Skip to content

Merge pull request #10029 from slonka/merge-release-2.7-master #172

Merge pull request #10029 from slonka/merge-release-2.7-master

Merge pull request #10029 from slonka/merge-release-2.7-master #172

name: "build-test-distribute"
on:
push:
branches: ["master", "release-*", "!*-merge-master"]
tags: ["*"]
pull_request:
branches: ["master", "release-*"]
concurrency:
group: ${{github.workflow}}-${{ github.ref_name }} # group all runs by branch or tag
cancel-in-progress: ${{ github.event_name == 'pull_request' }} # only cancel previous runs on PRs, we want each commit to build on branches
permissions:
contents: write # To upload assets
id-token: write # For using token to sign images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
env:
KUMA_DIR: "."
CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
jobs:
check:
permissions:
contents: read
# golangci-lint-action
checks: write
timeout-minutes: 15
runs-on: ubuntu-latest
env:
FULL_MATRIX: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/run-full-matrix') }}
ALLOW_PUSH: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
BUILD: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/run-build') || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
FORCE_PUBLISH_FROM_FORK: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ci/force-publish') && github.event.pull_request.head.repo.full_name != github.repository }}
outputs:
FULL_MATRIX: ${{ env.FULL_MATRIX }}
ALLOW_PUSH: ${{ env.ALLOW_PUSH }}
BUILD: ${{ env.BUILD }}
IMAGES: ${{ steps.metadata.outputs.images }}
REGISTRY: ${{ steps.metadata.outputs.registry }}
VERSION_NAME: ${{ steps.metadata.outputs.version }}
NOTARY_REPOSITORY: ${{ (contains(steps.metadata.outputs.version, 'preview') && 'notary-internal') || 'notary' }}
steps:
- name: "Fail when 'ci/force-publish' label is present on PRs from forks"
if: ${{ fromJSON(env.FORCE_PUBLISH_FROM_FORK) }}
run: |
echo "::error title=Label 'ci/force-publish' cannot be used on PRs from forks::To prevent accidental exposure of secrets, CI won't use repository secrets on pull requests from forks"
exit 1
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
cache: false
- uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
with:
args: --fix=false --verbose
version: v1.56.1
skip-pkg-cache: true
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
${{ env.CI_TOOLS_DIR }}
key: ${{ runner.os }}-${{ runner.arch }}-devtools-${{ hashFiles('mk/dependencies/deps.lock') }}
restore-keys: |
${{ runner.os }}-${{ runner.arch }}-devtools
- run: |
make dev/tools
- run: |
make clean
- run: |
make check
- id: sca-project
uses: Kong/public-shared-actions/security-actions/sca@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
with:
dir: .
config: .syft.yaml
upload-sbom-release-assets: true
- id: metadata
run: |
echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
test:
permissions:
contents: read
needs: ["check"]
uses: ./.github/workflows/_test.yaml
with:
FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
secrets: inherit
build_publish:
permissions:
contents: read
id-token: write
needs: ["check", "test"]
uses: ./.github/workflows/_build_publish.yaml
if: ${{ fromJSON(needs.check.outputs.BUILD) }}
with:
FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
ALLOW_PUSH: ${{ needs.check.outputs.ALLOW_PUSH }}
IMAGE_ARTIFACT_NAME: "image_artifacts"
BINARY_ARTIFACT_NAME: "binary_artifacts"
IMAGES: ${{ needs.check.outputs.IMAGES }}
REGISTRY: ${{ needs.check.outputs.REGISTRY }}
NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
VERSION_NAME: ${{ needs.check.outputs.VERSION_NAME }}
secrets: inherit
provenance:
needs: ["check", "build_publish"]
if: ${{ github.ref_type == 'tag' }}
uses: ./.github/workflows/_provenance.yaml
secrets: inherit
permissions:
contents: write
id-token: write # For using token to sign images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
with:
BINARY_ARTIFACTS_HASH_AS_FILE: ${{ needs.build_publish.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
IMAGES: ${{ needs.check.outputs.IMAGES }}
REGISTRY: ${{ needs.check.outputs.REGISTRY }}
NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
IMAGE_DIGESTS: ${{ needs.build_publish.outputs.IMAGE_DIGESTS }}
distributions:
needs: ["build_publish", "check", "test", "provenance"]
timeout-minutes: 10
if: ${{ always() }}
runs-on: ubuntu-latest
steps:
- name: "Halt due to previous failures"
run: |-
echo "results: ${{ toJson(needs.*.result) }}"
# for some reason, GH Action will always trigger a downstream job even if there are errors in an dependent job
# so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
[[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
echo "All dependent jobs succeeded"