From 81218391dfd67cb082d3f5ec534d8ae452d2735e Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Wed, 22 May 2024 20:07:59 +0530 Subject: [PATCH] fix(CI): Optimized workflows to build images based on file changes Signed-off-by: Anurag Rajawat --- .github/workflows/latest-release.yaml | 31 +++++++--- .github/workflows/pr-checks.yaml | 60 ++++++++++++++----- .github/workflows/release-image.yaml | 22 ++++++- ...harts-release.yaml => stable-release.yaml} | 41 +++++++++---- Makefile | 5 +- pkg/adapter/nimbus-kubearmor/Makefile | 5 +- pkg/adapter/nimbus-kyverno/Makefile | 5 +- pkg/adapter/nimbus-netpol/Makefile | 5 +- 8 files changed, 130 insertions(+), 44 deletions(-) rename .github/workflows/{latest-charts-release.yaml => stable-release.yaml} (50%) diff --git a/.github/workflows/latest-release.yaml b/.github/workflows/latest-release.yaml index 4d84c321..9de238dc 100644 --- a/.github/workflows/latest-release.yaml +++ b/.github/workflows/latest-release.yaml @@ -2,15 +2,10 @@ # Copyright 2023 Authors of Nimbus name: Latest release - on: push: branches: - main - - "v*" - create: - branches: - - "v*" permissions: read-all @@ -19,8 +14,29 @@ concurrency: cancel-in-progress: true jobs: + files-changed: + name: Detect what files changed + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + nimbus: ${{ steps.filter.outputs.nimbus}} + adapters: ${{ steps.filter.outputs.adapters }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3.0.2 + id: filter + with: + filters: | + nimbus: + - 'cmd/**' + - 'internal/**' + - 'pkg/processor/**' + adapters: + - 'pkg/adapter/**' + release-nimbus-image: - if: github.repository == '5GSEC/nimbus' + needs: files-changed + if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.nimbus == 'true' }} name: Build and push nimbus image uses: ./.github/workflows/release-image.yaml with: 
@@ -28,7 +44,8 @@ jobs: secrets: inherit release-adapters-image: - if: github.repository == '5GSEC/nimbus' + needs: files-changed + if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.adapters == 'true' }} strategy: matrix: adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ] diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index dba82763..e95d2fa9 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -15,11 +15,32 @@ on: permissions: read-all jobs: + files-changed: + name: Detect what files changed + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + nimbus: ${{ steps.filter.outputs.nimbus}} + adapters: ${{ steps.filter.outputs.adapters }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3.0.2 + id: filter + with: + filters: | + nimbus: + - 'api/**' + - 'cmd/**' + - 'internal/**' + - 'pkg/processor/**' + adapters: + - 'pkg/adapter/**' + license: name: License runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Check License Header uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce @@ -27,10 +48,12 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} static-checks: + needs: files-changed + if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }} name: Static checks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup go uses: actions/setup-go@v4 @@ -49,6 +72,8 @@ jobs: skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778 go-sec: + needs: files-changed + if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }} runs-on: ubuntu-latest permissions: security-events: write 
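Review bot: The `nimbus` and `adapters` filters in the new `files-changed` job only watch Go source directories, so a push to `main` that touches only `Dockerfile`, `go.mod`/`go.sum` or `api/**` (which the `pr-checks.yaml` filter in this same commit does include) never republishes an image — a base-image or dependency CVE fix would land on `main` without a rebuilt image. Add `- 'Dockerfile'`, `- 'go.mod'`, `- 'go.sum'` and `- 'api/**'` to the `nimbus` filter; the adapter Makefiles in this diff build from the repository root (`-f ./Dockerfile ../../../`), so the adapter images presumably embed shared code outside `pkg/adapter/**` as well and should re-release on those paths too. Separately, this repository already pins `apache/skywalking-eyes` to a full commit SHA; `dorny/paths-filter@v3.0.2` and `actions/checkout@v4` are mutable tags and should be pinned the same way, since this job's outputs decide what gets published.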
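Review bot: Gating `static-checks` and `go-sec` on `needs.files-changed.outputs.nimbus == 'true' || ...adapters == 'true'` means a PR that only bumps `go.mod`/`go.sum` or edits a `Dockerfile` runs neither lint nor gosec, which is precisely the kind of change a security scan should not skip. Either add those paths to the filters or leave `go-sec` ungated — it is cheap and already has `security-events: write`. If either job is a required status check, a skipped job is reported as passing, so the gate widens instead of failing closed. Also note this `nimbus` filter includes `api/**` while the one added to `latest-release.yaml` does not; keep the two lists identical so a change that passes PR checks cannot silently fail to produce a release image.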
@@ -56,7 +81,7 @@ jobs: GO111MODULE: on steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Gosec Security Scanner uses: securego/gosec@master @@ -70,17 +95,21 @@ jobs: sarif_file: results.sarif build-nimbus-image: + needs: files-changed + if: ${{ needs.files-changed.outputs.nimbus == 'true' }} name: Build Nimbus Operator image runs-on: ubuntu-latest timeout-minutes: 20 steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build image run: make docker-build build-adapters-image: + needs: files-changed + if: ${{ needs.files-changed.outputs.adapters == 'true' }} strategy: matrix: adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ] @@ -89,13 +118,15 @@ jobs: timeout-minutes: 20 steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build image working-directory: ./pkg/adapter/${{ matrix.adapters }} run: make docker-build - chainsaw-integration-tests: + integration-tests: + needs: files-changed + if: ${{ needs.files-changed.outputs.nimbus == 'true' }} name: Integration-Test runs-on: ubuntu-latest steps: @@ -116,7 +147,7 @@ jobs: - name: Build image and load in the kind cluster run: | make docker-build - kind load docker-image 5gsec/nimbus:latest --name=testing + kind load docker-image 5gsec/nimbus:v0.1 --name=testing - name: Install Nimbus run: | @@ -130,12 +161,14 @@ jobs: - name: Run Tests run: make integration-test - chainsaw-e2e-tests: + e2e-tests: + needs: files-changed + if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }} name: E2E-Test runs-on: ubuntu-latest steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install helm id: helm 
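Review bot: `kind load docker-image 5gsec/nimbus:v0.1 --name=testing` hard-codes the tag that `make docker-build` happens to produce from the Makefile's `TAG` default, which is not visible in this diff; when that default is bumped this step either fails or, if a stale `v0.1` image is cached on the runner, loads the wrong image into the test cluster. Pass the tag explicitly from one place instead, e.g. `make docker-build TAG=${IMAGE_TAG}` followed by `kind load docker-image 5gsec/nimbus:${IMAGE_TAG} --name=testing`, with `IMAGE_TAG` set once under the job's `env:`. The same literal is repeated four more times in the `e2e-tests` job below.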
@@ -151,25 +184,25 @@ jobs: - name: Build nimbus image and load in the kind cluster run: | make docker-build - kind load docker-image 5gsec/nimbus:latest --name=testing + kind load docker-image 5gsec/nimbus:v0.1 --name=testing - name: Build nimbus-netpol image and load in the kind cluster working-directory: ./pkg/adapter/nimbus-netpol run: | make docker-build - kind load docker-image 5gsec/nimbus-netpol:latest --name=testing + kind load docker-image 5gsec/nimbus-netpol:v0.1 --name=testing - name: Build nimbus-kubearmor image and load in the kind cluster working-directory: ./pkg/adapter/nimbus-kubearmor run: | make docker-build - kind load docker-image 5gsec/nimbus-kubearmor:latest --name=testing + kind load docker-image 5gsec/nimbus-kubearmor:v0.1 --name=testing - name: Build nimbus-kyverno image and load in the kind cluster working-directory: ./pkg/adapter/nimbus-kyverno run: | make docker-build - kind load docker-image 5gsec/nimbus-kyverno:latest --name=testing + kind load docker-image 5gsec/nimbus-kyverno:v0.1 --name=testing - name: Install Kubearmor CRDs run: | @@ -179,7 +212,6 @@ jobs: run: | kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_clusterpolicies.yaml kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_policies.yaml - - name: Install Nimbus run: | diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml index 639eba9f..0b3ba1e4 100644 --- a/.github/workflows/release-image.yaml +++ b/.github/workflows/release-image.yaml @@ -11,6 +11,10 @@ on: description: 'current working directory' required: true type: string + NAME: + description: 'app name' + required: true + type: string jobs: release-image: @@ -18,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 
@@ -41,6 +45,22 @@ jobs: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT fi + - name: Build image + run: make docker-build + working-directory: ${{ inputs.WORKING_DIRECTORY }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@v0.20.0 + with: + image-ref: 'docker.io/5gsec/${{ inputs.NAME }}:v0.1' + format: 'sarif' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + scan-type: image + output: 'trivy-results.sarif' + - name: Build and push image working-directory: ${{ inputs.WORKING_DIRECTORY }} run: make docker-buildx TAG=${{ steps.tag.outputs.tag }} diff --git a/.github/workflows/latest-charts-release.yaml b/.github/workflows/stable-release.yaml similarity index 50% rename from .github/workflows/latest-charts-release.yaml rename to .github/workflows/stable-release.yaml index 9900e408..ef657f21 100644 --- a/.github/workflows/latest-charts-release.yaml +++ b/.github/workflows/stable-release.yaml 
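Review bot: The Trivy step scans `docker.io/5gsec/${{ inputs.NAME }}:v0.1`, a hard-coded tag that is decoupled from the `steps.tag.outputs.tag` value the push step uses; if the local `make docker-build` ever produces a different tag, Trivy cannot find that image locally and (as far as I know of its lookup order) falls back to pulling the already-published `v0.1` image from Docker Hub, so the gate would scan an old artifact and still pass. Build with `TAG=${{ steps.tag.outputs.tag }}` and scan that reference. The SARIF written to `trivy-results.sarif` is also never uploaded, and because `exit-code: '1'` fails the step the job ends before any later upload could run — add an `upload-sarif` step with `if: always()` (which needs `security-events: write` on this job; the caller only grants `permissions: read-all`). Even then, `make docker-buildx` rebuilds the image for `linux/arm64,linux/amd64` and pushes that, so the scanned bytes are not the bytes that reach the registry; a post-push scan of the pushed digest would close that gap. `aquasecurity/trivy-action@v0.20.0` should be pinned to a commit SHA like `apache/skywalking-eyes` is elsewhere in this repo.
```yaml
      - name: Build image
        run: make docker-build TAG=${{ steps.tag.outputs.tag }}
        working-directory: ${{ inputs.WORKING_DIRECTORY }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@v0.20.0
        with:
          image-ref: 'docker.io/5gsec/${{ inputs.NAME }}:${{ steps.tag.outputs.tag }}'
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity, scan-type, output …

      - name: Upload Trivy results to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```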
@@ -1,28 +1,49 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2023 Authors of Nimbus -name: Release Charts +name: Stable release on: - push: - branches: - - main - - "v*" - paths: - - "deployments/**" create: - branches: + tags: - "v*" +permissions: read-all + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - release: + release-nimbus-image: + if: github.repository == '5GSEC/nimbus' + name: Build and push nimbus image + uses: ./.github/workflows/release-image.yaml + with: + WORKING_DIRECTORY: . + NAME: nimbus + secrets: inherit + + release-adapters-image: + if: github.repository == '5GSEC/nimbus' + strategy: + matrix: + adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ] + name: Build and push ${{ matrix.adapters }} adapter's image + uses: ./.github/workflows/release-image.yaml + with: + WORKING_DIRECTORY: ./pkg/adapter/${{ matrix.adapters }} + NAME: ${{ matrix.adapters }} + secrets: inherit + + release_helm_charts: if: github.repository == '5GSEC/nimbus' permissions: contents: write runs-on: ubuntu-latest steps: - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Helm uses: azure/setup-helm@v3 diff --git a/Makefile b/Makefile index d0506d7d..baeacc64 100644 --- a/Makefile +++ b/Makefile 
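Review bot: The new trigger `on: create: tags: - "v*"` relies on a path filter that, as far as I know, GitHub only honours for `push`/`pull_request` events — `create` takes no `branches`/`tags` filters — so this workflow likely fires on every branch or tag creation, and the three release jobs (gated only by `github.repository == '5GSEC/nimbus'`) would then build and push images tagged with whatever `GITHUB_REF#refs/*/` yields for that branch. Use the documented form `on: push: tags: - "v*"` so only version tags publish, and consider an explicit `startsWith(github.ref, 'refs/tags/v')` guard on the release jobs as defence in depth. The `release_helm_charts` job's `contents: write` is fine since it is scoped to that job, but it is another reason the trigger must not fire on arbitrary branch creation.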
@@ -107,12 +107,11 @@ run: manifests generate fmt vet ## Run a controller from your host. # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ .PHONY: docker-build docker-build: ## Build docker image with the manager. - $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} . + $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} . .PHONY: docker-push docker-push: ## Push docker image with the manager. $(CONTAINER_TOOL) push ${IMG}:${TAG} - $(CONTAINER_TOOL) push ${IMG}:latest # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: @@ -120,7 +119,7 @@ docker-push: ## Push docker image with the manager. # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=> then the export will fail) # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. -PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx docker-buildx: ## Build and push docker image for the manager for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile diff --git a/pkg/adapter/nimbus-kubearmor/Makefile b/pkg/adapter/nimbus-kubearmor/Makefile index dcfe1adf..cf69bace 100644 --- a/pkg/adapter/nimbus-kubearmor/Makefile +++ b/pkg/adapter/nimbus-kubearmor/Makefile 
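Review bot: Dropping the `${IMG}:latest` tag from `docker-build` and `docker-push` means anything still referencing `5gsec/nimbus:latest` — chart defaults, sample manifests or docs not in this diff — will keep pulling the last image that was ever pushed under that tag, which will never receive fixes again; grep `deployments/` and the README for `:latest` and point them at an explicit tag, or delete/deprecate the stale registry tag so it fails loudly. A comment on the target would help the next maintainer: `# Only ${IMG}:${TAG} is produced; the mutable :latest tag is intentionally no longer published.` The same edit is repeated in the three adapter Makefiles below and needs the same follow-up.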
@@ -17,14 +17,13 @@ run: build .PHONY: docker-build docker-build: - $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ + $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push docker-push: $(CONTAINER_TOOL) push ${IMG}:${TAG} - $(CONTAINER_TOOL) push ${IMG}:latest -PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx docker-buildx: # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile diff --git a/pkg/adapter/nimbus-kyverno/Makefile b/pkg/adapter/nimbus-kyverno/Makefile index 021e2bcf..5e43596f 100644 --- a/pkg/adapter/nimbus-kyverno/Makefile +++ b/pkg/adapter/nimbus-kyverno/Makefile @@ -17,14 +17,13 @@ run: build .PHONY: docker-build docker-build: - $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ + $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push docker-push: $(CONTAINER_TOOL) push ${IMG}:${TAG} - $(CONTAINER_TOOL) push ${IMG}:latest -PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx docker-buildx: # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile diff --git a/pkg/adapter/nimbus-netpol/Makefile b/pkg/adapter/nimbus-netpol/Makefile index e1a8f9ea..9124f409 100644 --- a/pkg/adapter/nimbus-netpol/Makefile +++ b/pkg/adapter/nimbus-netpol/Makefile 
@@ -17,14 +17,13 @@ run: build .PHONY: docker-build docker-build: - $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ + $(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../ .PHONY: docker-push docker-push: $(CONTAINER_TOOL) push ${IMG}:${TAG} - $(CONTAINER_TOOL) push ${IMG}:latest -PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORMS ?= linux/arm64,linux/amd64 .PHONY: docker-buildx docker-buildx: # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile