Bump to Go 1.21 #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build_test_release | |
| on: | |
| push: | |
| paths-ignore: | |
| - ".github/workflows/website.yaml" | |
| - "docs/**" | |
| - "library/**" | |
| - "demo/**" | |
| - "deprecated/**" | |
| - "example/**" | |
| - "website/**" | |
| - "**.md" | |
| - "!cmd/build/helmify/static/README.md" | |
| pull_request: | |
| paths-ignore: | |
| - ".github/workflows/website.yaml" | |
| - "docs/**" | |
| - "library/**" | |
| - "demo/**" | |
| - "deprecated/**" | |
| - "example/**" | |
| - "website/**" | |
| - "**.md" | |
| - "!cmd/build/helmify/static/README.md" | |
| env: | |
| GITHUB_REPO: open-policy-agent/gatekeeper | |
| IMAGE_REPO: openpolicyagent/gatekeeper | |
| CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds | |
| GATOR_IMAGE_REPO: openpolicyagent/gator | |
| jobs: | |
| lint: | |
| name: "Lint" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| # source: https://github.com/golangci/golangci-lint-action | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| # version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version | |
| version: v1.48.0 | |
| test: | |
| name: "Unit test" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Unit test | |
| run: | | |
| curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz" &&\ | |
| tar -zxvf kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz &&\ | |
| sudo mv kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64 /usr/local/kubebuilder | |
| make native-test | |
| env: | |
| KUBEBUILDER_VERSION: 2.3.1 | |
| - name: Codecov Upload | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| flags: unittests | |
| file: ./cover.out | |
| fail_ci_if_error: false | |
| gator_test: | |
| name: "Test Gator" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Download e2e dependencies | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make e2e-dependencies KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} | |
| - name: gator test | |
| run: make test-gator-containerized | |
| build_test: | |
| name: "Build and Test" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: | |
| KUBERNETES_VERSION: ["1.23.13", "1.24.7", "1.25.3", "1.26.0"] | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Bootstrap e2e | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} | |
| - name: Run e2e | |
| run: | | |
| make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest | |
| make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true | |
| go mod tidy | |
| # there should be no additional manifest or go.mod changes | |
| git diff --exit-code | |
| make test-e2e | |
| - name: Save logs | |
| if: ${{ always() }} | |
| run: | | |
| kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json | |
| kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| if: ${{ always() }} | |
| with: | |
| name: logs | |
| path: | | |
| logs-*.json | |
| helm_build_test: | |
| name: "[Helm] Build and Test" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: | |
| HELM_VERSION: ["3.7.2"] | |
| GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"] | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Bootstrap e2e | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make e2e-bootstrap | |
| - name: Run e2e | |
| run: | | |
| make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest CRD_IMG=gatekeeper-crds:latest GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} | |
| make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} | |
| make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} | |
| - name: Save logs | |
| if: ${{ always() }} | |
| run: | | |
| kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json | |
| kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json | |
| kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l run=dummy-provider --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-dummy-provider.json | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| if: ${{ always() }} | |
| with: | |
| name: helm-logs | |
| path: | | |
| logs-*.json | |
| build_test_generator_expansion: | |
| name: "[Generator Resource Expansion] Build and Test" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Bootstrap e2e | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make e2e-bootstrap | |
| - name: Run e2e | |
| run: | | |
| make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest | |
| make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_GENERATOR_EXPANSION=true | |
| go mod tidy | |
| # there should be no additional manifest or go.mod changes | |
| git diff --exit-code | |
| make test-e2e ENABLE_GENERATOR_EXPANSION_TESTS=1 | |
| - name: Save logs | |
| if: ${{ always() }} | |
| run: | | |
| kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-generatorexpansion-controller.json | |
| kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-generatorexpansion-audit.json | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| if: ${{ always() }} | |
