v1.10.5-hardened5 #3
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Hardened CI | |
| on: | |
| push: | |
| branches: | |
| - hardened-nginx-** | |
| pull_request: | |
| branches: | |
| - hardened-nginx-** | |
| release: | |
| types: | |
| - created | |
| workflow_dispatch: {} | |
| permissions: | |
| contents: read | |
| jobs: | |
| unit: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| # Taken from the upstream ci.yaml action | |
| - name: Get go version | |
| run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV | |
| - name: Set up Go | |
| id: go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GOLANG_VERSION }} | |
| check-latest: true | |
| - name: Run Unit Tests | |
| run: ./scripts/test | |
| e2e: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Run E2E Tests | |
| # Runner user seems to lack permissions to access the kubeconfig file | |
| run: | | |
| SKIP_BUILDX_HACK=true ./scripts/e2e-test | |
| release: | |
| needs: e2e | |
| permissions: | |
| contents: read | |
| id-token: write # needed for the Vault authentication | |
| if: github.event_name == 'release' && github.event.action == 'created' | |
| runs-on: ubuntu-latest | |
| env: | |
| REGISTRY: ${{ github.repository_owner }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Only pull vault secrets if the repository is rancher | |
| - name: "Read secrets" | |
| if: github.repository_owner == 'rancher' | |
| uses: rancher-eio/read-vault-secrets@main | |
| with: | |
| secrets: | | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_TOKEN ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD | |
| - name: Login to Container Registry with Rancher Secrets | |
| if: github.repository_owner == 'rancher' | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_TOKEN }} | |
| # For forks, setup docker login with GHA secrets | |
| - name: Login to Container Registry | |
| if: github.repository_owner != 'rancher' | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Build Base Image | |
| run: ./scripts/build-base-image | |
| - name: Build Binaries | |
| run: ./scripts/build-binary | |
| - name: Setup tags | |
| run: | | |
| source ./scripts/version | |
| echo "TAG=$TAG" >> $GITHUB_ENV | |
| echo "PKG=$PKG" >> $GITHUB_ENV | |
| echo "NGINX_TAG=$NGINX_TAG" >> $GITHUB_ENV | |
| echo "BASE_IMAGE=$BASE_IMAGE" >> $GITHUB_ENV | |
| - name: Setup Docker Credentials | |
| if: github.repository_owner != 'rancher' | |
| env: | |
| DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} | |
| DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} | |
| run: | | |
| echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_ENV | |
| echo "DOCKER_TOKEN=$DOCKER_TOKEN" >> $GITHUB_ENV | |
| - name: Build and push controller image | |
| uses: rancher/ecm-distro-tools/actions/publish-image@master | |
| with: | |
| image: nginx-ingress-controller | |
| tag: ${{ github.event.release.tag_name }} | |
| make-target: push-image | |
| public-repo: ${{ env.REGISTRY }} | |
| public-username: ${{ env.DOCKER_USERNAME }} | |
| public-password: ${{ env.DOCKER_TOKEN }} | |
| prime-repo: rancher | |
| prime-registry: ${{ env.PRIME_REGISTRY }} | |
| prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} | |
| prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} | |
| push-to-prime: ${{ github.repository_owner == 'rancher' }} | |
| - name: Build and push controller chroot image | |
| uses: rancher/ecm-distro-tools/actions/publish-image@master | |
| with: | |
| image: nginx-ingress-controller-chroot | |
| tag: ${{ github.event.release.tag_name }} | |
| make-target: push-chroot-image | |
| public-repo: ${{ env.REGISTRY }} | |
| public-username: ${{ env.DOCKER_USERNAME }} | |
| public-password: ${{ env.DOCKER_TOKEN }} | |
| prime-repo: rancher | |
| prime-registry: ${{ env.PRIME_REGISTRY }} | |
| prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} | |
| prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} | |
| push-to-prime: ${{ github.repository_owner == 'rancher' }} |