fix(CI): Optimized workflows to build images based on file changes

Signed-off-by: Anurag Rajawat <[email protected]>
anurag-rajawat · May 22, 2024 · 8121839 · 8121839
1 parent b6dd9b6
commit 8121839
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 44 deletions.
diff --git a/.github/workflows/latest-release.yaml b/.github/workflows/latest-release.yaml
@@ -2,15 +2,10 @@
 # Copyright 2023 Authors of Nimbus
 
 name: Latest release
-
 on:
   push:
     branches:
       - main
-      - "v*"
-  create:
-    branches:
-      - "v*"
 
 permissions: read-all
 
@@ -19,16 +14,38 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  files-changed:
+    name: Detect what files changed
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      nimbus: ${{ steps.filter.outputs.nimbus}}
+      adapters: ${{ steps.filter.outputs.adapters }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/[email protected]
+        id: filter
+        with:
+          filters: |
+            nimbus:
+              - 'cmd/**'
+              - 'internal/**'
+              - 'pkg/processor/**'
+            adapters:
+              - 'pkg/adapter/**'
+
   release-nimbus-image:
-    if: github.repository == '5GSEC/nimbus'
+    needs: files-changed
+    if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.nimbus == 'true' }}
     name: Build and push nimbus image
     uses: ./.github/workflows/release-image.yaml
     with:
       WORKING_DIRECTORY: .
     secrets: inherit
 
   release-adapters-image:
-    if: github.repository == '5GSEC/nimbus'
+    needs: files-changed
+    if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.adapters == 'true' }}
     strategy:
       matrix:
         adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]

diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -15,22 +15,45 @@ on:
 permissions: read-all
 
 jobs:
+  files-changed:
+    name: Detect what files changed
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      nimbus: ${{ steps.filter.outputs.nimbus}}
+      adapters: ${{ steps.filter.outputs.adapters }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/[email protected]
+        id: filter
+        with:
+          filters: |
+            nimbus:
+              - 'api/**'
+              - 'cmd/**'
+              - 'internal/**'
+              - 'pkg/processor/**'
+            adapters:
+              - 'pkg/adapter/**'
+
   license:
     name: License
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Check License Header
         uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   static-checks:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.nimbus == 'true' ||  needs.files-changed.outputs.adapters == 'true' }}
     name: Static checks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup go
         uses: actions/setup-go@v4
@@ -49,14 +72,16 @@ jobs:
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
 
   go-sec:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.nimbus == 'true' ||  needs.files-changed.outputs.adapters == 'true' }}
     runs-on: ubuntu-latest
     permissions:
       security-events: write
     env:
       GO111MODULE: on
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
@@ -70,17 +95,21 @@ jobs:
           sarif_file: results.sarif
 
   build-nimbus-image:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.nimbus == 'true' }}
     name: Build Nimbus Operator image
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Build image
         run: make docker-build
 
   build-adapters-image:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.adapters == 'true' }}
     strategy:
       matrix:
         adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]
@@ -89,13 +118,15 @@ jobs:
     timeout-minutes: 20
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Build image
         working-directory: ./pkg/adapter/${{ matrix.adapters }}
         run: make docker-build
 
-  chainsaw-integration-tests:
+  integration-tests:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.nimbus == 'true' }}
     name: Integration-Test
     runs-on: ubuntu-latest
     steps:
@@ -116,7 +147,7 @@ jobs:
         - name: Build image and load in the kind cluster
           run: |
             make docker-build
-            kind load docker-image 5gsec/nimbus:latest --name=testing
+            kind load docker-image 5gsec/nimbus:v0.1 --name=testing
 
         - name: Install Nimbus
           run: |
@@ -130,12 +161,14 @@ jobs:
         - name: Run Tests
           run: make integration-test
 
-  chainsaw-e2e-tests:
+  e2e-tests:
+    needs: files-changed
+    if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
     name: E2E-Test
     runs-on: ubuntu-latest
     steps:
         - name: Checkout source code
-          uses: actions/checkout@v3
+          uses: actions/checkout@v4
 
         - name: Install helm
           id: helm
@@ -151,25 +184,25 @@ jobs:
         - name: Build nimbus image and load in the kind cluster
           run: |
             make docker-build
-            kind load docker-image 5gsec/nimbus:latest --name=testing
+            kind load docker-image 5gsec/nimbus:v0.1 --name=testing
 
