Skip to content

Split CI into seperate Jobs #5

Split CI into seperate Jobs

Split CI into seperate Jobs #5

Workflow file for this run

name: Hardened CI
on:
push:
branches:
- hardened-nginx-**
pull_request:
branches:
- hardened-nginx-**
release:
types:
- created
workflow_dispatch: {}
permissions:
contents: read
jobs:
unit:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
# Taken from the upstream ci.yaml action
- name: Get go version
run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GOLANG_VERSION }}
check-latest: true
- name: Run Unit Tests
run: ./scripts/test
e2e:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run E2E Tests
# Runner user seems to lack permissions to access the kubeconfig file
run: |
SKIP_BUILDX_HACK=true ./scripts/e2e-test
release-base-image:
needs: e2e
permissions:
contents: read
id-token: write # needed for the Vault authentication
if: github.event_name == 'release' && github.event.action == 'created'
runs-on: ubuntu-latest
env:
REGISTRY: ${{ github.repository_owner }}
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Only pull vault secrets if the repository is rancher
- name: "Read secrets"
if: github.repository_owner == 'rancher'
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_TOKEN ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Login to Container Registry with Rancher Secrets
if: github.repository_owner == 'rancher'
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_TOKEN }}
# For forks, setup docker login with GHA secrets
- name: Login to Container Registry
if: github.repository_owner != 'rancher'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build And Push Base Image
run: ./scripts/build-base-image
release-controller-image:
needs: release-base-image
permissions:
contents: read
id-token: write # needed for the Vault authentication
if: github.event_name == 'release' && github.event.action == 'created'
runs-on: ubuntu-latest
env:
REGISTRY: ${{ github.repository_owner }}
steps:
- name: Check out code
uses: actions/checkout@v4
# Only pull vault secrets if the repository is rancher
- name: "Read secrets"
if: github.repository_owner == 'rancher'
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_TOKEN ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Login to Container Registry with Rancher Secrets
if: github.repository_owner == 'rancher'
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_TOKEN }}
# For forks, setup docker login with GHA secrets
- name: Login to Container Registry
if: github.repository_owner != 'rancher'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build Binaries
run: ./scripts/build-binary
- name: Setup tags
run: |
source ./scripts/version
echo "TAG=$TAG" >> $GITHUB_ENV
echo "PKG=$PKG" >> $GITHUB_ENV
echo "NGINX_TAG=$NGINX_TAG" >> $GITHUB_ENV
echo "BASE_IMAGE=$BASE_IMAGE" >> $GITHUB_ENV
- name: Setup Docker Credentials
if: github.repository_owner != 'rancher'
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
run: |
echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_ENV
echo "DOCKER_TOKEN=$DOCKER_TOKEN" >> $GITHUB_ENV
- name: Build and push controller image
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: nginx-ingress-controller
tag: ${{ github.event.release.tag_name }}
make-target: push-image
public-repo: ${{ env.REGISTRY }}
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_TOKEN }}
prime-repo: rancher
prime-registry: ${{ env.PRIME_REGISTRY }}
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
push-to-prime: ${{ github.repository_owner == 'rancher' }}
- name: Build and push controller chroot image
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: nginx-ingress-controller-chroot
tag: ${{ github.event.release.tag_name }}
make-target: push-chroot-image
public-repo: ${{ env.REGISTRY }}
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_TOKEN }}
prime-repo: rancher
prime-registry: ${{ env.PRIME_REGISTRY }}
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
push-to-prime: ${{ github.repository_owner == 'rancher' }}