From 7d37e1ed2e38ed796ba42d8a45d5605fa3c358af Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Sat, 2 Dec 2023 15:45:45 +0530
Subject: [PATCH] ci: Add initial workflows
Signed-off-by: Anurag Rajawat
---
.github/workflows/latest-release.yaml | 46 +++++++++++++++++
.github/workflows/pr-checks.yaml | 73 +++++++++++++++++++++++++++
.licenserc.yaml | 21 ++++++++
Makefile | 11 ++--
4 files changed, 147 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/latest-release.yaml
create mode 100644 .github/workflows/pr-checks.yaml
create mode 100644 .licenserc.yaml
diff --git a/.github/workflows/latest-release.yaml b/.github/workflows/latest-release.yaml
new file mode 100644
index 00000000..b99c7f13
--- /dev/null
+++ b/.github/workflows/latest-release.yaml
@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+name: Latest release
+
+on:
+ push:
+ branches:
+ - main
+ - "v*"
+ create:
+ branches:
+ - "v*"
+
+permissions: read-all
+
+jobs:
+ release-nimbus-image:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Get tag
+ id: tag
+ run: |
+ if [ ${{ github.ref }} == "refs/heads/main" ]; then
+ echo "tag=latest" >> $GITHUB_OUTPUT
+ else
+ echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push nimbus image
+ run: make docker-buildx TAG=${{ steps.tag.outputs.tag }}
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
new file mode 100644
index 00000000..a6f9aefa
--- /dev/null
+++ b/.github/workflows/pr-checks.yaml
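Review bot: `${{ github.ref }}` is interpolated directly into the `Get tag` shell script, so a branch name containing shell metacharacters (git permits `;`, `$`, `|`, backticks and quotes in ref names) would be executed on a runner that is already logged into Docker Hub with `DOCKERHUB_TOKEN`. Exploiting it needs push rights to `main` or a `v*` branch, so this is hardening rather than an open hole, but it is exactly the script-injection pattern GitHub's security guidance warns about; pass the value through the environment and quote it: add `env:` / `REF: ${{ github.ref }}` to the step and test `if [ "$REF" = "refs/heads/main" ]; then` (the `else` branch already reads `GITHUB_REF` from the environment and needs no change). Separately, `on.create` does not appear to accept a `branches` filter in workflow syntax, so that trigger may be rejected or may fire for every created ref and push an image per branch name — worth confirming against the docs. The actions here are pinned to floating tags (`actions/checkout@v3`, `docker/login-action@v3`, …) whereas the PR workflow pins skywalking-eyes by commit; pinning to full SHAs in the one job that holds the registry token is the consistent choice.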
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+name: PR checks
+
+on:
+ pull_request:
+ types: [ opened, reopened, synchronize, ready_for_review ]
+ paths-ignore:
+ - '**.md'
+ - '**.sh'
+ - 'docs/**'
+ - 'LICENSE'
+
+permissions: read-all
+
+jobs:
+ license:
+ name: License
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Check License Header
+ uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup go
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.20'
+
+ - name: go fmt
+ run: make fmt
+
+ - name: Lint
+ id: lint
+ uses: golangci/golangci-lint-action@v3
+ with:
+ version: v1.54
+ args: --deadline=30m --out-format=line-number
+ skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+
+ - name: Run unit tests
+ run: make test
+
+ go-sec:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v3
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: '-no-fail -fmt sarif -out results.sarif ./...'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/.licenserc.yaml b/.licenserc.yaml
new file mode 100644
index 00000000..ca2cb77d
--- /dev/null
+++ b/.licenserc.yaml
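Review bot: `securego/gosec@master` in the `go-sec` job is an unpinned, mutable branch reference, so whatever lands on that branch runs against this repository's checked-out source with `security-events: write`; pin it to a full commit SHA as the `license` job already does for skywalking-eyes, e.g. `uses: securego/gosec@<full-sha> # vX.Y.Z`, or at least to a release tag. The job-level `permissions:` block replaces the workflow-wide `read-all`, so that job runs with `contents: none`; add `contents: read` next to `security-events: write` — checkout of a public repository may still succeed without it, but it will fail on a private repo or fork. `-no-fail` means gosec findings never block the PR and the comment says the Security tab is the gate, which only holds if code-scanning alerts are enforced on the branch — presumably intentional, but state that in the comment. Also, `paths-ignore: '**.sh'` skips this whole workflow for shell-only PRs even though `.licenserc.yaml` in this commit checks `**/*.sh` headers, so such a PR is never header-checked; drop `'**.sh'` from the ignore list or accept that gap explicitly.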
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+header:
+ license:
+ spdx-id: Apache-2.0
+ copyright-owner: Nimbus
+ content: |
+ SPDX-License-Identifier: Apache-2.0
+
+ paths:
+ - "**/*.go"
+ - "**/*.sh"
+ - "**/Dockerfile"
+ - "**/Makefile"
+
+ comment: on-failure
+
+dependency:
+ files:
+ - go.mod
diff --git a/Makefile b/Makefile
index 4262a20c..ea881017 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,9 @@
 # Copyright 2023 Authors of Nimbus
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= 5gsec/nimbus
+# Image Tag to use all building/pushing image targets
+TAG ?= v0.1
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.28.0
@@ -97,11 +99,12 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
- $(CONTAINER_TOOL) build -t ${IMG} .
+ $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} .
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
- $(CONTAINER_TOOL) push ${IMG}
+ $(CONTAINER_TOOL) push ${IMG}:${TAG}
+ $(CONTAINER_TOOL) push ${IMG}:latest
 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
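Review bot: `docker-push` now pushes `${IMG}:latest` unconditionally after `${IMG}:${TAG}`, so any `make docker-push` — including one for an older `TAG` from a developer machine that happens to hold registry credentials — rewinds the public `latest` pointer, and with `IMG` now defaulting to the real `5gsec/nimbus` repository instead of the scaffold's `controller:latest` that is one command away. Gate it, e.g. `PUSH_LATEST ?= false` next to the `TAG ?= v0.1` default and in the recipe `$(if $(filter true,$(PUSH_LATEST)),$(CONTAINER_TOOL) push ${IMG}:latest)`, or drop the `:latest` push here and let callers pass `TAG=latest` explicitly as the release workflow in this commit already does for `main`. `docker-build` tags `:latest` the same way but is local-only, so only the push is the concern. Note also that `docker-buildx` (next hunk) pushes only `${IMG}:${TAG}`, so the single-arch and multi-arch paths now disagree about whether `latest` moves; whichever policy is chosen should apply to both.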
@@ -116,7 +119,7 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 - $(CONTAINER_TOOL) buildx create --name project-v3-builder
 $(CONTAINER_TOOL) buildx use project-v3-builder
- - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+ - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross .
 - $(CONTAINER_TOOL) buildx rm project-v3-builder
 rm Dockerfile.cross
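Review bot: The rewritten `buildx build --push` line keeps the leading `-`, so make ignores a non-zero exit from it; in the `Latest release` workflow added by this commit, `make docker-buildx` therefore exits 0 and the job goes green even when the image fails to build or the push to `5gsec/nimbus` is rejected. Only the `buildx create` / `buildx rm` lines have a reason for `-` (the builder may already exist or already be gone); change the build line to `$(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross .` with no prefix so a failed release push fails the job. If the `-` was meant to guarantee that `buildx rm` and `rm Dockerfile.cross` still run, do the cleanup explicitly on the same line, e.g. `... -f Dockerfile.cross . || { $(CONTAINER_TOOL) buildx rm project-v3-builder; rm -f Dockerfile.cross; exit 1; }`, rather than hiding the failure. The `docker-buildx` rule header is outside the hunk, so check there are no other `-`-prefixed steps above the `sed` line; a `# ignore-errors: builder may already exist` comment on the two lines that keep the prefix would make the intent clear to the next reader.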