automation: provide multiple actions

This commit brings new automation via new GitHub actions. Important: all the GitHub actions are now referenced by their shasum. This provides a better security posture. Next to the shasum, there's a comment stating the "human" tag of the action. Dependabot can keep both information (shasum, human tag) in sync. Testing ======= Unit and function tests, plus linters are now run on PR and each change done to the `main` branch. Container image building ============================ The container image will be built only from the contents of the `main` branch or with the contents referenced by a tag that follows the `v*` naming convention. Prior to this commit, images were built also for PR branches, which caused issues like #31 The following tags are going to be used: - `latest`: rolling tag pointing to `main` - `v<version>`: a tagged release of the operator Prior to this change the stable releases had a really long (and a bit strange) tag: `:kwasm-operator-<version>`. SBOM generation =============== As part of the release process, SBOM files are generated for the container images (x86_64, arm64). The SBOM files are generated using syft. Cosign integration ================== Each artifact produced by the automation pipeline (container images, SBOM files) are now signed by cosign. Signing is done using Sigstore's keyless mode. Changelog generation ==================== Release drafter is now used to automatically build a changelog of the upcoming release. The changelog is built by looking at the commits subjects. As a result of that, it would be great to have all the contributions follow git semantic commits guidelines. We should probably document that into the contribution guidelines. GitHub Release ============== A GitHub release will be created whenever a `v*` tag is pushed. The name of the GitHub Release will be `v<version>`. The GitHub release will contain the information generated by the `release-drafter` action. The release will also feature several artifacts like the SBOMs and the signatures of the container images (+ SBOMS). These can be used by end users to verify the integrity of all the assets we produce inside of our release pipeline. Prior to this commit, no GitHub Release was created for the operator itself. There was just one release for the helm chart. Helm chart release ================== When the contents of the `charts/` directory are changed, the GitHub action will create a new GitHub release called `kwasm-operator-chart-<version>`. This is done to differentiate it from the GitHub Release of the operator. The action creates also a git tag named `kwasm-operator-chart-<version>`. Before this tag was named `kwasm-operator-<version>`. Signed-off-by: Flavio Castelli <[email protected]>
KWasm · Nov 28, 2023 · bebcd58 · bebcd58
1 parent 9c9bc16
commit bebcd58
Show file tree

Hide file tree

Showing 10 changed files with 529 additions and 70 deletions.
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -0,0 +1,66 @@
+categories:
+  - title: '⚠️  Breaking changes'
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  - title: '🚀 Features'
+    labels:
+      - 'kind/enhancement'
+      - 'kind/feature'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'kind/bug'
+  - title: '🧰 Maintenance'
+    labels:
+      - 'kind/chore'
+      - 'area/dependencies'
+
+exclude-labels:
+  - duplicate
+  - invalid
+  - later
+  - wontfix
+  - kind/question
+  - release/skip-changelog
+
+change-template: '- $TITLE (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+name-template: 'v$RESOLVED_VERSION'
+template: |
+  $CHANGES
+
+autolabeler:
+    # Tag any PR with "!" in the subject as major update. In other words, breaking change
+  - label: 'kind/breaking-change'
+    title: '/.*!:.*/'
+  - label: 'area/dependencies'
+    title: 'chore(deps)'
+  - label: 'area/dependencies'
+    title: 'fix(deps)'
+  - label: 'area/dependencies'
+    title: 'build(deps)'
+  - label: 'kind/feature'
+    title: 'feat'
+  - label: 'kind/bug'
+    title: 'fix'
+  - label: 'kind/chore'
+    title: 'chore'
+
+version-resolver:
+  major:
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  minor:
+    labels:
+      - 'kind/minor'
+      - 'kind/feature'
+      - 'kind/enhancement'
+  patch:
+    labels:
+      - 'kind/patch'
+      - 'kind/fix'
+      - 'kind/bug'
+      - 'kind/chore'
+      - 'area/dependencies'
+  default: patch
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  workflow_call:
+  push:
+  pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  unit_tests:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.21"
+      - run: make test
+
+  golangci:
+    name: Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.21"
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          version: v1.54.2
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -0,0 +1,39 @@
+name: Build container image, sign it, and generate SBOMs
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+
+  push:
+    branches:
+      - "main"
+      - "feat-**"
+
+jobs:
+  build:
+    uses: ./.github/workflows/container-image.yml
+    permissions:
+      packages: write
+    with:
+      push-image: true
+
+  sign:
+    needs: build
+    uses: ./.github/workflows/sign-image.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
+
+  sbom:
+    needs: build
+    uses: ./.github/workflows/sbom.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -0,0 +1,72 @@
+name: Build container image
+
+on:
+  workflow_call:
+    inputs:
+      push-image:
+        type: boolean
+        required: true
+    outputs:
+      repository:
+        description: "Repository used to build the container image"
+        value: ${{ jobs.build.outputs.repository }}
+      tag:
+        description: "Tag used to build the container image"
+        value: ${{ jobs.build.outputs.tag }}
+      digest:
+        description: "Image digest"
+        value: ${{ jobs.build.outputs.digest }}
+
+jobs:
+  build:
+    name: Build container image
+    permissions:
+      packages: write
+    runs-on: ubuntu-latest
+    outputs:
+      repository: ${{ steps.setoutput.outputs.repository }}
+      tag: ${{ steps.setoutput.outputs.tag }}
+      artifact: ${{ steps.setoutput.outputs.artifact }}
+      digest: ${{ steps.setoutput.outputs.digest }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Retrieve tag name (main branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
+        run: |
+          echo TAG_NAME=latest >> $GITHUB_ENV
+      - name: Retrieve tag name (feat branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
+        run: |
+          echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+      - name: Retrieve tag name (tag)
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+      - name: Build and push container image
+        if: ${{ inputs.push-image }}
+        id: build-image
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64, linux/arm64
+          push: true
+          tags: |
+            ghcr.io/${{github.repository_owner}}/kwasm-operator:${{ env.TAG_NAME }}
+      - id: setoutput
+        name: Set output parameters
+        run: |
+          echo "repository=ghcr.io/${{github.repository_owner}}/kwasm-operator" >> $GITHUB_OUTPUT
+          echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT
+          echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
@@ -0,0 +1,42 @@
+# This action releases the kwasm-operator helm chart
+# The action must run on each commit done against main, however
+# a new release will be performed **only** when a change occurs inside
+# of the `charts` directory.
+name: Release helm chart
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      packages: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.10.0
+
+      - name: Run chart-releaser
+        if: github.ref == 'refs/heads/main'
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-chart-{{ .Version }}"
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -0,0 +1,37 @@
+name: Release Drafter
+
+on:
+  workflow_dispatch:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize, edited]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  pull_request_target:
+    types: [opened, reopened, synchronize, edited]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
+        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
+        # with:
+        #   config-name: my-config.yml
+        #   disable-autolabeler: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}