Bump aquasecurity/trivy-action from 0.11.2 to 0.13.0 #55
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pull Request Workflow | |
on: | |
pull_request: | |
env: | |
GO_VERSION: 1.18 | |
HELM_VERSION: v3.9.2 | |
ICARUS_VERSION: 2.0.4 | |
PYTHON_VERSION: 3.7 # required for helm tester | |
IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }} | |
IBM_CLOUD_REGION: us-south | |
IBM_CLOUD_RG: icm | |
IKS_CLUSTER: icm-cassandra-ci | |
IKS_NAMESPACE: cassandra-operator-ci | |
ICR_NAMESPACE: cassandra-operator | |
ICR_USERNAME: ${{ secrets.ICR_USERNAME }} | |
ICR_PASSWORD: ${{ secrets.ICR_PASSWORD }} | |
IMAGE_PULL_SECRET: icm-coreeng-pull-secret | |
TRIVY_SEVERITY: CRITICAL | |
jobs: | |
run-unit-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Go Lint | |
uses: golangci/golangci-lint-action@v3 | |
with: | |
args: --timeout=5m --enable exportloopref | |
skip-pkg-cache: true | |
skip-build-cache: true | |
- name: Get dependencies | |
run: go mod download | |
- name: Run operator unit tests | |
run: go test ./controllers/... -v -coverprofile=operator_unit.out -coverpkg=./... | |
- name: Run prober unit tests | |
run: | | |
cd ./prober | |
go test ./... -v -coverprofile=prober_unit.out -coverpkg=./... | |
- name: Get tests coverage | |
run: | | |
go tool cover -func=operator_unit.out | tail -n1 | awk "{print \"Operator unit tests coverage: \" \$3}" | |
go tool cover -func=prober_unit.out | tail -n1 | awk "{print \"Prober unit tests coverage: \" \$3}" | |
run-integration-tests: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: true | |
matrix: | |
k8s: [1.20.2, 1.21.2, 1.22.1, 1.23.1, 1.24.2] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Setup Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Setup Kubebuilder assets | |
run: | | |
curl -sSLo envtest-bins.tar.gz "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$k8s-linux-amd64.tar.gz" | |
mkdir kubebuilder-$k8s | |
tar -C kubebuilder-$k8s/ --strip-components=1 -zvxf envtest-bins.tar.gz && rm -f envtest-bins.tar.gz | |
echo "KUBEBUILDER_ASSETS=$(pwd)/kubebuilder-$k8s/bin" >> $GITHUB_ENV | |
$(pwd)/kubebuilder-$k8s/bin/kube-apiserver --version | |
env: | |
k8s: ${{ matrix.k8s }} | |
- name: Get dependencies | |
run: go mod download | |
- name: Run integration tests | |
run: go test ./tests/integration -v -coverprofile=integration.out -coverpkg=./... | |
- name: Get tests coverage | |
run: | | |
go tool cover -func=integration.out | tail -n1 | awk "{print \"Integration tests coverage: \" \$3}" | |
build-operator: | |
runs-on: ubuntu-latest | |
needs: [run-unit-tests, run-integration-tests, validate-helm-charts] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Setup Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Authenticate to Docker Proxy Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.DOCKER_PROXY_REGISTRY }} | |
username: ${{ secrets.ARTIFACTORY_USER }} | |
password: ${{ secrets.ARTIFACTORY_PASS }} | |
- name: Build operator image | |
uses: docker/build-push-action@v4 | |
with: | |
file: Dockerfile | |
build-args: | | |
VERSION=${{ env.GITHUB_REF_SLUG }} | |
DOCKER_PROXY_REGISTRY=${{ secrets.DOCKER_PROXY_REGISTRY }}/ | |
tags: us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra-operator:${{ env.GITHUB_REF_SLUG }} | |
outputs: type=docker,dest=cassandra-operator.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
input: "cassandra-operator.tar" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: ${{ env.TRIVY_SEVERITY }} | |
- name: Upload cassandra operator image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: cassandra-operator | |
path: cassandra-operator.tar | |
retention-days: 1 | |
build-cassandra: | |
runs-on: ubuntu-latest | |
needs: [run-unit-tests, run-integration-tests, validate-helm-charts] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Setup Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Authenticate to Docker Proxy Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.DOCKER_PROXY_REGISTRY }} | |
username: ${{ secrets.ARTIFACTORY_USER }} | |
password: ${{ secrets.ARTIFACTORY_PASS }} | |
- name: Build cassandra image | |
