fix: build and image validation unit tests #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
push: | |
branches: | |
- main | |
- release/** | |
tags: | |
- v[0-9]+.[0-9]+.[0-9]+-?** | |
pull_request: | |
branches: | |
- release/** | |
defaults: | |
run: | |
shell: bash | |
env: | |
PUBLIC_IMAGE_DEV_REPO: ${{ vars.PUBLIC_IMAGE_DEV_REPO }} | |
PUBLIC_IMAGE_REPO: ${{ vars.PUBLIC_IMAGE_REPO }} | |
PACK_VERSION: ${{ vars.PACK_VERSION }} | |
jobs: | |
unit: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
- name: Run tests | |
run: make unit-ci | |
- name: Report coverage | |
uses: codecov/[email protected] | |
controller-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/controller | |
bp_go_targets: "./cmd/controller" | |
artifact_name: controller-image | |
webhook-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/webhook | |
bp_go_targets: "./cmd/webhook" | |
artifact_name: webhook-image | |
completion-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/completion | |
bp_go_targets: "./cmd/completion" | |
artifact_name: completion-image | |
build-init-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/build-init | |
bp_go_targets: "./cmd/build-init" | |
artifact_name: build-init-image | |
build-waiter-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/build-waiter | |
bp_go_targets: "./cmd/build-waiter" | |
artifact_name: build-waiter-image | |
rebase-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/rebase | |
bp_go_targets: "./cmd/rebase" | |
artifact_name: rebase-image | |
build-init-windows-image: | |
runs-on: windows-2019 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/build-init-windows | |
bp_go_targets: '.\cmd\build-init;.\cmd\network-wait-launcher' | |
builder: gcr.io/cf-build-service-public/kpack-windows-builder | |
additional_pack_args: "--trust-builder" | |
artifact_name: build-init-windows-image | |
completion-windows-image: | |
runs-on: windows-2019 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Build | |
uses: ./.github/actions/pack-build | |
with: | |
pack_version: ${{ env.PACK_VERSION }} | |
tag: ${{ env.PUBLIC_IMAGE_DEV_REPO }}/completion-windows | |
bp_go_targets: '.\cmd\completion' | |
builder: gcr.io/cf-build-service-public/kpack-windows-builder | |
additional_pack_args: "--trust-builder" | |
artifact_name: completion-windows-image | |
lifecycle-image: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
- name: Build | |
run: | | |
trap 'echo -e "$output"' EXIT | |
output=$(go run ./hack/lifecycle/main.go --tag=${{ env.PUBLIC_IMAGE_DEV_REPO }}/lifecycle 2>&1) | |
image=$(echo "$output" | grep "saved lifecycle" | awk -F "saved lifecycle image: " '{print $2}') | |
mkdir images | |
echo $image > images/lifecycle | |
- name: Upload Image Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lifecycle-image | |
path: images/ | |
generate-pre-release-yaml: | |
runs-on: ubuntu-latest | |
needs: | |
- lifecycle-image | |
- controller-image | |
- webhook-image | |
- completion-image | |
- rebase-image | |
- build-init-image | |
- build-waiter-image | |
- build-init-windows-image | |
- completion-windows-image | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
- name: Setup carvel | |
uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.RELEASE_TOKEN }} | |
only: ytt, kapp | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: '*-image' | |
path: images | |
merge-multiple: true | |
- name: Build release yaml | |
run: | | |
ytt -f config/ \ | |
-v controller.image=$(cat images/controller) \ | |
-v webhook.image=$(cat images/webhook) \ | |
-v build_init.image=$(cat images/build-init) \ | |
-v build_init_windows.image=$(cat images/build-init-windows) \ | |
-v build_waiter.image=$(cat images/build-waiter) \ | |
-v rebase.image=$(cat images/rebase) \ | |
-v completion.image=$(cat images/completion) \ | |
-v completion_windows.image=$(cat images/completion-windows) \ | |
-v lifecycle.image=$(cat images/lifecycle) > prerelease.yaml | |
cat prerelease.yaml | |
- name: Upload Pre-Release | |
uses: actions/upload-artifact@v4 | |
with: | |
name: prerelease | |
path: prerelease.yaml | |
e2e: | |
needs: | |
