name: Release
# Triggered by any pushed tag whose name starts with "v" (for example v6.1).
# The tag name is the only input to the release: the jobs below strip the
# leading "v" and use the remainder as the image tag, so anyone who can push a
# matching tag can drive a publish.
on:
  push:
    tags:
      - 'v*'
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
# write is needed for:
# - OIDC for cosign's use in ecm-distro-tools/publish-image.
# - Read vault secrets in rancher-eio/read-vault-secrets.
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Parse target tag
run: |
TARGET=${{ github.ref_name }}
echo "TAG=${TARGET#v}" >> $GITHUB_ENV
- name: Download vulnerability database
run: |
wget https://${{ secrets.VULNDB_SERVER }}/${TAG}/cvedb.regular -O data/cvedb.regular
- name: Publish neuvector manifest
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
push-to-public: true
push-to-prime: false
image: scanner
tag: ${{ env.TAG }}
platforms: linux/amd64,linux/arm64
public-registry: docker.io
public-repo: neuvector
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
- name: Publish rancher manifest
uses: rancher/ecm-distro-tools/actions/publish-image@master
env:
IMAGE_PREFIX: neuvector-
with:
image: neuvector-scanner
tag: ${{ env.TAG }}
platforms: linux/amd64,linux/arm64
public-registry: docker.io
public-repo: rancher
public-username: ${{ env.RANCHER_DOCKER_USERNAME }}
public-password: ${{ env.RANCHER_DOCKER_PASSWORD }}
prime-registry: ${{ env.PRIME_REGISTRY }}
prime-repo: rancher
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
retag:
runs-on: ubuntu-latest
needs: [publish]
permissions:
contents: read
# write is needed for:
# - OIDC for cosign's use in ecm-distro-tools/publish-image.
# - Read vault secrets in rancher-eio/read-vault-secrets.
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Parse target tag
run: |
TARGET=${{ github.ref_name }}
echo "TAG=${TARGET#v}" >> $GITHUB_ENV
- name: Check if we should tag v6 scanner
run: |
if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+$ ]];then
echo "We should update v6 scanner"
echo "UPDATE_MUTABLE_TAG=True" >> $GITHUB_ENV
fi
- name: Login to registry
if: env.UPDATE_MUTABLE_TAG == 'True'
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Tag v6 scanner to neuvector
if: env.UPDATE_MUTABLE_TAG == 'True'
run: |
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/scanner:${TAG}
- name: Login to registry
if: env.UPDATE_MUTABLE_TAG == 'True'
uses: docker/login-action@v3
with:
registry: ${{ env.PRIME_REGISTRY }}
username: ${{ env.PRIME_REGISTRY_USERNAME }}
password: ${{ env.PRIME_REGISTRY_PASSWORD }}
- name: Tag v6 scanner to prime
if: env.UPDATE_MUTABLE_TAG == 'True'
run: |
docker buildx imagetools create --tag ${PRIME_REGISTRY}/rancher/neuvector-scanner:6 ${PRIME_REGISTRY}/rancher/neuvector-scanner:${TAG}
- name: Login to registry
if: env.UPDATE_MUTABLE_TAG == 'True'
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ env.RANCHER_DOCKER_USERNAME }}
password: ${{ env.RANCHER_DOCKER_PASSWORD }}
- name: Tag v6 scanner to rancher
if: env.UPDATE_MUTABLE_TAG == 'True'
run: |
docker buildx imagetools create --tag docker.io/rancher/neuvector-scanner:6 docker.io/rancher/neuvector-scanner:${TAG}