uses: docker/build-push-action@v4 | |
with: | |
file: ./cassandra/Dockerfile | |
context: ./cassandra | |
tags: us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra:${{ env.GITHUB_REF_SLUG }} | |
build-args: DOCKER_PROXY_REGISTRY=${{ secrets.DOCKER_PROXY_REGISTRY }}/ | |
outputs: type=docker,dest=cassandra.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
input: "cassandra.tar" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: ${{ env.TRIVY_SEVERITY }} | |
- name: Upload cassandra image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: cassandra | |
path: cassandra.tar | |
retention-days: 1 | |
build-prober: | |
runs-on: ubuntu-latest | |
needs: [run-unit-tests, run-integration-tests, validate-helm-charts] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Setup Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Authenticate to Docker Proxy Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.DOCKER_PROXY_REGISTRY }} | |
username: ${{ secrets.ARTIFACTORY_USER }} | |
password: ${{ secrets.ARTIFACTORY_PASS }} | |
- name: Build prober image | |
uses: docker/build-push-action@v4 | |
with: | |
file: ./prober/Dockerfile | |
context: ./prober | |
build-args: | | |
VERSION=${{ env.GITHUB_REF_SLUG }} | |
DOCKER_PROXY_REGISTRY=${{ secrets.DOCKER_PROXY_REGISTRY }}/ | |
tags: us.icr.io/${{ env.ICR_NAMESPACE }}/prober:${{ env.GITHUB_REF_SLUG }} | |
outputs: type=docker,dest=prober.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
input: "prober.tar" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: ${{ env.TRIVY_SEVERITY }} | |
- name: Upload prober image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: prober | |
path: prober.tar | |
retention-days: 1 | |
build-jolokia: | |
runs-on: ubuntu-latest | |
needs: [run-unit-tests, run-integration-tests, validate-helm-charts] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Setup Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Authenticate to Docker Proxy Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.DOCKER_PROXY_REGISTRY }} | |
username: ${{ secrets.ARTIFACTORY_USER }} | |
password: ${{ secrets.ARTIFACTORY_PASS }} | |
- name: Build jolokia image | |
uses: docker/build-push-action@v4 | |
with: | |
file: ./jolokia/Dockerfile | |
context: ./jolokia | |
build-args: DOCKER_PROXY_REGISTRY=${{ secrets.DOCKER_PROXY_REGISTRY }}/ | |
tags: us.icr.io/${{ env.ICR_NAMESPACE }}/jolokia:${{ env.GITHUB_REF_SLUG }} | |
outputs: type=docker,dest=jolokia.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
input: "jolokia.tar" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: ${{ env.TRIVY_SEVERITY }} | |
- name: Upload jolokia image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: jolokia | |
path: jolokia.tar | |
retention-days: 1 | |
build-icarus: | |
runs-on: ubuntu-latest | |
needs: [run-unit-tests, run-integration-tests, validate-helm-charts] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Setup Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Authenticate to Docker Proxy Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.DOCKER_PROXY_REGISTRY }} | |
username: ${{ secrets.ARTIFACTORY_USER }} | |
password: ${{ secrets.ARTIFACTORY_PASS }} | |
- name: Build icarus image | |
uses: docker/build-push-action@v4 | |
with: | |
file: ./icarus/Dockerfile | |
context: ./icarus | |
build-args: | | |
ICARUS_VERSION: ${{ env.ICARUS_VERSION }} | |
DOCKER_PROXY_REGISTRY=${{ secrets.DOCKER_PROXY_REGISTRY }}/ | |
tags: us.icr.io/${{ env.ICR_NAMESPACE }}/icarus:${{ env.GITHUB_REF_SLUG }} | |
outputs: type=docker,dest=icarus.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
input: "icarus.tar" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: ${{ env.TRIVY_SEVERITY }} | |
- name: Upload jolokia image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: icarus | |
path: icarus.tar | |
retention-days: 1 | |
validate-helm-charts: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # ct needs history to compare | |
- name: Setup Helm | |
uses: azure/[email protected] | |
with: | |
version: ${{ env.HELM_VERSION }} | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