- generate-pre-release-yaml | |
- controller-image | |
- webhook-image | |
- completion-image | |
- rebase-image | |
- build-init-image | |
- build-waiter-image | |
- build-init-windows-image | |
- completion-windows-image | |
- lifecycle-image | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
- name: Setup crane | |
uses: imjasonh/[email protected] | |
- name: Setup carvel | |
uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.RELEASE_TOKEN }} | |
only: ytt, kapp | |
- name: Download release | |
uses: actions/download-artifact@v4 | |
with: | |
name: prerelease | |
- name: Setup local registry | |
run: | | |
user="test" | |
pass="test" | |
echo "Generating users" | |
htpasswd -Bbn "$user" "$pass" >> htpasswd # authenticated user for tests | |
# the registry can be accessed from inside the kind cluster via it's name. | |
# however, due to a quirk with ggcr, it will force https connections UNLESS | |
# it fits certain patterns (https://github.com/google/go-containerregistry/blob/b8d1c0a1df12a3b3dd3e7f98330780fdc015ce40/pkg/name/registry.go#L75) | |
# so in order to avoid setting tls for the registry, we can name it something.local | |
# to trick ggcr into using the http scheme | |
name="registry.local" | |
echo "Starting registry" | |
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then | |
docker run --detach \ | |
--name "$name" \ | |
-v "$(pwd)/htpasswd:/auth/htpasswd" \ | |
-e "REGISTRY_AUTH=htpasswd" \ | |
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ | |
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \ | |
-e "REGISTRY_STORAGE_DELETE_ENABLED=true" \ | |
--publish "5000:5000" \ | |
registry:2 | |
fi | |
echo "REGISTRY_URL=$name:5000" >> $GITHUB_ENV | |
echo "REGISTRY_USER=$user" >> $GITHUB_ENV | |
echo "REGISTRY_PASS=$pass" >> $GITHUB_ENV | |
# alias registry.local to localhost | |
# ip=$(docker container inspect $name --format '{{ .NetworkSettings.Networks.kind.IPAddress }}') | |
ip=127.0.0.1 | |
echo "$ip registry.local" | sudo tee -a /etc/hosts | |
cat <<EOF > kind.yaml | |
kind: Cluster | |
apiVersion: kind.x-k8s.io/v1alpha4 | |
containerdConfigPatches: | |
- |- | |
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.local:5000"] | |
endpoint = ["http://registry.local:5000"] | |
EOF | |
- name: Create Kind Cluster | |
uses: helm/[email protected] | |
with: | |
cluster_name: e2e | |
config: kind.yaml | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.REGISTRY_URL }} | |
username: ${{ env.REGISTRY_USER }} | |
password: ${{ env.REGISTRY_PASS }} | |
- name: Run tests | |
run: | | |
# make the registry container accessible by name from inside the cluster | |
docker network connect kind registry.local | |
cat <<EOF > overlay.yaml | |
#@ load("@ytt:overlay", "overlay") | |
#@overlay/match by=overlay.subset({"metadata":{"name":"kpack-controller"}, "kind": "Deployment"}) | |
--- | |
spec: | |
template: | |
spec: | |
containers: | |
#@overlay/match by="name" | |
- name: controller | |
#@overlay/match-child-defaults missing_ok=True | |
env: | |
#@overlay/match by="name" | |
#@overlay/replace or_add=True | |
- name: EXPERIMENTAL_GENERATE_SLSA_ATTESTATION | |
value: "true" | |
EOF | |
ytt -f prerelease.yaml -f overlay.yaml | kapp deploy -a kpack -y -f- | |
export IMAGE_REGISTRY=${{ env.REGISTRY_URL }} | |
export IMAGE_REGISTRY_USERNAME=${{ env.REGISTRY_USER }} | |
export IMAGE_REGISTRY_PASSWORD=${{ env.REGISTRY_PASS }} | |
export GIT_PRIVATE_REPO=${{ vars.E2E_PRIVATE_REPO }} | |
export GIT_BASIC_USERNAME="${{ secrets.E2E_PRIVATE_REPO_USERNAME }}" | |
export GIT_BASIC_PASSWORD="${{ secrets.E2E_PRIVATE_REPO_PASSWORD }}" | |
export GIT_SSH_PRIVATE_KEY="${{ secrets.E2E_PRIVATE_REPO_PRIVATE_KEY }}" | |
E2E_SLSA="true" make e2e | |
kapp delete -a kpack -y | |
- name: Run tests with Istio | |
run: | | |
helm repo add istio https://istio-release.storage.googleapis.com/charts | |
helm repo update | |
kubectl create namespace istio-system | |
helm install istio-base istio/base -n istio-system --wait | |
helm install istiod istio/istiod -n istio-system --wait | |
cat <<EOF > overlay.yaml | |
#@ load("@ytt:overlay", "overlay") | |
