Auto generated from templates by gromit #1940
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by: gromit policy | ||
| # Generated on: Thu Nov 16 23:48:52 UTC 2023 | ||
| # Distribution channels covered by this workflow | ||
| # - Ubuntu and Debian | ||
| # - RHEL and AL | ||
| # - docker hub | ||
| # - devenv ECR | ||
| # - Cloudsmith | ||
| name: Release | ||
| on: | ||
| pull_request: | ||
| push: | ||
| branches: | ||
| - master | ||
| - release-** | ||
| tags: | ||
| - 'v*' | ||
| env: | ||
| GOPRIVATE: github.com/TykTechnologies | ||
| jobs: | ||
| goreleaser: | ||
| name: '${{ matrix.golang_cross }}' | ||
| runs-on: ubuntu-latest | ||
| container: 'tykio/golang-cross:${{ matrix.golang_cross }}' | ||
| permissions: | ||
| id-token: write # AWS OIDC JWT | ||
| contents: read # actions/checkout | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| golang_cross: | ||
| - 1.19-bullseye | ||
| include: | ||
| - golang_cross: 1.19-bullseye | ||
| goreleaser: 'ci/goreleaser/goreleaser.yml' | ||
| cgo: 0 | ||
| rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023' | ||
| debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm' | ||
| outputs: | ||
| tags: ${{ steps.metadata.outputs.tags }} | ||
| steps: | ||
| - name: Fix private module deps | ||
| env: | ||
| TOKEN: '${{ secrets.ORG_GH_TOKEN }}' | ||
| run: > | ||
| git config --global url."https://${TOKEN}@github.com".insteadOf "https://github.com" | ||
| - name: Checkout of tyk-pump | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
| - name: "Add Git safe.directory" | ||
| run: git config --global --add safe.directory $GITHUB_WORKSPACE | ||
| - uses: docker/setup-qemu-action@v3 | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - name: Login to DockerHub | ||
| if: startsWith(github.ref, 'refs/tags') | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - name: Login to Cloudsmith | ||
| if: startsWith(github.ref, 'refs/tags') | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: docker.tyk.io | ||
| username: ${{ secrets.CLOUDSMITH_USERNAME }} | ||
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | ||
| - name: Unlock agent | ||
| env: | ||
| NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} | ||
| GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20 | ||
| PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | ||
| run: | ||
| ci/bin/unlock-agent.sh | ||
| - uses: actions/cache@v3 | ||
| with: | ||
| path: | | ||
| ~/.cache/go-build | ||
| ~/go/pkg/mod | ||
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
| - uses: goreleaser/goreleaser-action@v4 | ||
| with: | ||
| version: latest | ||
| args: release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot' || '' }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| CGO_ENABLED: ${{ matrix.cgo }} | ||
| NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} | ||
| NFPM_PAYG_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} | ||
| GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20 | ||
| PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | ||
| GOLANG_CROSS: ${{ matrix.golang_cross }} | ||
| DEBVERS: ${{ matrix.debvers }} | ||
| RPMVERS: ${{ matrix.rpmvers }} | ||
| PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | ||
| - uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | ||
| role-session-name: cipush | ||
| aws-region: eu-central-1 | ||
| # Don't mask to pass it across job boundaries | ||
| mask-aws-account-id: false | ||
| - uses: aws-actions/amazon-ecr-login@v1 | ||
| id: ecr | ||
| with: | ||
| mask-password: 'true' | ||
| - name: Docker metadata for CI | ||
| id: metadata | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ steps.ecr.outputs.registry }}/tyk-pump | ||
| flavor: | | ||
| latest=false | ||
| tags: | | ||
| type=ref,event=branch | ||
| type=ref,event=pr | ||
| type=sha,format=long | ||
| type=semver,pattern=v{{major}}.{{minor}},prefix=v | ||
| type=semver,pattern=v{{version}},prefix=v | ||
| - name: CI push | ||
| shell: bash | ||
| env: | ||
| t: ${{ steps.metadata.outputs.tags }} | ||
| build_tag: ${{ startswith(github.ref, 'refs/tags') && github.ref_name || 'v0.0.0' }} | ||