         - name: Build nimbus-netpol image and load in the kind cluster
           working-directory: ./pkg/adapter/nimbus-netpol
           run: |
             make docker-build
-            kind load docker-image 5gsec/nimbus-netpol:latest --name=testing  
+            kind load docker-image 5gsec/nimbus-netpol:v0.1 --name=testing  
 
         - name: Build nimbus-kubearmor image and load in the kind cluster
           working-directory: ./pkg/adapter/nimbus-kubearmor
           run: |
             make docker-build
-            kind load docker-image 5gsec/nimbus-kubearmor:latest --name=testing 
+            kind load docker-image 5gsec/nimbus-kubearmor:v0.1 --name=testing 
             
         - name: Build nimbus-kyverno image and load in the kind cluster
           working-directory: ./pkg/adapter/nimbus-kyverno
           run: |
             make docker-build
-            kind load docker-image 5gsec/nimbus-kyverno:latest --name=testing 
+            kind load docker-image 5gsec/nimbus-kyverno:v0.1 --name=testing 
           
         - name: Install Kubearmor CRDs
           run: |
@@ -179,7 +212,6 @@ jobs:
           run: |
             kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_clusterpolicies.yaml 
             kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_policies.yaml
-        
 
         - name: Install Nimbus
           run: |

diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
@@ -11,14 +11,18 @@ on:
         description: 'current working directory'
         required: true
         type: string
+      NAME:
+        description: 'app name'
+        required: true
+        type: string
 
 jobs:
   release-image:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -41,6 +45,22 @@ jobs:
             echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
           fi
 
+      - name: Build image
+        run: make docker-build
+        working-directory: ${{ inputs.WORKING_DIRECTORY }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'docker.io/5gsec/${{ inputs.NAME }}:v0.1'
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          scan-type: image
+          output: 'trivy-results.sarif'
+
       - name: Build and push image
         working-directory: ${{ inputs.WORKING_DIRECTORY }}
         run: make docker-buildx TAG=${{ steps.tag.outputs.tag }}
diff --git a/.github/workflows/latest-charts-release.yaml → .github/workflows/stable-release.yaml b/.github/workflows/latest-charts-release.yaml → .github/workflows/stable-release.yaml
@@ -1,28 +1,49 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-name: Release Charts
+name: Stable release
 
 on:
-  push:
-    branches:
-      - main
-      - "v*"
-    paths:
-      - "deployments/**"
   create:
-    branches:
+    tags:
       - "v*"
 
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  release:
+  release-nimbus-image:
+    if: github.repository == '5GSEC/nimbus'
+    name: Build and push nimbus image
+    uses: ./.github/workflows/release-image.yaml
+    with:
+      WORKING_DIRECTORY: .
+      NAME: nimbus
+    secrets: inherit
+
+  release-adapters-image:
+    if: github.repository == '5GSEC/nimbus'
+    strategy:
+      matrix:
+        adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]
+    name: Build and push ${{ matrix.adapters }} adapter's image
+    uses: ./.github/workflows/release-image.yaml
+    with:
+      WORKING_DIRECTORY: ./pkg/adapter/${{ matrix.adapters }}
+      NAME: ${{ matrix.adapters }}
+    secrets: inherit
+
+  release_helm_charts:
     if: github.repository == '5GSEC/nimbus'
     permissions:
       contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install Helm
         uses: azure/setup-helm@v3

diff --git a/Makefile b/Makefile
@@ -107,20 +107,19 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
-	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} .
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
-	$(CONTAINER_TOOL) push ${IMG}:latest
 
 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
 # - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/
 # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=<myregistry/image:<tag>> then the export will fail)
 # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option.
-PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
 docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile

diff --git a/pkg/adapter/nimbus-kubearmor/Makefile b/pkg/adapter/nimbus-kubearmor/Makefile
@@ -17,14 +17,13 @@ run: build
 
 .PHONY: docker-build
 docker-build:
-	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
 
 .PHONY: docker-push
 docker-push:
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
-	$(CONTAINER_TOOL) push ${IMG}:latest
 
-PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
 docker-buildx:
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile

diff --git a/pkg/adapter/nimbus-kyverno/Makefile b/pkg/adapter/nimbus-kyverno/Makefile
@@ -17,14 +17,13 @@ run: build
 
 .PHONY: docker-build
 docker-build:
-	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
+	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
 
 .PHONY: docker-push
 docker-push:
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
-	$(CONTAINER_TOOL) push ${IMG}:latest
 
-PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
 docker-buildx:
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile