add sbom generation and signing of cli binary #85
name: CI | |
on: | |
pull_request: | |
merge_group: | |
push: | |
branches: | |
- main | |
- release-* | |
permissions: | |
contents: read | |
jobs: | |
test-unit: | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
# Install Git from "trixie" repository to get a more recent version than | |
# the one available in "stable". This can be removed once the version in | |
# "stable" is updated to >= 2.42.0 (which supports `--orphan` for `git | |
# worktree add`). | |
- name: Update Git to >= 2.42 | |
run: | | |
echo "deb http://deb.debian.org/debian trixie main" > /etc/apt/sources.list.d/trixie.list | |
apt update && apt install -y -t trixie git | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: /go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Run unit tests | |
run: make test-unit | |
- name: Remove generated code from report | |
run: | | |
grep -v .pb.go coverage.txt | grep -v zz_generated | grep -v service.connect.go > coverage.tmp | |
mv coverage.tmp coverage.txt | |
- name: Upload coverage reports | |
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
lint-and-typecheck-ui: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: ~/.pnpm-store | |
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm- | |
- name: Install pnpm | |
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 | |
with: | |
package_json_file: ui/package.json | |
- name: Install nodejs | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: "22.8.0" | |
cache: "pnpm" | |
cache-dependency-path: "**/pnpm-lock.yaml" | |
- name: Run typecheck | |
run: make typecheck-ui | |
- name: Run linter | |
run: make lint-ui | |
lint-go: | |
permissions: | |
checks: write # Used to create checks (linting comments) on PRs | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Cache golangci-lint | |
id: cache-golangci-lint | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: | | |
hack/bin/golangci-lint | |
hack/bin/golangci-lint-* | |
key: ${{ runner.os }}-golangci-lint-${{ hashFiles('hack/tools/go.mod') }} | |
- name: Install golangci-lint | |
if: steps.cache-golangci-lint.outputs.cache-hit != 'true' | |
run: make install-golangci-lint | |
- name: Configure Git | |
run: git config --global --add safe.directory '*' | |
- name: Run linter | |
env: | |
GO_LINT_ERROR_FORMAT: colored-line-number | |
run: make lint-go | |
lint-charts: | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Cache helm | |
id: cache-helm | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: | | |
hack/bin/helm | |
hack/bin/helm-* | |
key: | |
${{ runner.os }}-helm-${{ hashFiles('hack/tools/go.mod') }} | |
- name: Install helm | |
if: steps.cache-helm.outputs.cache-hit != 'true' | |
run: make install-helm | |
- name: Run linter | |
run: make lint-charts | |
lint-proto: | |
permissions: | |
checks: write # Used to create checks (linting comments) on PRs | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Cache buf | |
id: cache-buf | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: | | |
hack/bin/buf | |
hack/bin/buf-* | |
key: ${{ runner.os }}-buf-${{ hashFiles('hack/tools/go.mod') }} | |
- name: Install buf | |
if: steps.cache-buf.outputs.cache-hit != 'true' | |
run: make install-buf | |
- name: Run linter | |
env: | |
BUF_LINT_ERROR_FORMAT: github-actions | |
run: make lint-proto | |
check-codegen: | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install tools | |
run: apt update && apt install unzip | |
- name: Install pnpm | |
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 | |
with: | |
package_json_file: ui/package.json | |
- name: Install nodejs | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: "22.8.0" | |
cache: "pnpm" | |
cache-dependency-path: "**/pnpm-lock.yaml" | |
- name: Install nodejs dependencies | |
run: pnpm install --dev | |
working-directory: ./ui | |
- name: Cache Go modules | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: /go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
- name: Cache tools | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: | | |
hack/bin | |
hack/include | |
key: ${{ runner.os }}-tools-${{ hashFiles('hack/tools/go.mod', 'hack/tools.mk') }} | |
- name: Git stuff | |
# As of go 1.20, this seems to be necessary for invoking git commands | |
# within the container | |
run: git config --global --add safe.directory /__w/kargo/kargo | |
- name: Run Codegen | |
run: make codegen | |
- name: Check nothing has changed | |
run: git diff --exit-code -- . | |
build-image: | |
needs: [test-unit, lint-go, lint-charts, lint-proto, lint-and-typecheck-ui, check-codegen] | |
runs-on: ubuntu-latest | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
with: | |
driver-opts: network=host | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Build base image | |
run: | | |
BASE_IMAGE=localhost:5000/kargo-base make build-base-image | |
docker push localhost:5000/kargo-base:latest-arm64 | |
docker push localhost:5000/kargo-base:latest-amd64 | |
- name: Build final image | |
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 | |
with: | |
platforms: linux/amd64,linux/arm64 | |
build-args: | | |
BASE_IMAGE=localhost:5000/kargo-base | |
push: false | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-cli: | |
needs: [test-unit, lint-go, lint-charts, lint-proto, lint-and-typecheck-ui, check-codegen] | |
runs-on: ubuntu-latest | |
container: | |
image: golang:1.23.4-bookworm | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: /go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Build CLI | |
env: | |
GOFLAGS: -buildvcs=false | |
run: make build-cli |
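Review bot: The `Configure Git` step in lint-go (`git config --global --add safe.directory '*'`) disables Git's dubious-ownership check for every path in the container, while the equivalent `Git stuff` step in check-codegen limits it to the checkout path (`/__w/kargo/kargo`); the two jobs should agree, and the narrower form is the safer one, e.g. `run: git config --global --add safe.directory "$GITHUB_WORKSPACE"`. Related, every `uses:` in this file is pinned to a commit SHA, but the job containers (`golang:1.23.4-bookworm`) and the `registry:2` service are referenced by mutable tag only; for a change that introduces SBOMs and signing it would be consistent to pin those by digest as well (`image: golang:1.23.4-bookworm@sha256:<DIGEST>`). Lastly, the `Install tools` step in check-codegen runs `apt install unzip` without `-y`, which appears to succeed only because apt does not prompt when the single requested package pulls in no extra dependencies; `apt-get install -y --no-install-recommends unzip` makes the non-interactive intent explicit.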