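---
name: RF Runtime Release publish

# Controls when the workflow will run
on:  # yamllint disable-line rule:truthy
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      patch-version:
        description: 'Patch Version Number (1.0.XX)'
        required: true
        default: '22'
        type: string
      build-number:
        # Description corrected: this is the build number suffix, not the patch version.
        description: 'Build Number (1.0.22-XX)'
        required: true
        default: '1'
        type: string
      project-for-scan:
        description: 'Project for RF scan results'
        required: false
        default: '661'
        type: string

# Least privilege for GITHUB_TOKEN: creating/updating releases needs contents:write
# and no other step in this workflow uses the token.
permissions:
  contents: write

jobs:
  publish-release:
    runs-on: ubuntu-latest
    env:
      # workflow_dispatch inputs are user-controlled text. They are exposed to the shell
      # through the environment instead of being interpolated into `run:` scripts with
      # ${{ }}, so an input cannot alter the script itself (GitHub script-injection).
      # Secrets are passed the same way but only to the steps that need them.
      PATCH_VERSION: ${{ inputs.patch-version }}
      BUILD_NUMBER: ${{ inputs.build-number }}
      PROJECT_FOR_SCAN: ${{ inputs.project-for-scan }}
      # Path of the Helm values file rewritten by the CNAB steps below.
      VALUES_FILE: ${{ github.workspace }}/cnab_bundle/k8s-scanner/values.yaml
    steps:
      - name: Clone runtime repo
        uses: actions/checkout@v4

      - name: Download release
        env:
          PRODMON_STORAGE_ACCOUNT: ${{ secrets.PRODMON_STORAGE_ACCOUNT }}
          PRODMON_STORAGE_KEY: ${{ secrets.PRODMON_STORAGE_KEY }}
        run: |
          REVISION="1.0.${PATCH_VERSION}-${BUILD_NUMBER}"
          az storage blob download \
            --account-name "$PRODMON_STORAGE_ACCOUNT" \
            --account-key "$PRODMON_STORAGE_KEY" \
            --container-name "releases" \
            --name "rfcmd-${REVISION}.tar.gz" \
            --file "rfcmd-${REVISION}.tar.gz"
          tar xvzf "rfcmd-${REVISION}.tar.gz"

      # NOTE(review): third-party actions are referenced by a mutable tag (@v1); pinning
      # to a full commit SHA (e.g. softprops/action-gh-release@<commit-sha>) protects
      # the release step against a compromised or force-moved tag.
      - name: Make Release
        uses: softprops/action-gh-release@v1
        with:
          name: 1.0.${{ inputs.patch-version }}
          tag_name: 1.0.${{ inputs.patch-version }}
          body_path: CHANGELOG.md
          files: |
            rf-cmd-darwin-arm64
            rf-cmd-linux-amd64

      - name: Update latest Release
        uses: softprops/action-gh-release@v1
        with:
          name: latest
          tag_name: latest
          body_path: CHANGELOG.md
          files: |
            rf-cmd-darwin-arm64
            rf-cmd-linux-amd64

      # NOTE(review): crane is fetched from the "latest" release with no checksum or
      # signature check; pinning a release version and verifying its checksum would make
      # this install reproducible and tamper-evident.
      - name: Install crane
        run: |
          VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name')
          OS=Linux
          ARCH=x86_64
          curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
          tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
          crane version

      # Registry passwords are read from stdin rather than passed with -p, so they do not
      # appear in the process argument list or in the command text echoed to the log.
      - name: docker login to quay
        env:
          QUAY_USERNAME: ${{ secrets.RF_QUAY_USERNAME }}
          QUAY_PASSWORD: ${{ secrets.RF_QUAY_PASSWORD }}
        run: printf '%s' "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io

      - name: crane login to quay
        env:
          QUAY_USERNAME: ${{ secrets.RF_QUAY_USERNAME }}
          QUAY_PASSWORD: ${{ secrets.RF_QUAY_PASSWORD }}
        run: printf '%s' "$QUAY_PASSWORD" | crane auth login quay.io -u "$QUAY_USERNAME" --password-stdin

      - name: crane login to rfruntimeoffer
        env:
          ACR_USERNAME: ${{ secrets.RF_AZURE_RUNTIMEOFFER_USERNAME }}
          ACR_PASSWORD: ${{ secrets.RF_AZURE_RUNTIMEOFFER_PASSWORD }}
        run: printf '%s' "$ACR_PASSWORD" | crane auth login rfruntimeoffer.azurecr.io -u "$ACR_USERNAME" --password-stdin

      - name: download CNAB bundle
        env:
          PRODMON_STORAGE_ACCOUNT: ${{ secrets.PRODMON_STORAGE_ACCOUNT }}
          PRODMON_STORAGE_KEY: ${{ secrets.PRODMON_STORAGE_KEY }}
        run: |
          REVISION="1.0.${PATCH_VERSION}-${BUILD_NUMBER}"
          az storage blob download \
            --account-name "$PRODMON_STORAGE_ACCOUNT" \
            --account-key "$PRODMON_STORAGE_KEY" \
            --container-name "releases" \
            --name "cnab-${REVISION}.tar.gz" \
            --file "cnab-${REVISION}.tar.gz"
          rm -rf "$GITHUB_WORKSPACE/cnab_bundle"
          mkdir -p "$GITHUB_WORKSPACE/cnab_bundle"
          tar -xvzf "cnab-${REVISION}.tar.gz" -C "$GITHUB_WORKSPACE/cnab_bundle"

      # NOTE(review): yq is also pulled from "latest" without verification; see the
      # crane note above.
      - name: download yq
        run: |
          yq_url=https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          wget -q "$yq_url" -O /usr/local/bin/yq
          yq --version

      - name: install the RapidFort CLI tools
        run: |
          # The installer runs as root, so the download must be authenticated: TLS
          # verification stays on (no -k) and -f makes an HTTP error fail the step
          # instead of handing an error page to bash.
          curl -fsSL https://us01.rapidfort.com/cli > rfcli
          sudo bash rfcli -p /usr/local/bin/rfcli
          rm rfcli
          echo "/usr/local/bin/rfcli" >> "$GITHUB_PATH"

      - name: authenticate
        env:
          RF_ROOT_URL: https://us01.rapidfort.com
          RF_ACCESS_ID: ${{ secrets.RF_ACCESS_ID }}
          RF_SECRET_ACCESS_KEY: ${{ secrets.RF_SECRET_ACCESS_KEY }}
        run: |
          rflogin

      - name: copy quay to rfruntime
        run: |
          echo "#!/bin/bash" > "$GITHUB_WORKSPACE/scan_script.sh"
          chmod +x "$GITHUB_WORKSPACE/scan_script.sh"
          image_keys=$(yq eval '.global.azure.images | keys ' "$VALUES_FILE")
          # Iterate over the images; `yq ... | keys` prints one "- key" line per image.
          while IFS= read -r image_key; do
            # Remove "-" and extra space from the image
            image_key=${image_key//- /}
            echo "fetching details for ${image_key}"
            image=$(yq eval ".global.azure.images.${image_key}.image" "$VALUES_FILE")
            registry=$(yq eval ".global.azure.images.${image_key}.registry" "$VALUES_FILE")
            tag=$(yq eval ".global.azure.images.${image_key}.tag" "$VALUES_FILE")
            docker pull "${registry}/${image}:${tag}"
            # Queue the scan; the project id comes from the environment, not from ${{ }}.
            echo rfscan "${registry}/${image}:${tag}" -p "${PROJECT_FOR_SCAN}" >> "$GITHUB_WORKSPACE/scan_script.sh"
            crane copy "${registry}/${image}:${tag}" rfruntimeoffer.azurecr.io/"${image}:${tag}"
          done <<< "$image_keys"
          # Several keys can map to the same image; scan each unique line once.
          awk '!seen[$0]++' < "$GITHUB_WORKSPACE/scan_script.sh" > "$GITHUB_WORKSPACE/scan_script_deduped.sh"
          chmod +x "$GITHUB_WORKSPACE/scan_script_deduped.sh"
          cat "$GITHUB_WORKSPACE/scan_script_deduped.sh"
          bash -c "$GITHUB_WORKSPACE/scan_script_deduped.sh"

      - name: modify registry to azure registry
        run: |
          image_keys=$(yq eval '.global.azure.images | keys ' "$VALUES_FILE")
          # Iterate over the images; `yq ... | keys` prints one "- key" line per image.
          while IFS= read -r image_key; do
            # Remove "-" and extra space from the image
            image_key=${image_key//- /}
            echo "updating registry for ${image_key}"
            yq eval -i ".global.azure.images.${image_key}.registry = \"rfruntimeoffer.azurecr.io\"" "$VALUES_FILE"
          done <<< "$image_keys"
          echo " ***** dumping $VALUES_FILE ****"
          cat "$VALUES_FILE"

      - name: publish cnab bundle
        env:
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          docker pull mcr.microsoft.com/container-package-app:latest
          cat cnab_publish.sh
          echo " running docker now for cnab publishing"
          # `-e NAME` with no value forwards the variable from the step environment, so
          # the service-principal secret never appears on the docker command line.
          # NOTE(review): mounting the Docker socket gives the container full control of
          # the runner's Docker daemon; cnab_publish.sh comes from the checked-out repo,
          # so changes to it deserve the same review as this workflow.
          docker run -i \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$GITHUB_WORKSPACE/cnab_bundle:/data" \
            -v "$GITHUB_WORKSPACE/cnab_publish.sh:/scripts/cnab_publish.sh" \
            -e AZURE_TENANT_ID \
            -e AZURE_CLIENT_ID \
            -e AZURE_CLIENT_SECRET \
            -e REGISTRY_NAME=rfruntimeoffer \
            --entrypoint "/scripts/cnab_publish.sh" \
            mcr.microsoft.com/container-package-app:latest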