| with: | |
| name: generatorexpansion-logs | |
| path: | | |
| logs-*.json | |
| scan_vulnerabilities: | |
| name: "[Trivy] Scan for vulnerabilities" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Download trivy | |
| run: | | |
| pushd $(mktemp -d) | |
| wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| echo "$(pwd)" >> $GITHUB_PATH | |
| env: | |
| TRIVY_VERSION: "0.32.1" | |
| - name: Run trivy on git repository | |
| run: | | |
| trivy fs --format table --ignore-unfixed --skip-dirs website --security-checks vuln . | |
| - name: Build docker images | |
| run: make docker-build | |
| - name: Run trivy on images | |
| run: | | |
| for img in "openpolicyagent/gatekeeper:latest" "openpolicyagent/gatekeeper-crds:latest"; do | |
| for vuln_type in "os" "library"; do | |
| trivy image --ignore-unfixed --vuln-type="${vuln_type}" "${img}" | |
| done | |
| done | |
| pre-release: | |
| name: "Pre Release" | |
| runs-on: "ubuntu-latest" | |
| if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper' | |
| needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities] | |
| timeout-minutes: 30 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: make docker-push-dev | |
| run: | | |
| tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull" | |
| bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')" | |
| listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list" | |
| authz="Authorization: Bearer $bearerToken" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-dev DEV_TAG=${GITHUB_SHA::7} | |
| fi | |
| listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-crds-dev DEV_TAG=${GITHUB_SHA::7} | |
| fi | |
| listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-gator-dev DEV_TAG=${GITHUB_SHA::7} | |
| fi | |
| env: | |
| DOCKER_USER: ${{ secrets.DOCKER_USER }} | |
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | |
| tagged-release: | |
| name: "Tagged Release" | |
| runs-on: "ubuntu-latest" | |
| permissions: | |
| contents: write | |
| if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper' | |
| needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities] | |
| timeout-minutes: 45 | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - name: Set up Go 1.19 | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.19 | |
| - name: Get tag | |
| id: get_version | |
| run: | | |
| echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV | |
| - name: Publish release | |
| run: | | |
| tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull" | |
| bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')" | |
| listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list" | |
| authz="Authorization: Bearer $bearerToken" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-release VERSION=${TAG} | |
| fi | |
| listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-crds-release VERSION=${TAG} | |
| fi | |
| listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list" | |
| version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')" | |
| exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)') | |
| if [[ $exists == null ]] | |
| then | |
| make docker-login | |
| make docker-buildx-gator-release VERSION=${TAG} | |
| fi | |
| env: | |
| DOCKER_USER: ${{ secrets.DOCKER_USER }} | |
| DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Bootstrap e2e | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make e2e-bootstrap | |
| - name: Verify release | |
| run: | | |
| make e2e-verify-release IMG=${{ env.IMAGE_REPO }}:${TAG} USE_LOCAL_IMG=false | |
| - name: Build gator-cli | |
| run: | | |
| build() { | |
| export GOOS="$(echo ${1} | cut -d '-' -f 1)" | |
| export GOARCH="$(echo ${1} | cut -d '-' -f 2)" | |
| FILENAME=${GITHUB_WORKSPACE}/_dist/gator-${TAG}-${GOOS}-${GOARCH} | |
| # build the binary | |
| make bin/gator-${GOOS}-${GOARCH} | |
| # rename the binary to gator | |
| tmp_dir=$(mktemp -d) | |
| cp bin/gator-${GOOS}-${GOARCH} ${tmp_dir}/gator | |
| pushd ${tmp_dir} | |
| tar -czf ${FILENAME}.tar.gz gator* | |
| popd | |
| } | |
| mkdir -p _dist | |
| for os_arch_extension in $PLATFORMS; do | |
| build ${os_arch_extension} & | |
| done | |
| wait | |
| pushd _dist | |
| # consolidate tar's sha256sum into a single file | |
| find . -type f -name '*.tar.gz' | sort | xargs sha256sum >> sha256sums.txt | |
| popd | |
| env: | |
| PLATFORMS: "linux-amd64 linux-arm64 darwin-amd64 darwin-arm64" | |
| - name: Create GitHub release | |
| uses: "marvinpinto/[email protected]" | |
| with: | |
| repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
| prerelease: false | |
| files: | | |
| _dist/sha256sums.txt | |
| _dist/*.tar.gz | |
| - name: Publish Helm chart | |
| uses: stefanprodan/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| charts_dir: charts | |
| target_dir: charts | |
| linting: off |