#@overlay/match by=overlay.subset({"metadata":{"name":"kpack-controller"}, "kind": "Deployment"}) | |
--- | |
spec: | |
template: | |
spec: | |
containers: | |
#@overlay/match by="name" | |
- name: controller | |
#@overlay/match-child-defaults missing_ok=True | |
env: | |
#@overlay/match by="name" | |
#@overlay/replace or_add=True | |
- name: INJECTED_SIDECAR_SUPPORT | |
value: "true" | |
EOF | |
ytt -f prerelease.yaml -f overlay.yaml | kapp deploy -a kpack -y -f- | |
export IMAGE_REGISTRY=${{ env.REGISTRY_URL }} | |
export IMAGE_REGISTRY_USERNAME=${{ env.REGISTRY_USER }} | |
export IMAGE_REGISTRY_PASSWORD=${{ env.REGISTRY_PASS }} | |
export KPACK_TEST_NAMESPACE_LABELS="istio-injection=enabled" | |
export GIT_PRIVATE_REPO=${{ vars.E2E_PRIVATE_REPO }} | |
export GIT_BASIC_USERNAME="${{ secrets.E2E_PRIVATE_REPO_USERNAME }}" | |
export GIT_BASIC_PASSWORD="${{ secrets.E2E_PRIVATE_REPO_PASSWORD }}" | |
export GIT_SSH_PRIVATE_KEY="${{ secrets.E2E_PRIVATE_REPO_PRIVATE_KEY }}" | |
make e2e | |
release: | |
needs: | |
- unit | |
- e2e | |
- generate-pre-release-yaml | |
- controller-image | |
- webhook-image | |
- completion-image | |
- rebase-image | |
- build-init-image | |
- build-waiter-image | |
- build-init-windows-image | |
- completion-windows-image | |
- lifecycle-image | |
if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
- name: Setup crane | |
uses: imjasonh/[email protected] | |
- name: Setup carvel | |
uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.RELEASE_TOKEN }} | |
only: ytt | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: '*-image' | |
path: images | |
merge-multiple: true | |
- name: Docker Login | |
uses: docker/[email protected] | |
with: | |
registry: ${{ secrets.REGISTRY_HOST }} | |
username: ${{ secrets.REGISTRY_USER }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Parse tag name | |
run: | | |
echo "GITHUB_REF=${GITHUB_REF}" | |
[[ $GITHUB_REF =~ ^refs\/tags\/v(.*)$ ]] && version=${BASH_REMATCH[1]} | |
if [[ -z "${version}" ]]; then | |
echo "ERROR: kpack version not detected." | |
exit 1 | |
fi | |
echo "KPACK_VERSION=${version}" >> $GITHUB_ENV | |
- name: Promote images | |
run: | | |
mkdir final-image-refs | |
for image in images/*; do | |
dev_image=$(cat $image) | |
digest=$(echo $dev_image| cut -d "@" -f 2) | |
name=$(basename $image) | |
final_repo="${{ env.PUBLIC_IMAGE_REPO }}/${name}" | |
crane copy "$dev_image" "$final_repo" | |
crane tag "${final_repo}@${digest}" ${{ env.KPACK_VERSION }} | |
echo "${final_repo}@${digest}" > final-image-refs/$name | |
done | |
- name: Upload image refs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: final-image-refs | |
path: final-image-refs/* | |
- name: Generate release yaml | |
id: release_yaml | |
run: | | |
file="release-${{ env.KPACK_VERSION }}.yaml" | |
ytt -f config/ \ | |
-v controller.image=$(cat final-image-refs/controller) \ | |
-v webhook.image=$(cat final-image-refs/webhook) \ | |
-v build_init.image=$(cat final-image-refs/build-init) \ | |
-v build_init_windows.image=$(cat final-image-refs/build-init-windows) \ | |
-v build_waiter.image=$(cat final-image-refs/build-waiter) \ | |
-v rebase.image=$(cat final-image-refs/rebase) \ | |
-v completion.image=$(cat final-image-refs/completion) \ | |
-v completion_windows.image=$(cat final-image-refs/completion-windows) \ | |
-v lifecycle.image=$(cat final-image-refs/lifecycle) \ | |
-v kpack_version=${{ env.KPACK_VERSION }} > $file | |
echo "sha=$(shasum -a 256 $file)" >> $GITHUB_OUTPUT | |
- name: Upload Release | |
uses: actions/upload-artifact@v4 | |
with: | |
name: release | |
path: release-${{ env.KPACK_VERSION }}.yaml | |
- name: Create Draft Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
name: kpack v${{ env.KPACK_VERSION }} | |
tag_name: v${{ env.KPACK_VERSION }} | |
target_commitish: ${{ github.sha }} | |
token: ${{ secrets.RELEASE_TOKEN }} | |
draft: true | |
prerelease: true | |
files: release-*.yaml | |
body: | | |
## What's Changed | |
## Bug Fixes | |
## Bumped Dependencies | |
sha256 checksum: | |
``` | |
${{ steps.release_yaml.outputs.sha }} | |
``` | |
**Full Changelog**: |