ci(security-scanner): add support for Red Hat UBI images and fix typo… #1709
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) HashiCorp, Inc. | |
# SPDX-License-Identifier: MPL-2.0 | |
# This workflow builds a dev binary and distributes a Docker image on every push to the main branch. | |
name: build-artifacts | |
on: | |
push: | |
branches: | |
- main | |
permissions: | |
contents: read | |
env: | |
GOPRIVATE: github.com/hashicorp # Required for enterprise deps | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-latest | |
outputs: | |
compute-small: ${{ steps.setup-outputs.outputs.compute-small }} | |
compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }} | |
compute-large: ${{ steps.setup-outputs.outputs.compute-large }} | |
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }} | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- id: setup-outputs | |
name: Setup outputs | |
run: ./.github/scripts/get_runner_classes.sh | |
get-go-version: | |
uses: ./.github/workflows/reusable-get-go-version.yml | |
dev-build-push: | |
needs: | |
- setup | |
- get-go-version | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }} | |
permissions: | |
id-token: write # NOTE: this permission is explicitly required for Vault auth. | |
contents: read | |
steps: | |
# NOTE: ENT specific step as we store secrets in Vault. | |
- name: Authenticate to Vault | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
id: vault-auth | |
run: vault-auth | |
# NOTE: ENT specific step as we store secrets in Vault. | |
- name: Fetch Secrets | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
id: secrets | |
uses: hashicorp/vault-action@v3 | |
with: | |
url: ${{ steps.vault-auth.outputs.addr }} | |
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }} | |
token: ${{ steps.vault-auth.outputs.token }} | |
secrets: | | |
kv/data/github/${{ github.repository }}/dockerhub username | DOCKERHUB_USERNAME; | |
kv/data/github/${{ github.repository }}/dockerhub token | DOCKERHUB_TOKEN; | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
# NOTE: ENT specific step as we need to set elevated GitHub permissions. | |
- name: Setup Git | |
if: ${{ endsWith(github.repository, '-enterprise') }} | |
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com" | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: ${{ needs.get-go-version.outputs.go-version }} | |
- run: go env | |
- name: Build dev binary | |
run: make dev | |
- name: Set env vars | |
run: | | |
echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
echo "GITHUB_BUILD_URL=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_ENV | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
# NOTE: conditional specific logic as we store secrets in Vault in ENT and use GHA secrets in CE. | |
- name: Login to Docker Hub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
username: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_USERNAME || secrets.DOCKERHUB_USERNAME }} | |
password: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} | |
- name: Docker build and push | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
context: ./bin | |
file: ./build-support/docker/Consul-Dev.dockerfile | |
labels: COMMIT_SHA=${{ github.sha }},GITHUB_BUILD_URL=${{ env.GITHUB_BUILD_URL }} | |
push: true | |
# This is required or else the image is not pullable. | |
# See https://github.com/docker/build-push-action/issues/820 for further | |
# details. | |
# TODO - investigate further and see if we can find a solution where we | |
# we don't have to know to set this. | |
provenance: false | |
tags: | | |
hashicorpdev/${{ github.event.repository.name }}:${{ env.SHORT_SHA }} | |
hashicorpdev/${{ github.event.repository.name }}:latest | |
# This is job is required for branch protection as a required gihub check | |
# because GitHub actions show up as checks at the job level and not the | |
# workflow level. This is currently a feature request: | |
# https://github.com/orgs/community/discussions/12395 | |
# | |
# This job must: | |
# - be placed after the fanout of a workflow so that everything fans back in | |
# to this job. | |
# - "need" any job that is part of the fan out / fan in | |
# - implement the if logic because we have conditional jobs | |
# (go-test-enteprise) that this job needs and this would potentially get | |
# skipped if a previous job got skipped. So we use the if clause to make | |
# sure it does not get skipped. | |
build-artifacts-success: | |
needs: | |
- setup | |
- dev-build-push | |
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }} | |
if: ${{ always() }} | |
steps: | |
- name: evaluate upstream job results | |
run: | | |
# exit 1 if failure or cancelled result for any upstream job | |
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then | |
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}" | |
exit 1 | |
fi |