Skip to content
Pull request

feat: use chainguard for OpenEBS images #3274

Sign in to view logs

feat: use chainguard for OpenEBS images

feat: use chainguard for OpenEBS images #3274

Workflow file for this run

.github/workflows/pull-request.yaml at c064f00
name: Pull request
on:
- pull_request
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
sanitize:
name: Sanitize
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Go vet
run: |
make vet
- name: Lint
uses: golangci/golangci-lint-action@v6
with:
version: v1.54
tests:
name: Unit tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Go vet
run: |
make vet
- name: Unit tests
run: |
make unit-tests
build:
name: Build
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: actions/cache@v4
with:
path: |
build/.melange-cache
key: melange-cache
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Setup Melange
uses: chainguard-dev/actions/setup-melange@main
- name: Build and push local-artifact-mirror image
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
export LOCAL_ARTIFACT_MIRROR_IMAGE=replicated/embedded-cluster-local-artifact-mirror-staging
export REGISTRY=docker.io
export USERNAME=${{ secrets.DOCKERHUB_USER }}
export PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }}
make apko
make build-and-push-local-artifact-mirror-image VERSION="${SHORT_SHA}"
make build-and-push-local-artifact-mirror-image VERSION="${SHORT_SHA}-previous-k0s"
make build-and-push-local-artifact-mirror-image VERSION="${SHORT_SHA}-upgrade"
- name: Build and push utils image
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
export EMBEDDED_OPERATOR_UTILS_IMAGE=replicated/embedded-cluster-utils-staging
export REGISTRY=docker.io
export USERNAME=${{ secrets.DOCKERHUB_USER }}
export PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }}
make apko
make build-and-push-utils-image VERSION="${SHORT_SHA}"
make build-and-push-utils-image VERSION="${SHORT_SHA}-previous-k0s"
make build-and-push-utils-image VERSION="${SHORT_SHA}-upgrade"
- name: Build Linux AMD64 and Output Metadata
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
export LOCAL_ARTIFACT_MIRROR_IMAGE=replicated/embedded-cluster-local-artifact-mirror-staging
export EMBEDDED_OPERATOR_UTILS_IMAGE=replicated/embedded-cluster-utils-staging
make -B embedded-cluster-linux-amd64 K0S_VERSION=$(make print-PREVIOUS_K0S_VERSION) K0S_BINARY_SOURCE_OVERRIDE=$(make print-PREVIOUS_K0S_BINARY_SOURCE_OVERRIDE) VERSION="${SHORT_SHA}-previous-k0s"
tar -C output/bin -czvf embedded-cluster-linux-amd64-previous-k0s.tgz embedded-cluster
./output/bin/embedded-cluster version metadata > metadata-previous-k0s.json
make -B embedded-cluster-linux-amd64 VERSION="${SHORT_SHA}-upgrade"
tar -C output/bin -czvf embedded-cluster-linux-amd64-upgrade.tgz embedded-cluster
./output/bin/embedded-cluster version metadata > metadata-upgrade.json
make -B embedded-cluster-linux-amd64 VERSION="${SHORT_SHA}"
tar -C output/bin -czvf embedded-cluster-linux-amd64.tgz embedded-cluster
./output/bin/embedded-cluster version metadata > metadata.json
- name: Install Replicated CLI
run: |
curl -s https://api.github.com/repos/replicatedhq/replicated/releases/latest \
| grep "browser_download_url.*linux_amd64.tar.gz" \
| cut -d : -f 2,3 \
| tr -d \" \
| wget -O replicated.tar.gz -qi -
tar xf replicated.tar.gz replicated && rm replicated.tar.gz
mv replicated /usr/local/bin/replicated
- name: Create CI Releases
env:
REPLICATED_APP: "embedded-cluster-smoke-test-staging-app"
REPLICATED_API_TOKEN: ${{ secrets.STAGING_REPLICATED_API_TOKEN }}
REPLICATED_API_ORIGIN: "https://api.staging.replicated.com/vendor"
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
echo "${SHORT_SHA}"
