Skip to content

chore(deps): pin dependencies #127

chore(deps): pin dependencies

chore(deps): pin dependencies #127

Workflow file for this run

name: Rust
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
workflow_dispatch:
# Automatically cancel in-progress actions on the same branch
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
cancel-in-progress: true
env:
DOCKER_CONTAINER_IMAGE_BASE: lhr.ocir.io/lrdyqp2xtoja/argocd-appset-checked-pr-generator
# get correct commit sha for pull requests as well
COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
target:
- rust: aarch64-unknown-linux-musl
docker: linux/arm64
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: rui314/setup-mold@2e332a0b602c2fc65d2d3995941b1b29a5f554a0 # v1
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target.rust }}
- uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
with:
cache-all-crates: "true"
cache-on-failure: "true"
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
# nix dev shell setup
- uses: DeterminateSystems/nix-installer-action@b92f66560d6f97d6576405a7bae901ab57e72b6a # v15
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with: { name: "nix-community" }
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- name: test
run: nix develop -c cargo test
- name: build
env:
TARGET_CC: clang
run: nix develop .#${{ matrix.target.rust }} -c cargo build --target ${{ matrix.target.rust }} --release
- name: Login to Docker registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: lhr.ocir.io
username: ${{ secrets.OCIR_USERNAME }}
password: ${{ secrets.OCIR_TOKEN }}
- name: Docker meta tags generator
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
# use correct sha for pr commits
env:
DOCKER_METADATA_PR_HEAD_SHA: true
with:
images: |
${{ env.DOCKER_CONTAINER_IMAGE_BASE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=edge
type=sha,format=long
- name: Build Dockerfile
id: build-and-push-action-1
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: Dockerfile
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha
platforms: ${{ matrix.target.docker }}
build-args: |
RUST_TARGET_DIR=target/${{ matrix.target.rust }}/release
- run: docker push --all-tags $DOCKER_CONTAINER_IMAGE_BASE
- name: get image digest
id: docker-image-digest
run: |
# get digest of pushed image, and get rid of everything up to the actual digest (i.e. remove the repo and name)
DOCKER_IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA} | sed 's/.*@//')
echo docker_image_digest=$DOCKER_IMAGE_DIGEST >> $GITHUB_OUTPUT
echo "image digest: \`${DOCKER_IMAGE_DIGEST}\`" >> $GITHUB_STEP_SUMMARY
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
image-ref: ${{ env.DOCKER_CONTAINER_IMAGE_BASE }}:sha-${{ env.COMMIT_SHA }}
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL"
outputs:
pushed-image-digest: ${{ steps.docker-image-digest.outputs.docker_image_digest }}
deploy:
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: ${{ secrets.WRITE_BACK_TO_REPO_TOKEN }}
- name: install kustomize
id: kustomize-installation
run: |
curl -sfLo kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz
tar xzf ./kustomize.tar.gz
echo "KUSTOMIZE_COMMAND=$PWD/kustomize" >> $GITHUB_OUTPUT
- name: Update kustomization for new image
# in 'prod' folder
env:
KUSTOMIZE_COMMAND: ${{ steps.kustomize-installation.outputs.KUSTOMIZE_COMMAND }}
run: |
cd k8s/overlays/prod
# update image digest
$KUSTOMIZE_COMMAND edit set image \
${DOCKER_CONTAINER_IMAGE_BASE}=${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA}@${{ needs.build.outputs.pushed-image-digest }}
- name: Update version label
uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1
with:
cmd: yq -i '.labels[].pairs."app.kubernetes.io/version" = strenv(COMMIT_SHA)' k8s/overlays/prod/kustomization.yaml
- name: Commit to git
run: |
git config user.name github-actions
git config user.email [email protected]
git add k8s/overlays/prod
git commit -m "update: image to version $COMMIT_SHA
[no ci]"
git pull --rebase
git push
echo "Committed to infra" >> $GITHUB_STEP_SUMMARY