- name: Setup chart-testing | |
uses: helm/[email protected] | |
- name: Run chart-testing (list-changed) | |
id: list-changed | |
run: | | |
changed=$(ct list-changed --target-branch=main) | |
if [[ -n "$changed" ]]; then | |
echo "::set-output name=changed::true" | |
fi | |
- name: Run chart-testing (lint) | |
run: ct lint --target-branch=main --check-version-increment=false | |
- name: Download Pluto | |
uses: FairwindsOps/pluto/[email protected] | |
- name: Scan for deprecated k8s APIs | |
run: helm template cassandra-operator/ | pluto detect - | |
check-docs: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Setup Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 16 | |
- name: Build docs website | |
run: | | |
npm -v | |
node -v | |
cd docs | |
npm ci | |
npm run build | |
push-images-for-e2e: | |
if: "!contains(github.event.head_commit.message, 'e2e skip')" | |
needs: [build-operator, build-cassandra, build-prober, build-jolokia, build-icarus, validate-helm-charts] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
# We have below variable value replacement to prevent re-push of the image within branch during parallel workflows run | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Install IBM Cloud CLI | |
run: | | |
curl -fsSL https://clis.cloud.ibm.com/install/linux | sh | |
ibmcloud --version | |
ibmcloud config --check-version=false | |
ibmcloud plugin install -f container-registry | |
- name: Authenticate with IBM Cloud CLI | |
uses: nick-fields/retry@v2 | |
id: retry | |
continue-on-error: false | |
with: | |
timeout_seconds: 60 | |
max_attempts: 3 | |
retry_on: error | |
command: | | |
ibmcloud login --apikey "$IBM_CLOUD_API_KEY" -r "$IBM_CLOUD_REGION" -g "$IBM_CLOUD_RG" --quiet | |
ibmcloud cr region-set "$IBM_CLOUD_REGION" | |
ibmcloud cr login | |
- name: Download operator image artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: cassandra-operator | |
- name: Download cassandra image artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: cassandra | |
- name: Download prober image artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: prober | |
- name: Download jolokia image artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: jolokia | |
- name: Download icarus image artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: icarus | |
- name: Load container images | |
run: | | |
docker load -i cassandra-operator.tar | |
docker load -i cassandra.tar | |
docker load -i prober.tar | |
docker load -i jolokia.tar | |
docker load -i icarus.tar | |
- name: Push Images to ICR | |
run: | | |
docker push "us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra-operator:$GITHUB_REF_SLUG" | |
docker push "us.icr.io/${{ env.ICR_NAMESPACE }}/prober:$GITHUB_REF_SLUG" | |
docker push "us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra:$GITHUB_REF_SLUG" | |
docker push "us.icr.io/${{ env.ICR_NAMESPACE }}/jolokia:$GITHUB_REF_SLUG" | |
docker push "us.icr.io/${{ env.ICR_NAMESPACE }}/icarus:$GITHUB_REF_SLUG" | |
run-e2e-tests: | |
needs: [push-images-for-e2e] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Block Concurrent Executions for the Deployment | |
uses: softprops/turnstyle@v1 | |
with: | |
poll-interval-seconds: 10 | |
abort-after-seconds: 7200 | |
same-branch-only: false | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
- name: Modify GITHUB_REF_SLUG | |
run: echo "GITHUB_REF_SLUG=$GITHUB_REF_SLUG-${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Install IBM Cloud CLI | |
run: | | |
curl -fsSL https://clis.cloud.ibm.com/install/linux | sh | |
ibmcloud --version | |
ibmcloud config --check-version=false | |
ibmcloud plugin install -f kubernetes-service | |
ibmcloud plugin install -f container-registry | |
- name: Authenticate with IBM Cloud CLI | |
uses: nick-fields/retry@v2 | |
id: retry | |
continue-on-error: false | |
with: | |
timeout_seconds: 60 | |
max_attempts: 3 | |
retry_on: error | |
command: | | |
ibmcloud login --apikey "$IBM_CLOUD_API_KEY" -r "$IBM_CLOUD_REGION" -g "$IBM_CLOUD_RG" --quiet | |
ibmcloud cr region-set "$IBM_CLOUD_REGION" | |