| run: | | ||
| set +e | ||
| IFS=$'\n' tags=($t) | ||
| for tag in "${tags[@]}"; do | ||
| for arch in amd64 arm64; do | ||
| docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch} | ||
| done | ||
| docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag} | ||
| done | ||
| - uses: actions/upload-artifact@v3 | ||
| if: ${{ matrix.golang_cross == '1.19-bullseye' }} | ||
| with: | ||
| name: deb | ||
| retention-days: 1 | ||
| path: | | ||
| dist/*.deb | ||
| !dist/*PAYG*.deb | ||
| - uses: actions/upload-artifact@v3 | ||
| if: ${{ matrix.golang_cross == '1.19-bullseye' }} | ||
| with: | ||
| name: rpm | ||
| retention-days: 1 | ||
| path: | | ||
| dist/*.rpm | ||
| !dist/*PAYG*.rpm | ||
| api-tests: | ||
| needs: goreleaser | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write # This is required for requesting the JWT | ||
| contents: read # This is required for actions/checkout | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| conf: [ "sha256", "murmur64" ] | ||
| db: [ "mongo44", "postgres15" ] | ||
| include: | ||
| - db: postgres15 | ||
| markers: "and not sql" | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
| submodules: false | ||
| - name: Checkout of tyk-automated-tests | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: TykTechnologies/tyk-automated-tests | ||
| token: ${{ secrets.ORG_GH_TOKEN }} | ||
| ref: ${{ startsWith(github.ref_name, 'release-') && github.ref_name || 'master' }} | ||
| path: tyk-automated-tests | ||
| - uses: aws-actions/configure-aws-credentials@v2 | ||
| with: | ||
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | ||
| role-session-name: cipush | ||
| aws-region: eu-central-1 | ||
| - id: ecr | ||
| uses: aws-actions/amazon-ecr-login@v1 | ||
| with: | ||
| mask-password: 'true' | ||
| # Only ${{ github.actor }} has access | ||
| # See https://github.com/mxschmitt/action-tmate#use-registered-public-ssh-keys | ||
| - name: Setup tmate session only in debug mode | ||
| uses: mxschmitt/action-tmate@v3 | ||
| if: ${{ runner.debug == '1' }} | ||
| with: | ||
| detached: true | ||
| limit-access-to-actor: true | ||
| - name: env up | ||
| shell: bash | ||
| working-directory: tyk-automated-tests/ci/auto | ||
| id: env_up | ||
| env: | ||
| t: ${{ needs.goreleaser.outputs.tags }} | ||
| pull_policy: 'if_not_present' | ||
| # gw and dash use the same branch names | ||
| gw_dash_image_tag: ${{ ( (github.repository == 'TykTechnologies/tyk' || github.repository == 'TykTechnologies/tyk-analytics') && startsWith(github.ref_name, 'release-') ) && github.ref_name || 'master' }} | ||
| pump_image_tag: ${{ ( github.repository == 'TykTechnologies/tyk-pump' && startsWith(github.ref_name, 'release-') ) && github.ref_name || 'master' }} | ||
| sink_image_tag: ${{ ( github.repository == 'TykTechnologies/tyk-sink' && startsWith(github.ref_name, 'release-') ) && github.ref_name || 'master' }} | ||
| GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | ||
| TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }} | ||
| TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }} | ||
| run: | | ||
| echo CI tags: $t | ||
| tags=($t) | ||
| echo First tag: ${tags[0]} | ||
| # Start customising the env | ||
| echo "registry=${{ steps.ecr.outputs.registry }} | ||
| tyk_image=\${registry}/tyk:${gw_dash_image_tag} | ||
| tyk_alfa_image=\${registry}/tyk:${gw_dash_image_tag} | ||
| tyk_beta_image=\${registry}/tyk:${gw_dash_image_tag} | ||
| tyk_analytics_image=\${registry}/tyk-analytics:${gw_dash_image_tag} | ||
| tyk_sink_image=\${registry}/tyk-sink:${sink_image_tag} | ||
| tyk_pump_image=\${registry}/tyk-pump:${pump_image_tag} | ||
| # override default above with just built tag | ||
| tyk_pump_image=${tags[0]} | ||
| # base dir for config files | ||
| confs_dir=./pro-ha | ||
| # pick database to use | ||
| env_file=local-${{ matrix.db }}.env | ||
| " > versions.env | ||
| # Add Tyk component config variations to $env_file | ||
| cat confs/${{ matrix.conf }}.env >> local-${{ matrix.db }}.env | ||
| # bring up env, the project name is important | ||
| docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml --env-file versions.env --profile master-datacenter up --quiet-pull -d | ||
| ./dash-bootstrap.sh http://localhost:3000 | ||
| docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml --env-file versions.env --profile slave-datacenter up --quiet-pull -d | ||
| - name: Run tests | ||
| working-directory: tyk-automated-tests/ci/auto | ||
| id: test_execution | ||
| run: | | ||
| docker run --rm --network auto_default --env-file pytest.env \ | ||
| ${{ steps.ecr.outputs.registry }}/tyk-automated-tests:${{ startsWith(github.ref_name, 'release-') && github.ref_name || 'master' }} \ | ||
| pytest -c pytest_ci.ini --ci -m "not local and not dind ${{ matrix.markers }}" | ||
| # TODO: PR comment, using just one comment and updating, not a new comment each time | ||
| - name: Set test result | ||
| id: test_result | ||
| if: always() && steps.test_execution.outcome != 'success' | ||
| run: echo "pytest_run=${{ steps.test_execution.outcome }}" >> $GITHUB_OUTPUT | ||
| - name: Archive Integration tests report | ||
| if: ${{ always() }} | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: api-test-report | ||
| path: ${{ github.workspace }}/reports | ||
| - name: Fetch commit author | ||
| if: ${{ steps.test_execution.outcome != 'success' && !github.event.pull_request.draft }} | ||
| run: echo "GIT_USER_EMAIL=$(git show -s --format='%ae' HEAD)" >> $GITHUB_ENV | ||
| - name: Fetch slack user | ||
| if: ${{ steps.test_execution.outcome != 'success' && !github.event.pull_request.draft }} | ||
| id: fetch_slack_user | ||
| uses: TykTechnologies/github-actions/.github/actions/github-to-slack@main | ||
| with: | ||
| github_email: ${{ env.GIT_USER_EMAIL }} | ||
| - name: Notify slack | ||
| if: ${{ steps.test_execution.outcome != 'success' && !github.event.pull_request.draft }} | ||
| uses: rtCamp/action-slack-notify@v2 | ||
| env: | ||
| SLACK_WEBHOOK: ${{ secrets.API_TEST_ALERT_SLACK_WEBHOOK }} | ||
| SLACK_COLOR: ${{ job.status }} | ||
| SLACK_TITLE: "Result: ${{ steps.test_execution.outcome }}" | ||
| SLACK_USERNAME: API INTEGRATION TESTS | ||
| SLACK_MESSAGE: "*Test*: ${{ matrix.db }}-${{ matrix.conf }}, *Author*: ${{ steps.fetch_slack_user.outputs.slack-user-name }}" | ||
| SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|SEE EXECUTION DETAILS HERE>" | ||
| - name: Comment on PR | ||
| if: ${{ always() && !github.event.pull_request.draft }} | ||
| uses: mshick/add-pr-comment@v2 | ||
| with: | ||
| message: | | ||
| **API tests result - ${{ matrix.db }}-${{ matrix.conf }} env: ${{ steps.test_execution.outcome }}** ${{ env.STATUS }} | ||
| Branch used: ${{ github.ref }} | ||
| Commit: ${{ github.event.after }} ${{ github.event.commits[0].message }} | ||
| Triggered by: ${{ github.event_name }} (@${{ github.actor }}) | ||
| [Execution page](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) | ||
| repo-token: ${{ secrets.ORG_GH_TOKEN }} | ||
| message-id: ${{ matrix.db }}-${{ matrix.conf }} | ||
| env: | ||
| STATUS: "${{ steps.test_execution.outcome == 'success' && ':white_check_mark:' || ':no_entry_sign:' }}" | ||
| - name: Getting gateway logs on failure | ||
| if: ${{ failure() }} | ||
| run: docker logs tyk | ||
| - name: Getting dashboard logs on failure | ||
| if: ${{ failure() }} | ||
| run: docker logs tyk-analytics | ||
| xray: | ||
| needs: api-tests | ||
| runs-on: ubuntu-latest | ||
| if: always() && github.event_name == 'push' | ||
| steps: | ||
| - name: Checkout of tyk-automated-tests | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| repository: TykTechnologies/tyk-automated-tests | ||
| token: ${{ secrets.ORG_GH_TOKEN }} | ||
| ref: ${{ startsWith(github.ref_name, 'release-') && github.ref_name || 'master' }} | ||
| path: tyk-automated-tests | ||
| - name: Xray update | ||
| run: | | ||
| ./update_xray.sh | ||
| working-directory: tyk-automated-tests | ||
| env: | ||
| TEST: "QA-1307" | ||
| STATUS: ${{ needs.api-tests.outputs.api_test_result || 'success' }} | ||
| CLIENT_ID: ${{secrets.XRAY_CLIENT_ID}} | ||
| CLIENT_SECRET: ${{secrets.XRAY_CLIENT_SECRET}} | ||
| BRANCH: ${{ github.ref }} | ||
