WIP: Switch to lima as Vagrant replacement #5631
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| release: | |
| types: [published] | |
| pull_request: | |
| env: | |
| GO_VERSION: '1.21' | |
| NIX_VERSION: '2.15.1' | |
| BOM_VERSION: v0.5.1 | |
| permissions: {} | |
| jobs: | |
| macos: | |
| runs-on: macos-12 | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: make test-unit | |
| - run: make verify-go-lint | |
| nix: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 | |
| with: | |
| install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
| - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f | |
| with: | |
| name: security-profiles-operator | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| pushFilter: security-profiles-operator | |
| - run: make nix | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: build | |
| path: build.tar.gz | |
| nix-spoc: | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write # required for updating the release | |
| id-token: write # required for sigstore signing | |
| steps: | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 | |
| with: | |
| install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
| - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f | |
| with: | |
| name: security-profiles-operator | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| pushFilter: security-profiles-operator | |
| - run: | | |
| sudo curl -sSfL --retry 5 --retry-delay 3 -o /usr/bin/bom \ | |
| https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux | |
| sudo chmod +x /usr/bin/bom | |
| - run: make nix-spoc | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: spoc | |
| path: | | |
| build/* | |
| - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| build/* | |
| bpf: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 | |
| with: | |
| install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
| - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f | |
| with: | |
| name: security-profiles-operator | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| pushFilter: security-profiles-operator | |
| - run: make verify-bpf | |
| build-image: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
| - name: Login to Quay | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| registry: quay.io/security-profiles-operator | |
| username: security-profiles-operator+github | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| if: github.ref == 'refs/heads/main' | |
| - name: Image metadata | |
| id: meta | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| with: | |
| images: | | |
| quay.io/security-profiles-operator/build | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=sha,format=long | |
| - name: Build (and push if needed) | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 | |
| with: | |
| context: . | |
| file: Dockerfile.build-image | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| # Only load on PR builds | |
| load: ${{ github.ref != 'refs/heads/main' }} | |
| - name: Run container image vulnerability scanner | |
| uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f | |
| with: | |
| image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| format: 'table' | |
| # TODO(jaosorior): Fix this once we bump the NixOS dependencies. | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| timeout: 10m | |
| operator-image: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
| - name: Login to Quay | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| registry: quay.io/security-profiles-operator | |
| username: security-profiles-operator+github | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| if: github.ref == 'refs/heads/main' | |
| - name: Image metadata | |
| id: meta | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| with: | |
| images: | | |
| quay.io/security-profiles-operator/spo | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=sha,format=long | |
| - name: Build | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| load: true | |
| - name: Run container image vulnerability scanner | |
| uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f | |
| with: | |
| image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| ubi-image: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
| - name: Login to Quay | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| registry: quay.io/security-profiles-operator | |
| username: security-profiles-operator+github | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| if: github.ref == 'refs/heads/main' | |
| - name: Image metadata | |
| id: meta | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 | |
| with: | |
| images: | | |
| quay.io/security-profiles-operator/build | |
| flavor: | | |
| suffix=-ubi | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=sha,format=long | |
| # TODO(jaosorior): Push UBI image too | |
| - name: Build | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 | |
| with: | |
| context: . | |
| file: Dockerfile.ubi | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| load: true | |
| - name: Run container image vulnerability scanner | |
| uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f | |
| with: | |
| image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' |