sed -i "s/__version_string__/${SHORT_SHA}/g" e2e/kots-release-install/cluster-config.yaml
sed -i "s/__version_string__/${SHORT_SHA}-upgrade/g" e2e/kots-release-upgrade/cluster-config.yaml
# re-promote a release containing an old version of embedded-cluster to test upgrades
replicated release promote 807 2cHXb1RCttzpR0xvnNWyaZCgDBP --version "appver-${SHORT_SHA}-pre-minio-removal"
replicated release create --yaml-dir e2e/kots-release-install --promote CI --version "appver-${SHORT_SHA}"
replicated release create --yaml-dir e2e/kots-release-install --promote CI --version "appver-${SHORT_SHA}-noop"
replicated release create --yaml-dir e2e/kots-release-upgrade --promote CI --version "appver-${SHORT_SHA}-upgrade"
- name: Build CI binary
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
export LOCAL_ARTIFACT_MIRROR_IMAGE=replicated/embedded-cluster-local-artifact-mirror-staging
export EMBEDDED_OPERATOR_UTILS_IMAGE=replicated/embedded-cluster-utils-staging
echo "# channel release object" > e2e/kots-release-install/release.yaml
echo 'channelID: "2cHXb1RCttzpR0xvnNWyaZCgDBP"' >> e2e/kots-release-install/release.yaml
echo 'channelSlug: "ci"' >> e2e/kots-release-install/release.yaml
echo 'appSlug: "embedded-cluster-smoke-test-staging-app"' >> e2e/kots-release-install/release.yaml
echo "versionLabel: \"appver-${SHORT_SHA}\"" >> e2e/kots-release-install/release.yaml
cat e2e/kots-release-install/release.yaml
cp output/bin/embedded-cluster output/bin/embedded-cluster-original
make -B embedded-release K0S_VERSION=$(make print-PREVIOUS_K0S_VERSION) VERSION="${SHORT_SHA}-previous-k0s"
mv output/bin/embedded-cluster output/bin/embedded-cluster-previous-k0s
make -B embedded-release VERSION="${SHORT_SHA}" # this is done after the metadata.json is generated so as to not include additional charts
- name: Cache files for integration test
env:
S3_BUCKET: "tf-staging-embedded-cluster-bin"
AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_UPLOAD_IAM_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_EMBEDDED_CLUSTER_UPLOAD_IAM_SECRET }}
AWS_REGION: "us-east-1"
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
export EC_VERSION="v${SHORT_SHA}"
./scripts/cache-files.sh
./scripts/create-upgrade-release.sh
./scripts/create-previous-k0s-release.sh
- name: Create Airgap Release
env:
REPLICATED_APP: "embedded-cluster-smoke-test-staging-app"
REPLICATED_API_TOKEN: ${{ secrets.STAGING_REPLICATED_API_TOKEN }}
REPLICATED_API_ORIGIN: "https://api.staging.replicated.com/vendor"
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
echo "${SHORT_SHA}"
rm e2e/kots-release-install/release.yaml
replicated release create --yaml-dir e2e/kots-release-install --promote CI-airgap --version "appver-${SHORT_SHA}"
# airgap tests install the previous k0s version to ensure an upgrade occurs
sed -i "s/${SHORT_SHA}/${SHORT_SHA}-previous-k0s/g" e2e/kots-release-install/cluster-config.yaml
replicated release create --yaml-dir e2e/kots-release-install --promote CI-airgap --version "appver-${SHORT_SHA}-previous-k0s"
replicated release create --yaml-dir e2e/kots-release-upgrade --promote CI-airgap --version "appver-${SHORT_SHA}-upgrade"
- name: Create download link message text
run: |
SHA=${{ github.event.pull_request.head.sha }}
export SHORT_SHA=dev-${SHA::7}
echo "This PR has been released (on staging) and is available for download with a embedded-cluster-smoke-test-staging-app [license ID](https://vendor.staging.replicated.com/apps/embedded-cluster-smoke-test-staging-app/customers?sort=name-asc)." > download-link.txt
echo "" >> download-link.txt
echo "Online Installer:" >> download-link.txt
echo "\`\`\`" >> download-link.txt
