-
Notifications
You must be signed in to change notification settings - Fork 0
182 lines (176 loc) · 6.97 KB
/
continuous-integration.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
name: Continuous Integration
# Controls when the workflow will run
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
LM_K8S_WEBHOOK_IMAGE_NAME: lm-k8s-webhook
LM_RELOADER_IMAGE_NAME: lm-config-reloader
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
setup-environment:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v2
- name: Setup Go
uses: actions/[email protected]
with:
go-version: 1.17
- name: Cache Modules
id: module-cache
uses: actions/cache@v2
with:
path: /home/runner/go/pkg/mod
key: go-pkg-mod-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
- name: Install dependencies
if: steps.module-cache.outputs.cache-hit != 'true'
run: make gomoddownload
- name: Cache Tools
id: tool-cache
uses: actions/cache@v2
with:
path: /home/runner/go/bin
key: tools-${{ runner.os }}-${{ hashFiles('./internal/tools/go.mod') }}
- name: Install Tools
if: steps.tool-cache.outputs.cache-hit != 'true'
run: make install-tools
lint:
name: lint
runs-on: ubuntu-latest
needs: [setup-environment]
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Checkout Code
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: 1.17.x
- name: Run Linters
uses: golangci/golangci-lint-action@v2
with:
version: v1.29
args: --timeout=5m
unittest:
name: unit-test
needs: lint
runs-on: ubuntu-latest
if: needs.lint.result == 'success'
steps:
- name: Checkout Code
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: 1.17.x
- name: Cache Modules
id: module-cache
uses: actions/cache@v2
with:
path: /home/runner/go/pkg/mod
key: go-pkg-mod-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
- name: Cache Tools
id: tool-cache
uses: actions/cache@v2
with:
path: /home/runner/go/bin
key: tools-${{ runner.os }}-${{ hashFiles('./internal/tools/go.mod') }}
- name: Run Unit Tests
run: make gotest
test-coverage:
name: test-coverage
needs: lint
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: 1.17.x
- name: Cache Modules
id: module-cache
uses: actions/cache@v2
with:
path: /home/runner/go/pkg/mod
key: go-pkg-mod-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
- name: Cache Tools
id: tool-cache
uses: actions/cache@v2
with:
path: /home/runner/go/bin
key: tools-${{ runner.os }}-${{ hashFiles('./internal/tools/go.mod') }}
- name: Run Go Unit Tests With Coverage
run: make gotest-with-cover
- uses: codecov/codecov-action@v2
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: coverage.txt
fail_ci_if_error: true # optional (default = false)
verbose: true # optional (default = false)
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: '-no-fail -fmt sarif -out code-scan-results.sarif ./...'
- name: Upload Gosec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: code-scan-results.sarif
vulnerabilities-scan:
name: vulnerabilities-scan
needs: lint
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set env vars for the job
run: |
grep -v '\#' versions.txt | grep lm-k8s-webhook | awk -F= '{print "LM_WEBHOOK_VERSION="$2}' >> $GITHUB_ENV
grep -v '\#' versions.txt | grep lm-config-reloader | awk -F= '{print "LM_RELOADER_VERSION="$2}' >> $GITHUB_ENV
echo "VERSION_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
echo "LM_WEBHOOK_VERSION_PKG=github.com/logicmonitor/lm-k8s-webhook/internal/version"
echo "LM_RELOADER_VERSION_PKG=github.com/logicmonitor/lm-k8s-webhook/lm-config-reloader/internal/version"
- name: Build an image from Dockerfile for lm-k8s-webhook
run: |
docker build --build-arg VERSION_PKG=${{ env.LM_WEBHOOK_VERSION_PKG }} --build-arg LM_K8S_VERSION=${{ env.LM_WEBHOOK_VERSION }} --build-arg VERSION_DATE=${{ env.VERSION_DATE }} -t ghcr.io/${{ github.repository_owner }}/${{ env.LM_K8S_WEBHOOK_IMAGE_NAME }}:${{ env.LM_WEBHOOK_VERSION }} .
- name: Run Trivy vulnerability scanner for lm-k8s-webhook
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/${{ env.LM_K8S_WEBHOOK_IMAGE_NAME }}:${{ env.LM_WEBHOOK_VERSION }}'
format: 'sarif'
output: 'trivy-results-lm-k8s-webhook-image.sarif'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results-lm-k8s-webhook-image.sarif'
category: lm-k8s-webhook-scan-results
- name: Build an image for lm-config-reloader
run: |
docker build --build-arg VERSION_PKG=${{ env.LM_RELOADER_VERSION_PKG }} --build-arg LM_RELOADER_VERSION=${{ env.LM_RELOADER_VERSION }} --build-arg VERSION_DATE=${{ env.VERSION_DATE }} -t ghcr.io/${{ github.repository_owner }}/${{ env.LM_RELOADER_IMAGE_NAME }}:${{ env.LM_RELOADER_VERSION }} ./lm-config-reloader/.
- name: Run Trivy vulnerability scanner for lm-config-reloader
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/${{ env.LM_RELOADER_IMAGE_NAME }}:${{ env.LM_RELOADER_VERSION }}'
format: 'sarif'
output: 'trivy-results-lm-config-reloader-image.sarif'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results-lm-config-reloader-image.sarif'
category: lm-config-reloader-scan-results