-
Notifications
You must be signed in to change notification settings - Fork 2
200 lines (186 loc) · 6.7 KB
/
Copy pathbuild.yaml
File metadata and controls
200 lines (186 loc) · 6.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
name: Branch Build and Test
on:
workflow_dispatch:
push:
branches:
- main
- release/**
env:
# Set once from repo variable or override here for testing
STEP_SECURITY_EGRESS_POLICY: ${{ vars.STEP_SECURITY_EGRESS_POLICY || 'audit' }}
# Default to least permissions and then we can add as needed for each job.
# This is a secure by default approach and also makes it easier to reason
# about permissions for each job since they are not implicit from the workflow
permissions: read-all
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
get-meta:
name: Get meta information required for the build
uses: ./.github/workflows/call-get-metadata.yaml
permissions:
contents: read
with:
get-version-from-tag: false
use-full-linux-targets: false
ref: ${{ github.ref }}
build-image:
uses: ./.github/workflows/call-build-containers.yaml
needs:
- get-meta
permissions:
contents: read
packages: write
id-token: write
with:
version: ${{ needs.get-meta.outputs.version }}
ref: ${{ github.ref }}
nightly-build-info: ${{ needs.get-meta.outputs.date }}
dockerhub-username: ${{ vars.DOCKERHUB_USERNAME }}
secrets:
dockerhub-token: ${{ secrets.DOCKERHUB_PUBLIC_READ_TOKEN }}
cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign_private_key_password: ${{ secrets.COSIGN_PASSWORD }}
build-linux:
uses: ./.github/workflows/call-build-linux-packages.yaml
needs:
- get-meta
permissions:
contents: read
packages: read
with:
version: ${{ needs.get-meta.outputs.version }}
ref: ${{ github.ref }}
target-matrix: ${{ needs.get-meta.outputs.linux-targets }}
nightly-build-info: ${{ needs.get-meta.outputs.date }}
dockerhub-username: ${{ vars.DOCKERHUB_USERNAME }}
secrets:
dockerhub-token: ${{ secrets.DOCKERHUB_PUBLIC_READ_TOKEN }}
build-windows:
uses: ./.github/workflows/call-build-windows-packages.yaml
needs:
- get-meta
permissions:
contents: read
with:
version: ${{ needs.get-meta.outputs.version }}
ref: ${{ github.ref }}
nightly-build-info: ${{ needs.get-meta.outputs.date }}
build-macos:
uses: ./.github/workflows/call-build-macos-packages.yaml
needs:
- get-meta
permissions:
contents: read
with:
version: ${{ needs.get-meta.outputs.version }}
ref: ${{ github.ref }}
nightly-build-info: ${{ needs.get-meta.outputs.date }}
test-containers:
name: Test container images
uses: ./.github/workflows/call-test-containers.yaml
with:
image: ${{ matrix.image-base }}
image-tag: ${{ needs.build-image.outputs.version }}
ref: ${{ github.ref }}
secrets:
github-token: ${{ secrets.GITHUB_TOKEN }}
needs:
- get-meta
- build-image
permissions:
packages: read
contents: read
strategy:
fail-fast: false
matrix:
image-base:
- ${{ needs.get-meta.outputs.ubi-image-base }}
- ${{ needs.get-meta.outputs.debian-image-base }}
test-packages:
name: Test packages
needs:
- get-meta
- build-linux
uses: ./.github/workflows/call-test-packages.yaml
permissions:
contents: read
packages: read
with:
build-matrix: ${{ needs.get-meta.outputs.linux-targets }}
version: ${{ needs.get-meta.outputs.version }}
ref: ${{ github.ref }}
dockerhub-username: ${{ vars.DOCKERHUB_USERNAME }}
secrets:
dockerhub-token: ${{ secrets.DOCKERHUB_PUBLIC_READ_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
# Staging upload: signs packages and uploads to GCS staging for every commit on main/release branches.
# The actual GitHub release is only created for version tags (handled by release-build.yaml).
staging-upload:
name: Sign and upload staging artefacts
needs:
- get-meta
- build-linux
- build-windows
- build-macos
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
id-token: write
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Authenticate with GCP
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
service_account: "terraform-infra@infrastructure-464010.iam.gserviceaccount.com"
- name: Sign packages
# Ignore any failures so we upload anything we do have
continue-on-error: true
uses: ./.github/actions/sign-packages
- name: Upload packages to Google Cloud Storage
id: upload-packages
uses: google-github-actions/upload-cloud-storage@6397bd7208e18d13ba2619ee21b9873edc94427a # v3.0.0
with:
path: output/
# We still use the old buckets from before our rename
destination: fluentdo-agent-staging/${{ needs.get-meta.outputs.version }}/
# Required to support our auto-release cron job that looks for the last successful build.
# This job is required for the auto-release workflow to work as we search for its name.
tests-complete:
name: All tests complete
# We use this to always run even if a previous job fails or is skipped (which we check for)
if: always()
needs:
- build-linux
- build-windows
- build-macos
- build-image
- test-containers
# TODO: remove once failures are resolved to ensure auto-release job still goes ahead with latest commit
# https://github.com/telemetryforge/agent/issues/73
# - test-packages
# Add additional jobs here as required that must complete
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
# Add any jobs that can be skipped here to avoid failure of this job
# allowed-skips: build-macos
# Convert the needs object to JSON to pass it in
jobs: ${{ toJSON(needs) }}
- name: All tests complete
run: echo "All tests complete"
shell: bash