echo "curl \"https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci/appver-${SHORT_SHA}\" -H \"Authorization: \$EC_SMOKE_TEST_LICENSE_ID\" -o embedded-cluster-smoke-test-staging-app-ci.tgz" >> download-link.txt
echo "\`\`\`" >> download-link.txt
echo "Airgap Installer (may take a few minutes before the airgap bundle is built):" >> download-link.txt
echo "\`\`\`" >> download-link.txt
echo "curl \"https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci-airgap/appver-${SHORT_SHA}?airgap=true\" -H \"Authorization: \$EC_SMOKE_TEST_LICENSE_ID\" -o embedded-cluster-smoke-test-staging-app-ci.tgz" >> download-link.txt
echo "\`\`\`" >> download-link.txt
echo "Happy debugging!" >> download-link.txt
cat download-link.txt
- name: comment download link
uses: mshick/add-pr-comment@v2
with:
message-path: download-link.txt
- name: upload binary
uses: actions/upload-artifact@v4
with:
name: embedded-release
path: |
output/bin/embedded-cluster
output/bin/embedded-cluster-original
output/bin/embedded-cluster-previous-k0s
output/bin/embedded-cluster-release-builder
e2e:
runs-on: ${{ matrix.runner || 'ubuntu-latest' }}
needs:
- build
strategy:
fail-fast: false
matrix:
test:
- TestSingleNodeInstallation
- TestSingleNodeInstallationAlmaLinux8
- TestSingleNodeInstallationDebian11
- TestSingleNodeInstallationDebian12
- TestSingleNodeInstallationCentos9Stream
- TestVersion
- TestHostPreflight
- TestUnsupportedOverrides
- TestMultiNodeInstallation
- TestMultiNodeReset
- TestCommandsRequireSudo
- TestInstallWithoutEmbed
- TestInstallFromReplicatedApp
- TestResetAndReinstall
- TestResetAndReinstallAirgap
- TestCollectSupportBundle
- TestOldVersionUpgrade
- TestMaterialize
- TestLocalArtifactMirror
- TestSingleNodeAirgapUpgrade
- TestSingleNodeAirgapUpgradeCustomCIDR
- TestInstallSnapshotFromReplicatedApp
- TestMultiNodeAirgapUpgrade
- TestSingleNodeDisasterRecovery
- TestSingleNodeDisasterRecoveryWithProxy
- TestSingleNodeResumeDisasterRecovery
- TestSingleNodeAirgapDisasterRecovery
- TestMultiNodeHAInstallation
- TestMultiNodeAirgapHAInstallation
- TestProxiedEnvironment
- TestMultiNodeHADisasterRecovery
- TestMultiNodeAirgapHADisasterRecovery
- TestCustomCIDR
- TestProxiedCustomCIDR
- TestSingleNodeInstallationNoopUpgrade
include:
- test: TestMultiNodeAirgapUpgrade
runner: embedded-cluster
- test: TestMultiNodeAirgapUpgradeSameK0s
runner: embedded-cluster
- test: TestMultiNodeAirgapHAInstallation
runner: embedded-cluster
- test: TestMultiNodeAirgapHADisasterRecovery
runner: embedded-cluster
- test: TestSingleNodeAirgapDisasterRecovery
runner: embedded-cluster
steps:
- name: Checkout
uses: actions/checkout@v4
- name: download binary
uses: actions/download-artifact@v4
with:
name: embedded-release
path: output/bin
- uses: ./.github/actions/e2e
with:
test-name: '${{ matrix.test }}'
is-large-runner: ${{ matrix.runner == 'embedded-cluster' }}
airgap-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
snapshot-license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}
airgap-snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}
dr-aws-access-key-id: ${{ secrets.TESTIM_AWS_ACCESS_KEY_ID }}
dr-aws-secret-access-key: ${{ secrets.TESTIM_AWS_SECRET_ACCESS_KEY }}
# this job will validate that all the tests passed
# it is used for the github branch protection rule
validate-success:
runs-on: ubuntu-20.04
needs:
- e2e
- sanitize
- tests
if: always()
steps:
# https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
- name: fail if e2e job was not successful
if: needs.e2e.result != 'success'
run: exit 1
- name: fail if sanitize job was not successful
if: needs.sanitize.result != 'success'
run: exit 1
- name: fail if tests job was not successful
if: needs.tests.result != 'success'
run: exit 1
- name: succeed if everything else passed
run: echo "Validation succeeded"