| /* if repo covered by api-tests */ | ||
| upgrade-deb: | ||
| if: startsWith(github.ref, 'refs/tags') | ||
| services: | ||
| httpbin.org: | ||
| image: kennethreitz/httpbin | ||
| runs-on: ubuntu-latest | ||
| needs: goreleaser | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: | ||
| - amd64 | ||
| - arm64 | ||
| distro: | ||
| - ubuntu:bionic | ||
| - ubuntu:focal | ||
| - ubuntu:jammy | ||
| - debian:bullseye | ||
| - debian:bookworm | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
| - uses: actions/download-artifact@v3 | ||
| with: | ||
| name: deb | ||
| - uses: docker/setup-qemu-action@v3 | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - name: generate dockerfile | ||
| run: | | ||
| echo 'FROM ${{ matrix.distro }} | ||
| ARG TARGETARCH | ||
| COPY tyk-pump*_${TARGETARCH}.deb /tyk-pump.deb | ||
| RUN apt-get update && apt-get install -y curl | ||
| RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.deb.sh | bash && apt-get install -y tyk-pump=1.6.0 | ||
| RUN dpkg -i tyk-pump.deb | ||
| ' > Dockerfile | ||
| - name: install on ${{ matrix.distro }} | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: "." | ||
| platforms: linux/${{ matrix.arch }} | ||
| file: Dockerfile | ||
| push: false | ||
| upgrade-rpm: | ||
| if: startsWith(github.ref, 'refs/tags') | ||
| services: | ||
| httpbin.org: | ||
| image: kennethreitz/httpbin | ||
| needs: goreleaser | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| distro: | ||
| - amazonlinux:2023 | ||
| - registry.access.redhat.com/ubi8/ubi | ||
| - registry.access.redhat.com/ubi9/ubi | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
| - uses: actions/download-artifact@v3 | ||
| with: | ||
| name: rpm | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - name: generate dockerfile | ||
| run: | | ||
| echo 'FROM ${{ matrix.distro }} | ||
| COPY tyk-pump*.x86_64.rpm /tyk-pump.rpm | ||
| RUN yum install --allowerasing -y curl | ||
| RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash && yum install -y tyk-pump-1.6.0-1 | ||
| RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-pump.key && rpm --import tyk-pump.key | ||
| RUN rpm --checksig tyk-pump.rpm | ||
| RUN rpm -Uvh --force tyk-pump.rpm | ||
| ' > Dockerfile | ||
| - name: install on ${{ matrix.distro }} | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: "." | ||
| file: Dockerfile | ||
| push: false | ||
| smoke-tests: | ||
| needs: | ||
| - goreleaser | ||
| permissions: | ||
| id-token: write # This is required for requesting the JWT | ||
| contents: read # This is required for actions/checkout | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
| - uses: aws-actions/configure-aws-credentials@v2 | ||
| with: | ||
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | ||
| role-session-name: cipush | ||
| aws-region: eu-central-1 | ||
| - id: ecr | ||
| uses: aws-actions/amazon-ecr-login@v1 | ||
| with: | ||
| mask-password: 'true' | ||
| - name: Run ci/tests | ||
| shell: bash | ||
| env: | ||
| GITHUB_TAG: ${{ github.ref }} /* mdcb or dash */ | ||
| run: | | ||
| set -eaxo pipefail | ||
| if [ ! -d smoke-tests ]; then | ||
| echo "::warning No repo specific smoke tests defined" | ||
| fi | ||
| if [ ! -d ci/tests ]; then | ||
| echo "::warning No ci tests defined" | ||
| exit 0 | ||
| fi | ||
| for d in ci/tests/*/ | ||
| do | ||
| echo Attempting to test $d | ||
| if [ -d $d ] && [ -e $d/test.sh ]; then | ||
| cd $d | ||
| ./test.sh ${{ steps.ecr.outputs.registry }}/{{ .Name }}:sha-${{ github.sha }} | ||
| cd - | ||
| fi | ||
| done | ||
| for d in smoke-tests/*/ | ||
| do | ||
| echo Attempting to test $d | ||
| if [ -d $d ] && [ -e $d/test.sh ]; then | ||
| cd $d | ||
| ./test.sh ${{ steps.ecr.outputs.registry }}/{{ .Name }}:sha-${{ github.sha }} | ||
| cd - | ||
| fi | ||
| done | ||
| sbom: | ||
| needs: goreleaser | ||
| uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main | ||
| secrets: | ||
| DEPDASH_URL: ${{ secrets.DEPDASH_URL }} | ||
| DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }} | ||
| ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | ||
