:` block, so any job
# that does not declare its own receives the repository's default GITHUB_TOKEN
# scopes. Jobs that only read the repository should declare `contents: read`.

env:
  # Common versions. Quoted so YAML never parses them as floats.
  GO_VERSION: '1.22.0'
  GOLANGCI_VERSION: 'v1.56.2'
  DOCKER_BUILDX_VERSION: 'v0.10.0'

  # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
  # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  # Only usernames/key IDs are copied into the workflow-wide environment; the
  # matching passwords and secret keys are scoped to the steps that use them.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}
  AWS_USR: ${{ secrets.AWS_USR }}
  UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
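jobs:
  # Runs `make check-diff` after vendoring, which presumably fails when the
  # working tree differs from what is committed (see the build submodule's
  # Makefile for exactly what it compares).
  check-diff:
    runs-on: ubuntu-22.04
    # Least privilege: nothing in this job writes back to GitHub through
    # GITHUB_TOKEN, so restrict it to read-only instead of inheriting the
    # repository default.
    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-check-diff-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      - name: Check Diff
        run: make check-diff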
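# Produces the `noop` output the other jobs gate on, so runs that only touch
# ignored paths (docs, images) skip the expensive work.
  detect-noop:
    runs-on: ubuntu-22.04
    # skip-duplicate-actions inspects other workflow runs through GITHUB_TOKEN
    # (and can cancel them, though cancellation is not enabled here). These
    # are the scopes the action documents; `actions: read` is likely enough
    # with cancellation off, but keep what upstream asks for.
    permissions:
      actions: write
      contents: read
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          # Pushes and manual runs are never skipped; only PRs are.
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false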
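# golangci-lint over the vendored tree; violations are surfaced as PR
# annotations by the action.
  lint:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    # Least privilege: the lint action annotates via problem matchers and
    # `skip-cache` is set, so a read-only GITHUB_TOKEN is sufficient.
    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          key: ${{ runner.os }}-build-lint-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-lint-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      # We could run 'make lint' to ensure our desired Go version, but we prefer
      # this action because it leaves 'annotations' (i.e. it comments on PRs to
      # point out linter violations).
      - name: Lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
        with:
          version: ${{ env.GOLANGCI_VERSION }}
          skip-cache: true # We do our own caching.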
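# CodeQL static analysis of the Go sources, with results uploaded to code
# scanning.
  codeql:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    # Uploading results to code scanning requires `security-events: write`;
    # `actions: read` is what GitHub's CodeQL docs list for private repos.
    # Nothing else in this job needs a writable GITHUB_TOKEN.
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          # Shares the check-diff build cache key rather than having its own.
          key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-check-diff-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      - name: Initialize CodeQL
        uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3
        with:
          languages: go

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3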
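# Trivy filesystem scan of the checked-out tree (dependencies, config, etc.).
  trivy-scan-fs:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    # Least privilege: the scanner only reads the checkout; results are not
    # uploaded anywhere via GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
        with:
          scan-type: 'fs'
          # Findings with no upstream fix available are hidden and never fail
          # CI; they still need to be tracked elsewhere.
          ignore-unfixed: true
          skip-dirs: design
          scan-ref: '.'
          # Non-zero exit (job failure) on any CRITICAL or HIGH finding.
          exit-code: '1'
          severity: 'CRITICAL,HIGH'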
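# Unit tests with coverage upload.
  unit-tests:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    # Least privilege: nothing here writes back to GitHub through
    # GITHUB_TOKEN (the coverage upload goes to codecov, not the repo).
    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      # Full history is needed by the build tooling (presumably for version
      # derivation from git); the default checkout is shallow.
      - name: Fetch History
        run: git fetch --prune --unshallow

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          key: ${{ runner.os }}-build-unit-tests-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-unit-tests-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      - name: Run Unit Tests
        run: make -j2 test

      # No codecov token is passed here, so this relies on tokenless upload.
      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3
        with:
          flags: unittests
          file: _output/tests/linux_amd64/coverage.txt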
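# End-to-end tests against a kind cluster, one job per test suite.
  e2e-tests:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    # Least privilege: the job builds and tests locally; the artifact upload
    # uses the runtime token, not GITHUB_TOKEN.
    permissions:
      contents: read
    strategy:
      # Keep running the other suites when one fails.
      fail-fast: false
      matrix:
        test-suite:
          - base
          - environment-configs
          - usage
          - ssa-claims

    steps:
      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
        with:
          platforms: all

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
        with:
          version: ${{ env.DOCKER_BUILDX_VERSION }}
          install: true

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Fetch History
        run: git fetch --prune --unshallow

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          key: ${{ runner.os }}-build-e2e-tests-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-e2e-tests-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      - name: Build Helm Chart
        run: make -j2 build
        env:
          # We're using docker buildx, which doesn't actually load the images it
          # builds by default. Specifying --load does so.
          BUILD_ARGS: "--load"

      # `matrix.test-suite` is a literal from the matrix above, so interpolating
      # it into the shell line is safe (no attacker-controlled input here).
      - name: Run E2E Tests
        run: make e2e E2E_TEST_FLAGS="-test.v -test.failfast -fail-fast --kind-logs-location ./logs-kind --test-suite ${{ matrix.test-suite }}"

      # kind logs are only kept when the suite fails, for debugging.
      - name: Upload artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
        if: failure()
        with:
          name: e2e-kind-logs-${{ matrix.test-suite }}
          path: ./logs-kind
          if-no-files-found: error
          retention-days: 7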
# Builds every artifact, always uploads them as a workflow artifact, and then
# pushes them to S3/DockerHub/Upbound when the corresponding credentials exist.
# NOTE(review): this job declares no `permissions:`, so the GITHUB_TOKEN it
# hands to `make publish` as GIT_API_TOKEN carries the repository default
# scopes; if that target only needs to read, scope it down.
  publish-artifacts:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      # `build.all` needs more disk than the hosted runner ships with.
      - name: Cleanup Disk
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          android: true
          dotnet: true
          haskell: true
          tool-cache: true
          large-packages: false
          swap-storage: false

      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
        with:
          platforms: all

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
        with:
          version: ${{ env.DOCKER_BUILDX_VERSION }}
          install: true

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true

      - name: Fetch History
        run: git fetch --prune --unshallow

      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Build Cache
        id: go
        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: ${{ steps.go.outputs.cache }}
          key: ${{ runner.os }}-build-publish-artifacts-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-publish-artifacts-

      - name: Cache Go Dependencies
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Vendor Dependencies
        run: make vendor vendor.check

      - name: Build Artifacts
        run: make -j2 build.all
        env:
          # We're using docker buildx, which doesn't actually load the images it
          # builds by default. Specifying --load does so.
          BUILD_ARGS: "--load"

      # Unconditional: every run (including PRs) keeps its build output as a
      # downloadable workflow artifact.
      - name: Publish Artifacts to GitHub
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
        with:
          name: output
          path: _output/**

      # The registry logins and publish steps are gated on the `*_USR` copies
      # in the workflow env, which are empty when the secrets are not provided
      # (e.g. pull requests from forks).
      - name: Login to DockerHub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to Upbound
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
        with:
          registry: xpkg.upbound.io
          username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
          password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}

      # NOTE(review): the gate is credential presence, not event type. GitHub
      # does expose secrets to `pull_request` runs from branches of this same
      # repository, and there GITHUB_REF is `refs/pull/<n>/merge`, so
      # BRANCH_NAME resolves to `merge`. Confirm publishing from such runs is
      # intended; otherwise add `github.event_name != 'pull_request'` to `if`.
      - name: Publish Artifacts to S3, Marketplace, DockerHub
        run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
        if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
          AWS_DEFAULT_REGION: us-east-1
          GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }}
          DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }}

      # Promotion to the `master` channel only happens on pushes to master
      # (explicit ref check, in addition to the credential checks).
      - name: Promote Artifacts in S3, DockerHub
        if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
        run: make -j2 promote
        env:
          BRANCH_NAME: master
          CHANNEL: master
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
          AWS_DEFAULT_REGION: us-east-1
# Builds and runs the OSS-Fuzz fuzzers for the `crossplane` project via CIFuzz.
# NOTE(review): both CIFuzz actions are referenced by the mutable `@master`
# ref, unlike every other third-party action here, which is pinned to a
# commit SHA. CIFuzz ships without release tags, but this means any change
# upstream runs in this job immediately, with this job's default GITHUB_TOKEN
# in its environment; at minimum declare `permissions: contents: read` here
# once it is confirmed the actions need nothing more.
  fuzz-test:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      # TODO(negz): Can we make this use our Go build and dependency cache? It
      # seems to build Crossplane inside of a Docker image.
      - name: Build Fuzzers
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: "crossplane"
          language: go

      # Time-boxed run (300s); a crash fails the step.
      - name: Run Fuzzers
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: "crossplane"
          fuzz-seconds: 300
          language: go

      # Only upload crash artifacts when the fuzzers built fine and a later
      # step (the fuzz run) failed.
      - name: Upload Crash
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
        if: failure() && steps.build.outcome == 'success'
        with:
          name: artifacts
          path: ./out/artifacts
# TODO(negz): Refactor this job. Should the parts pertaining to release
# branches live in promote.yaml instead?
#
# Lints the protobuf schemas under `apis`, checks them for breaking changes
# against the relevant base branch, and pushes them to the Buf Schema Registry
# from master/release branches of the upstream repo.
# NOTE(review): `buf-setup-action`, `buf-lint-action` and `buf-push-action`
# are referenced by the mutable `@v1` tag while the rest of this file pins
# actions to commit SHAs (and `buf-breaking-action` below is SHA-pinned). The
# push step hands BUF_TOKEN to the unpinned `buf-push-action`; pin it to a SHA
# like its sibling.
  protobuf-schemas:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      # No submodules needed: only `apis/` is read.
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4

      - name: Setup Buf
        uses: bufbuild/buf-setup-action@v1

      - name: Lint Protocol Buffers
        uses: bufbuild/buf-lint-action@v1
        with:
          input: apis

      # NOTE(review): `${GITHUB_REPOSITORY}` / `${GITHUB_REF_NAME}` below are
      # shell-style variable references, not Actions `${{ }}` expressions.
      # They are only expanded if the action passes the value through a shell;
      # confirm this, or switch to `${{ github.repository }}` /
      # `${{ github.ref_name }}` which Actions expands before the action runs.
      - name: Detect Breaking Changes in Protocol Buffers (Master Branch)
        uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
        # We want to run this for the master branch, and PRs.
        if: ${{ ! startsWith(github.ref, 'refs/heads/release-') }}
        with:
          input: apis
          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=master,subdir=apis"

      - name: Detect Breaking Changes in Protocol Buffers (Release Branch)
        uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
        # We want to run this only on release branches.
        if: ${{ startsWith(github.ref, 'refs/heads/release-') }}
        with:
          input: apis
          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=${GITHUB_REF_NAME},subdir=apis"

      # Pushes only from the upstream repository (not forks) and only from
      # master or release branches, so PR runs never touch the registry.
      - name: Push Protocol Buffers to Buf Schema Registry
        if: ${{ github.repository == 'crossplane/crossplane' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-')) }}
        uses: bufbuild/buf-push-action@v1
        with:
          input: apis
          buf_token: ${{ secrets.BUF_TOKEN }}