Skip to content

update(spire-agent): upgrade dependency packages #27

update(spire-agent): upgrade dependency packages

update(spire-agent): upgrade dependency packages #27

name: spire-agent workflow
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-*"
pull_request_target:
branches:
- "*"
env:
GO_VERSION: 1.20.1
REPO: 956994857092.dkr.ecr.us-east-2.amazonaws.com
IMAGE_NAME: spire-agent
CHART_NAME: spire-agent
CHART_PATH: ./spire-agent-chart
CHART_REVISION_NAME: spire-agent
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
AWS_REGION: us-east-2
permissions:
contents: read
jobs:
tag-validate:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: rubenesp87/[email protected]
with:
version: ${{ github.ref_name }}
cache-deps:
name: cache-deps (linux)
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Set git token
run: git remote set-url origin https://${{ secrets.V_GIT_KEY }}@github.com/accuknox/spire.git
- name: Update submodules
run: git submodule update --init --recursive
- name: Setup dep cache
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Pull go deps
run: go mod download
artifacts:
name: artifacts (linux)
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Build artifacts
run: ./.github/workflows/scripts/build_artifacts.sh
images:
name: images (linux)
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
- name: Setup go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # ratchet:actions/[email protected]
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/[email protected]
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/[email protected]
- name: download regctl
run: |
curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
chmod 755 regctl
mv regctl /usr/bin
whereis regctl
- name: Build spire-agent-image
run: make spire-agent-image
- name: load spire-agent-image
run: make load-images
- name: Tag docker images
run: docker image tag ${{ env.IMAGE_NAME }}:latest ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
docker-image-scan:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.tag-validate.result, 'failure')
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
output: ./trivy-results
severity: CRITICAL,HIGH
exit-code: 0
docker-image-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-scan, helm-chart-validate]
steps:
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Docker push to ECR
shell: bash
run: docker push ${{ env.REPO }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
helm-chart-validate:
runs-on: ubuntu-latest
needs: [tag-validate]
if: always() && !contains(needs.version-validation.result, 'failure')
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Validate helm chart
uses: accuknox/common-gh-actions/actions/helm-check@main
with:
chart-path: ${{ env.CHART_PATH }}
revision-name: ${{ env.CHART_REVISION_NAME }}
helm-chart-push:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [docker-image-push]
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Push helm chart to ECR
uses: accuknox/common-gh-actions/actions/helm-push@main
with:
chart-path: ${{ env.CHART_PATH }}
version: ${{ github.ref_name }}
ecr-region: ${{ env.AWS_REGION }}
ecr-repo: ${{ env.REPO }}
success:
runs-on: ubuntu-20.04
needs: [artifacts]
permissions:
contents: read
steps:
- name: Declare victory!
run: echo "# Successful" >> $GITHUB_STEP_SUMMARY