From 649c0f283996c91711ccc30f36c21b38d11fd7ad Mon Sep 17 00:00:00 2001
From: Shubham Gupta <69793468+shubham-cmyk@users.noreply.github.com>
Date: Mon, 7 Aug 2023 20:11:07 +0530
Subject: [PATCH] Migrate the Pipeline from Azure to Github actions (#571)
* update pipeline
Signed-off-by: Shubham Gupta
* fix : container_quality_dockerfile_lint
Signed-off-by: Shubham Gupta
* fix bugs
Signed-off-by: Shubham Gupta
* fix : build_container_image and build_go_binary
Signed-off-by: Shubham Gupta
* fix the image scanning
Signed-off-by: Shubham Gupta
* Remove the trivy scan
Signed-off-by: Shubham Gupta
* Move trivy scan
Signed-off-by: Shubham Gupta
* change
Signed-off-by: Shubham Gupta
* add scanner
Signed-off-by: Shubham Gupta
* fix image Name
Signed-off-by: Shubham Gupta
* remove scan
Signed-off-by: Shubham Gupta
* UPDATE ACCESS TOKEN
Signed-off-by: Shubham Gupta
---------
Signed-off-by: Shubham Gupta
---
 .azure-pipelines/pipeline.yaml | 28 -----
 .github/workflows/operator-ci.yaml | 144 +++++++++++++++++++++++++
 .github/workflows/release-images.yaml | 150 ++++++++++++++++++++++++++
 3 files changed, 294 insertions(+), 28 deletions(-)
 delete mode 100644 .azure-pipelines/pipeline.yaml
 create mode 100644 .github/workflows/operator-ci.yaml
 create mode 100644 .github/workflows/release-images.yaml
diff --git a/.azure-pipelines/pipeline.yaml b/.azure-pipelines/pipeline.yaml
deleted file mode 100644
index 8e6c9bc15..000000000
--- a/.azure-pipelines/pipeline.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-trigger:
- - master
-
-pr:
- branches:
- include:
- - master
-
-variables:
- - group: RuntimeVariables
-
-resources:
- repositories:
- - repository: golang-template
- type: github
- name: opstree/azure-devops-template
- endpoint: OT-CONTAINER-KIT
-
-extends:
- template: operator-ci.yaml@golang-template
- parameters:
- ApplicationName: redis-operator
- QuayImageName: opstree/redis-operator
- GithubImageName: ot-container-kit/redis-operator/redis-operator
- BuildDocs: false
- AppVersion: "v0.15.0"
- GolangVersion: "1.17"
\ No newline at end of file
diff --git a/.github/workflows/operator-ci.yaml b/.github/workflows/operator-ci.yaml
new file mode 100644
index 000000000..339bf9989
--- /dev/null
+++ b/.github/workflows/operator-ci.yaml
@@ -0,0 +1,144 @@
+name: CI
+on:
+ pull_request:
+ branches:
+ - master
+ push:
+ branches:
+ - master
+
+env:
+ GolangVersion: 1.17
+ ApplicationName: redis-operator
+ DockerImagName: docker.io/opstree/redis-operator
+ BuildDocs: true
+ AppVersion: "v0.15.0"
+ DOCKERFILE_PATH: '**/Dockerfile'
+
+jobs:
+ gofmt:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ env.GolangVersion }}
+ - name: Check Go Fmt
+ run: |
+ gofmt_files=$(go fmt ./... | wc -l)
+ if [[ ${gofmt_files} > 0 ]]
+ then
+ echo "Please format golang files using:- go fmt ./..."
+ exit 1
+ else
+ echo "All files are formated using gofmt"
+ fi
+
+ govet:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ env.GolangVersion }}
+ - name: Run Go Vet
+ run: go vet ./...
+
+ code_quality_golang_ci_lint:
+ needs: [gofmt, govet]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ env.GolangVersion }}
+ - name: Install GolangCI-Lint
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.40.0
+ - name: Run GolangCI-Lint
+ run: ./bin/golangci-lint run --timeout 5m0s ./...
+
+ container_quality_dockerfile_lint:
+ needs: [gofmt, govet]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Execute dockerlinter
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfile
+ ignore: DL3007,DL3018
+
+ build_go_binary:
+ needs: [code_quality_golang_ci_lint]
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ arch: ['amd64', 'arm64']
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+ - name: Setup Go Environment
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ env.GOLANG_VERSION }}
+ - name: Set GOARCH
+ run: echo "GOARCH=${{ matrix.arch }}" >> $GITHUB_ENV
+ - name: Build Go Binary
+ run: go build -o ${{ github.workspace }}/${{ env.APPLICATION_NAME }}
+ - name: Archive Binary
+ run: |
+ mkdir -p ${{ github.workspace }}/compiled/${{ matrix.arch }}
+ zip ${{ github.workspace }}/compiled/${{ matrix.arch }}/${{ env.APPLICATION_NAME }}-${{ matrix.arch }}.zip ${{ github.workspace }}/${{ env.APPLICATION_NAME }}
+
+ build_scan_container_image:
+ needs: [container_quality_dockerfile_lint]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Build arm64 image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ platforms: linux/arm64
+ push: false
+ tags: ${{ env.DockerImagName }}:arm64
+
+ - name: Build amd64 image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ platforms: linux/amd64
+ push: false
+ tags: ${{ env.DockerImagName }}:amd64
+ - name: Build multi-arch image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ platforms: linux/arm64,linux/amd64
+ push: false
+ tags: ${{ env.DockerImagName }}:latest
+
+ gosec_scan:
+ needs: [build_go_binary]
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+ - name: Gosec Scan
+ uses: securego/gosec@master
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GOSEC_OUTPUT: "junit-xml:/github/workspace/gosec-results.xml"
+ 
\ No newline at end of file
diff --git a/.github/workflows/release-images.yaml b/.github/workflows/release-images.yaml
new file mode 100644
index 000000000..8cdfab6ba
--- /dev/null
+++ b/.github/workflows/release-images.yaml
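Review bot: build_go_binary reads `${{ env.GOLANG_VERSION }}` and `${{ env.APPLICATION_NAME }}`, but the top-level env block defines `GolangVersion` and `ApplicationName`, so setup-go receives an empty go-version and the build output path degrades to `${{ github.workspace }}/`; the references should be `go-version: ${{ env.GolangVersion }}` and `go build -o ${{ github.workspace }}/${{ env.ApplicationName }}` (the zip step has the same mismatch). The workflow sets no top-level `permissions:`, so every job, including pull_request runs, inherits the repository's default GITHUB_TOKEN scope; `permissions: contents: read` at the top would give each step only what it needs. `securego/gosec@master` and the golangci-lint install script fetched from `master` via `curl | sh` are mutable references, so the toolchain can change underneath CI; pinning the action to a release tag or commit SHA and the installer to a tagged ref makes the supply chain reproducible. `GolangVersion: 1.17` is an unquoted float (the removed Azure pipeline quoted it), which would silently truncate a future `1.10`-style value, and `DockerImagName` reads like a typo for `DockerImageName`; the build_scan_container_image job also performs no scan step despite its name.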
@@ -0,0 +1,150 @@
+name: Release container images
+
+on:
+ pull_request:
+ types: [closed]
+ branches:
+ - master
+
+env:
+ ApplicationName: redis-operator
+ QuayImageName: quay.io/opstree/redis-operator
+ AppVersion: "v0.15.0"
+ DOCKERFILE_PATH: '**/Dockerfile'
+
+jobs:
+ setup:
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to Quay.io
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.ACCESS_TOKEN }}
+
+ build_arm64:
+ needs: setup
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check existing AppVersion
+ id: check_version_arm64
+ run: |
+ EXISTS=$(curl -s https://quay.io/api/v1/repository/${{ env.QuayImageName }}/tag/?specificTag=${{ env.AppVersion }}-arm64 | jq '.tags | length')
+ echo "::set-output name=exists::$EXISTS"
+
+ - name: Build and push arm64 image
+ if: steps.check_version_arm64.outputs.exists == '0'
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ file: ${{ env.DOCKERFILE_PATH }}
+ platforms: linux/arm64
+ push: true
+ tags: ${{ env.QuayImageName }}:${{ env.AppVersion }}-arm64
+
+ build_amd64:
+ needs: setup
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check existing AppVersion
+ id: check_version_amd64
+ run: |
+ EXISTS=$(curl -s https://quay.io/api/v1/repository/${{ env.QuayImageName }}/tag/?specificTag=${{ env.AppVersion }}-amd64 | jq '.tags | length')
+ echo "::set-output name=exists::$EXISTS"
+
+ - name: Build and push amd64 image
+ if: steps.check_version_amd64.outputs.exists == '0'
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ file: ${{ env.DOCKERFILE_PATH }}
+ platforms: linux/amd64
+ push: true
+ tags: ${{ env.QuayImageName }}:${{ env.AppVersion }}-amd64
+
+ build_multi_arch:
+ needs: setup
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check existing AppVersion
+ id: check_version_multi_arch
+ run: |
+ EXISTS=$(curl -s https://quay.io/api/v1/repository/${{ env.QuayImageName }}/tag/?specificTag=${{ env.AppVersion }} | jq '.tags | length')
+ echo "::set-output name=exists::$EXISTS"
+
+ - name: Build and push multi-arch image
+ if: steps.check_version_multi_arch.outputs.exists == '0'
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ file: ${{ env.DOCKERFILE_PATH }}
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ env.QuayImageName }}:${{ env.AppVersion }}
+
+ - name: Build and push multi-arch latest image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ file: ${{ env.DOCKERFILE_PATH }}
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ env.QuayImageName }}:latest
+
+ trivy_scan:
+ needs: [build_arm64, build_amd64, build_multi_arch]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Run Trivy vulnerability scanner for arm64 image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.QuayImageName }}:${{ env.AppVersion }}-arm64
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results-arm64.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ - name: Run Trivy vulnerability scanner for amd64 image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.QuayImageName }}:${{ env.AppVersion }}-amd64
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results-amd64.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ - name: Run Trivy vulnerability scanner for multi-arch image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.QuayImageName }}:${{ env.AppVersion }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results-latest.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ - name: Run Trivy vulnerability scanner for latest image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.QuayImageName }}:latest
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results-latest.sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
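Review bot: The registry login and checkout performed in the setup job do not carry over to build_arm64, build_amd64 or build_multi_arch, since each job starts on a fresh runner, so those jobs reach `docker/build-push-action` with `push: true` against an empty `context: .` and no Quay credentials; each build job needs its own checkout, setup-buildx and login-action steps (or the builds should be folded into the setup job), and `file: ${{ env.DOCKERFILE_PATH }}` passes the glob `**/Dockerfile`, which build-push-action is unlikely to resolve as a single Dockerfile path. `echo "::set-output name=exists::$EXISTS"` uses the deprecated workflow command; the current form is `echo "exists=$EXISTS" >> "$GITHUB_OUTPUT"`, and because a failed `curl`/`jq` leaves `EXISTS` empty, the `== '0'` guard silently skips the push instead of failing the job. trivy_scan runs only after the tags are already pushed to quay.io, so a CRITICAL/HIGH finding fails the job but leaves the vulnerable image published; scanning the locally built image before the push (or at least gating the `latest` push on the scan) keeps the registry clean, and the multi-arch and latest scans both write `trivy-results-latest.sarif`, so the first report is overwritten and none of the four reports is uploaded anywhere. `aquasecurity/trivy-action@master` is a mutable reference that should be pinned to a release tag or commit SHA, and a top-level `permissions: contents: read` would confine the GITHUB_TOKEN, which this workflow never otherwise uses.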