Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 43 additions & 38 deletions .github/workflows/devel.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,47 +9,52 @@ permissions:
pull-requests: read

jobs:
trivy:
permissions:
actions: read
contents: read
security-events: write
uses: "./.github/workflows/lib-trivy.yaml"
with:
upload-to-github-security-tab: true

validate:
uses: "./.github/workflows/lib-validate.yaml"
# trivy:
# permissions:
# actions: read
# contents: read
# security-events: write
# uses: "./.github/workflows/lib-trivy.yaml"
# with:
# upload-to-github-security-tab: true

# validate:
# uses: "./.github/workflows/lib-validate.yaml"

# codeql:
# permissions:
# actions: read
# contents: read
# security-events: write
# uses: "./.github/workflows/lib-codeql.yaml"

# scorecard:
# permissions:
# contents: read
# id-token: write
# security-events: write
# uses: "./.github/workflows/lib-scorecard.yaml"

# build:
# needs:
# - validate
# - trivy
# uses: "./.github/workflows/lib-build.yaml"

# e2e:
# needs:
# - build
# uses: "./.github/workflows/lib-e2e.yaml"

codeql:
permissions:
actions: read
contents: read
security-events: write
uses: "./.github/workflows/lib-codeql.yaml"

scorecard:
# devel image push
publish:
permissions:
contents: read
id-token: write
security-events: write
uses: "./.github/workflows/lib-scorecard.yaml"

build:
needs:
- validate
- trivy
uses: "./.github/workflows/lib-build.yaml"

e2e:
needs:
- build
uses: "./.github/workflows/lib-e2e.yaml"

# devel image push
publish:
needs:
- e2e
- build
# needs:
# - e2e
# - build
uses: "./.github/workflows/lib-publish.yaml"
secrets: inherit
with:
registry: docker.io/tkatila
66 changes: 43 additions & 23 deletions .github/workflows/lib-publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,41 +6,49 @@ on:
default: "devel"
required: false
type: string
registry:
default: "docker.io/intel"
required: false
type: string
env:
no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"

permissions:
contents: read
id-token: write

jobs:
image:
name: Build image
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
image:
- intel-fpga-admissionwebhook
- intel-fpga-initcontainer
- intel-gpu-initcontainer
# - intel-fpga-admissionwebhook
# - intel-fpga-initcontainer
# - intel-gpu-initcontainer
- intel-gpu-plugin
- intel-fpga-plugin
- intel-qat-initcontainer
- intel-qat-plugin
- intel-deviceplugin-operator
- intel-sgx-admissionwebhook
- intel-sgx-plugin
- intel-sgx-initcontainer
- intel-dsa-plugin
- intel-iaa-plugin
- intel-idxd-config-initcontainer
- intel-dlb-plugin
- intel-dlb-initcontainer
- intel-xpumanager-sidecar
# - intel-fpga-plugin
# - intel-qat-initcontainer
# - intel-qat-plugin
# - intel-deviceplugin-operator
# - intel-sgx-admissionwebhook
# - intel-sgx-plugin
# - intel-sgx-initcontainer
# - intel-dsa-plugin
# - intel-iaa-plugin
# - intel-idxd-config-initcontainer
# - intel-dlb-plugin
# - intel-dlb-initcontainer
# - intel-xpumanager-sidecar

# # Demo images
- crypto-perf
- opae-nlb-demo
# # # Demo images
# - crypto-perf
# - opae-nlb-demo
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
Expand All @@ -52,21 +60,33 @@ jobs:
env:
IMAGE_NAME: ${{ matrix.image }}
run: |
REG=intel/ make ${IMAGE_NAME} BUILDER=docker
ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
- name: Trivy scan for image
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
scan-type: image
image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
exit-code: 1
- name: Test image base layer
# Don't run base layer check for selected images
if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
- name: Login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASS }}
- name: Push
run: docker push intel/${{ matrix.image }}:${{ inputs.image_tag }}
run: docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
- name: Get image digest
if: ${{ inputs.image_tag != 'devel' }}
id: digest
run: |
echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
- name: Install cosign
if: ${{ inputs.image_tag != 'devel' }}
uses: sigstore/cosign-installer@v3.6.0
- name: Keyless image sign
if: ${{ inputs.image_tag != 'devel' }}
run: |
cosign sign --yes ${{ steps.digest.outputs.image_sha }}
30 changes: 17 additions & 13 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,25 +20,29 @@ jobs:
# remove first character (v)
run: echo "tag=${TAGNAME:1}" >> "$GITHUB_OUTPUT"

trivy:
name: Trivy
uses: "./.github/workflows/lib-trivy.yaml"
permissions:
actions: read
contents: read
security-events: write
with:
deployments: false
dockerfiles: false
export-csv: true
upload-to-github-security-tab: false
# trivy:
# name: Trivy
# uses: "./.github/workflows/lib-trivy.yaml"
# permissions:
# actions: read
# contents: read
# security-events: write
# with:
# deployments: false
# dockerfiles: false
# export-csv: true
# upload-to-github-security-tab: false

build:
name: Build & Publish
permissions:
contents: read
id-token: write
needs:
- trivy
# - trivy
- tag_fix
uses: "./.github/workflows/lib-publish.yaml"
secrets: inherit
with:
image_tag: ${{ needs.tag_fix.outputs.fixed_tag }}
registry: docker.io/tkatila
14 changes: 7 additions & 7 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,16 @@ require (
golang.org/x/text v0.17.0
google.golang.org/grpc v1.65.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.31.0-beta.0
k8s.io/apimachinery v0.31.0-beta.0
k8s.io/client-go v0.31.0-beta.0
k8s.io/component-base v0.31.0-beta.0
k8s.io/api v0.31.0
k8s.io/apimachinery v0.31.0
k8s.io/client-go v0.31.0
k8s.io/component-base v0.31.0
k8s.io/klog/v2 v2.130.1
k8s.io/kubelet v0.31.0-beta.0
k8s.io/kubernetes v1.31.0-beta.0
k8s.io/pod-security-admission v0.0.0
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869
sigs.k8s.io/controller-runtime v0.19.0
sigs.k8s.io/yaml v1.4.0
tags.cncf.io/container-device-interface/specs-go v0.8.0
)
Expand Down Expand Up @@ -114,8 +114,8 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.31.0-beta.0 // indirect
k8s.io/apiserver v0.31.0-beta.0 // indirect
k8s.io/apiextensions-apiserver v0.31.0 // indirect
k8s.io/apiserver v0.31.0 // indirect
k8s.io/cloud-provider v0.0.0 // indirect
k8s.io/component-helpers v0.31.0-beta.0 // indirect
k8s.io/controller-manager v0.31.0-beta.0 // indirect
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -338,8 +338,8 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869 h1:9+0SFkDM+/1JJQQoG+Zk/lZXTT87mZwc6qmIezGhEq8=
sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869/go.mod h1:0N/oS51dz0ZJriISp1SloFWkR7uKCDC6LBt65tRt2J0=
sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
Expand Down