-
Notifications
You must be signed in to change notification settings - Fork 0
114 lines (114 loc) · 3.7 KB
/
ci-variant.yaml
File metadata and controls
114 lines (114 loc) · 3.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: CI variants
run-name: test-run-name-build-test
on: # yamllint disable-line rule:truthy
workflow_call:
inputs:
name:
description: Variant name
required: true
type: string
filter-tags:
description: Regex pattern to filter CloudNativePG PostgreSQL image tags
type: string
permissions:
actions: read
contents: read
security-events: write
jobs:
get-digests:
name: Get digests
permissions:
contents: read
runs-on: ubuntu-24.04
outputs:
digests: ${{ steps.get-digests.outputs.digests }}
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- id: get-digests
name: Get digests
run: |
./scripts/get_digests.sh
digests_json=$(jq -c '.' output/digests.json)
printf "digests=%s\n" "${digests_json}" >>"${GITHUB_OUTPUT:?}"
env:
FILTER_TAGS: ${{ inputs.filter-tags }}
COMPARE_REPOSITORY: czetech/cloudnativepg-postgresql
COMPARE_TAG_SUFFIX: ${{ inputs.name }}
- name: Upload digests to artifacts
uses:
# yamllint disable-line rule:line-length
actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: digests-${{ inputs.name }}
path: output
if-no-files-found: error
image:
name: Build image
permissions:
actions: read
contents: read
security-events: write
needs: get-digests
if: ${{ needs.get-digests.outputs.digests != '[]' }}
runs-on: ubuntu-24.04
env:
IMAGE: ${{ vars.IMAGE_REPOSITORY }}:test
POSTGRESQL_DIGEST: ${{ matrix.digest.digest }}
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses:
# yamllint disable-line rule:line-length
docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses:
# yamllint disable-line rule:line-length
docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Build image
uses:
# yamllint disable-line rule:line-length
docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
build-args: POSTGRESQL_DIGEST
cache-from: type=gha
cache-to: type=gha,mode=max
context: variants/${{ inputs.name }}
load: true
tags: ${{ env.IMAGE }}
- name: Lint image with Dockle
uses:
erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1.4.0
with:
image: ${{ env.IMAGE }}
dockle-version: 0.4.14
accept-keywords: key
accept-filenames: >-
usr/local/lib/python3.11/dist-packages/azure/core/settings.py,
usr/local/lib/python3.9/dist-packages/azure/core/settings.py
- name: Scan image with Trivy
uses:
# yamllint disable-line rule:line-length
aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
image-ref: ${{ env.IMAGE }}
format: sarif
output: trivy.sarif
scanners: vuln,secret,misconfig,license
- name: Upload Trivy results
uses:
# yamllint disable-line rule:line-length
github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
with:
sarif_file: trivy.sarif
category: trivy
- name: Test image
run: "\"./variants/${VARIANT:?}/test_image.sh\""
env:
VARIANT: ${{ inputs.name }}
timeout-minutes: 1
strategy:
matrix:
digest: ${{ fromJSON(needs.get-digests.outputs.digests) }}
fail-fast: false