ibmcloud cr login | |
ibmcloud ks cluster config --cluster $IKS_CLUSTER | |
kubectl config current-context | |
kubectl config set-context --current --namespace $IKS_NAMESPACE | |
- name: Setup k8s namespace | |
run: | | |
kubectl create namespace $IKS_NAMESPACE || true | |
kubectl create secret docker-registry icm-coreeng-pull-secret \ | |
[email protected] \ | |
--docker-username="$ICR_USERNAME" \ | |
--docker-password="$ICR_PASSWORD" \ | |
--docker-server=us.icr.io || true | |
- name: Deploy C* operator helm chart | |
uses: nick-fields/retry@v2 | |
with: | |
timeout_seconds: 60 | |
max_attempts: 3 | |
retry_on: error | |
command: | | |
helm install cassandra-operator cassandra-operator \ | |
--set "container.image=us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra-operator:$GITHUB_REF_SLUG" \ | |
--set "proberImage=us.icr.io/${{ env.ICR_NAMESPACE }}/prober:$GITHUB_REF_SLUG" \ | |
--set "cassandraImage=us.icr.io/${{ env.ICR_NAMESPACE }}/cassandra:$GITHUB_REF_SLUG" \ | |
--set "jolokiaImage=us.icr.io/${{ env.ICR_NAMESPACE }}/jolokia:$GITHUB_REF_SLUG" \ | |
--set "icarusImage=us.icr.io/${{ env.ICR_NAMESPACE }}/icarus:$GITHUB_REF_SLUG" \ | |
--set "logFormat=console" \ | |
--set "logLevel=debug" \ | |
--set "container.imagePullSecret=$IMAGE_PULL_SECRET" | |
kubectl rollout status deployment cassandra-operator | |
- name: C* operator deployment has failed, showing debug... | |
if: ${{ failure() }} | |
run: | | |
kubectl get deployments,po | |
kubectl describe pod -l operator=cassandra-operator | |
kubectl logs deployment/cassandra-operator --tail=20 | |
- name: Set up Go with latest minor version 1.x | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ^1.18 | |
- name: Get go dependencies | |
run: go mod download | |
- name: Install Ginkgo | |
run: go install github.com/onsi/ginkgo/v2/[email protected] | |
- name: Run e2e tests | |
id: e2e | |
run: make e2e-tests | |
- name: Upload logs artifact | |
if: ${{ always() && steps.e2e.outcome == 'failure' }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: logs | |
path: /tmp/debug-logs/ | |
retention-days: 7 | |
- name: Uninstall C* operator helm chart | |
if: ${{ always() }} | |
run: helm uninstall cassandra-operator | |
- name: Remove CassandraCluster CRD | |
if: ${{ always() }} | |
run: kubectl delete -f cassandra-operator/crds/db.ibm.com_cassandraclusters.yaml | |
- name: Remove CassandraBackup CRD | |
if: ${{ always() }} | |
run: kubectl delete -f cassandra-operator/crds/db.ibm.com_cassandrabackups.yaml | |
- name: Remove CassandraRestore CRD | |
if: ${{ always() }} | |
run: kubectl delete -f cassandra-operator/crds/db.ibm.com_cassandrarestores.yaml | |
# We have below logic bc when multiple tags exist for the same image digest within a repository, the ibmcloud cr image-rm command removes the underlying image and all its tags. See details: https://cloud.ibm.com/docs/container-registry-cli-plugin?topic=container-registry-cli-plugin-containerregcli#bx_cr_image_rm | |
# We can also add a check if commit message contains `no_image_del` then skip the image deletion step | |
- name: Cleanup k8s namespace | |
if: ${{ always() }} | |
run: kubectl delete namespace $IKS_NAMESPACE | |
- name: Cleanup Images | |
if: ${{ always() }} | |
run: | | |
for image_name in cassandra-operator prober cassandra jolokia icarus; do | |
image_digest=$(ibmcloud cr image-list --restrict ${{ env.ICR_NAMESPACE }} --format "{{if and (eq .Repository \"us.icr.io/cassandra-operator/$image_name\") (eq .Tag \"$GITHUB_REF_SLUG\")}}{{.Digest}}{{end}}" --no-trunc) | |
image_tags=$(ibmcloud cr image-digests --restrict ${{ env.ICR_NAMESPACE }} --format "{{if and (eq .Digest \"$image_digest\")}}{{.Tags}}{{end}}" | sed -e 's/\[//g' -e 's/\]//g') | |
image_tags_arr=($image_tags) | |
echo "image tags: ${image_tags_arr[@]}, number: ${#image_tags_arr[@]}" | |
if (( ${#image_tags_arr[@]} > 1 )); then | |
ibmcloud cr image-untag "us.icr.io/${{ env.ICR_NAMESPACE }}/$image_name:$GITHUB_REF_SLUG" | |
else | |
ibmcloud cr image-rm "us.icr.io/${{ env.ICR_NAMESPACE }}/$image_name:$GITHUB_REF_SLUG" | |
fi | |
done |