support exposure analysis + tests #94
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_call: | |
| push: | |
| tags: | |
| - '*-nightly-*' | |
| branches: | |
| - master | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| jobs: | |
| define-job-matrix: | |
| outputs: | |
| matrix: ${{ steps.define-job-matrix.outputs.matrix }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Define the matrix for build jobs | |
| id: define-job-matrix | |
| run: | | |
| source './scripts/ci/lib.sh' | |
| matrix='{ "pre_build_go_binaries": { "name":[], "arch":[] }, "build_and_push_main": { "name":[], "arch":[] }, "push_main_multiarch_manifests": { "name":[] } }' | |
| # The base matrix | |
| matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.arch += ["amd64", "arm64"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.arch += ["amd64", "arm64"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")" | |
| if ! is_in_PR_context || pr_has_label ci-build-all-arch; then | |
| matrix="$(jq '.pre_build_go_binaries.arch += ["ppc64le", "s390x"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.arch += ["ppc64le", "s390x"]' <<< "$matrix")" | |
| fi; | |
| # Conditionally add a prerelease build (binaries built with GOTAGS=release) | |
| if ! is_tagged; then | |
| if ! is_in_PR_context || pr_has_label ci-build-prerelease; then | |
| matrix="$(jq '.pre_build_go_binaries.name += ["prerelease"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["prerelease"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["prerelease"]' <<< "$matrix")" | |
| fi | |
| fi | |
| # Conditionally add a -race debug build (binaries built with -race) | |
| if ! is_in_PR_context || pr_has_label ci-build-race-condition-debug; then | |
| matrix="$(jq '.pre_build_go_binaries.name += ["race-condition-debug"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["race-condition-debug"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["race-condition-debug"]' <<< "$matrix")" | |
| # Exclude "arm64", "ppc64le", "s390x" | |
| matrix="$(jq '.pre_build_go_binaries.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
| fi | |
| echo "Job matrix after conditionals:" | |
| jq <<< "$matrix" | |
| condensed="$(jq -c <<< "$matrix")" | |
| echo "matrix=$condensed" >> "$GITHUB_OUTPUT" | |
| pre-build-ui: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| branding: [ RHACS_BRANDING, STACKROX_BRANDING ] | |
| env: | |
| ROX_PRODUCT_BRANDING: ${{ matrix.branding }} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/cache-ui-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Fetch UI deps | |
| run: make -C ui deps | |
| - name: Build UI | |
| run: make -C ui build | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: ui-${{env.ROX_PRODUCT_BRANDING}}-build | |
| path: | | |
| ui/build | |
| ui/apps/platform/yarn.lock | |
| pre-build-cli: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Build CLI | |
| run: make cli | |
| - name: Bundle build to preserve permissions | |
| run: tar -cvzf cli-build.tgz bin | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: cli-build | |
| path: cli-build.tgz | |
| pre-build-go-binaries: | |
| strategy: | |
| # Supports three go binary builds: | |
| # default - built with environment defaults (see handle-tagged-build & env.mk) | |
| # prerelease - built with GOTAGS=release | |
| # race-condition-debug - built with -race | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).pre_build_go_binaries }} | |
| needs: define-job-matrix | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: PR labels | |
| uses: joerick/[email protected] | |
| - name: Setup build env for debugging support | |
| run: | | |
| if [[ "${GITHUB_HEAD_REF:-}" =~ -debug ]]; then | |
| echo "DEBUG_BUILD=yes" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Setup Go build environment for release | |
| if: | | |
| contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
| || | |
| matrix.name == 'prerelease' | |
| run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
| - name: Setup Go build environment for -race | |
| if: | | |
| matrix.arch == 'amd64' | |
| && | |
| ( | |
| contains(github.event.pull_request.labels.*.name, 'ci-race-tests') | |
| || | |
| matrix.name == 'race-condition-debug' | |
| ) | |
| run: echo "RACE=true" >> "$GITHUB_ENV" | |
| - name: Build Go Binaries | |
| run: | | |
| if [[ "${{ matrix.arch }}" != "amd64" ]]; then | |
| echo "Building non-amd binary" | |
| GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=0 make build-prep main-build-nodeps | |
| else | |
| echo "Building amd binary" | |
| GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=1 make build-prep main-build-nodeps | |
| fi | |
| - name: Bundle the build to preserve permissions | |
| run: tar -cvzf go-binaries-build.tgz bin/linux_${{ matrix.arch }} | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: go-binaries-build-${{ matrix.arch }}-${{ matrix.name }} | |
| path: go-binaries-build.tgz | |
| pre-build-docs: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Resolve mods for protos | |
| run: go mod tidy | |
| - name: Generate the swagger docs | |
| run: | | |
| make swagger-docs | |
| # Workaround to handle https://github.com/actions/cache/issues/753 | |
| rm -rf .proto | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: docs-build | |
| path: | | |
| image/rhel/docs | |
| build-and-push-main: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| - pre-build-ui | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| - pre-build-docs | |
| # This step will run even if required pre-* steps failed. By following this | |
| # approach as much of the build matrix as possible is completed despite | |
| # transient issues e.g. docker pull timeouts. In this way some e2e jobs that | |
| # require some part of the build matrix can still proceed. | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| # Supports four image builds (see Setup build env): | |
| # STACKROX_BRANDING | |
| # RHACS_BRANDING | |
| # prerelease | |
| # race-condition-debug | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_main }} | |
| env: | |
| GO_BINARIES_BUILD_ARTIFACT: "" | |
| ROX_PRODUCT_BRANDING: "" | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| env: | |
| QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
| QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| steps: | |
| - name: Setup build env | |
| run: | | |
| case "${{ matrix.name }}" in | |
| STACKROX_BRANDING) | |
| go_binaries="default" | |
| brand="STACKROX_BRANDING" | |
| ;; | |
| RHACS_BRANDING) | |
| go_binaries="default" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| race-condition-debug) | |
| go_binaries="race-condition-debug" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| prerelease) | |
| go_binaries="prerelease" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| *) | |
| echo "Unsupported build: ${{ matrix.name }}" | |
| exit 1 | |
| esac | |
| { | |
| echo "GO_BINARIES_BUILD_ARTIFACT=go-binaries-build-${{ matrix.arch }}-${go_binaries}" | |
| echo "ROX_PRODUCT_BRANDING=${brand}" | |
| } >> "$GITHUB_ENV" | |
| if [[ "${GITHUB_HEAD_REF:-}" =~ -debug ]]; then | |
| echo "DEBUG_BUILD=yes" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Login to docker.io to mitigate rate limiting on downloading images | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_CI_ACCOUNT_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_CI_ACCOUNT_PASSWORD }} | |
| - name: Set up QEMU | |
| if: matrix.arch != 'amd64' | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Checkout submodules | |
| run: | | |
| git submodule update --init | |
| - uses: ./.github/actions/handle-tagged-build | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: ui-${{ env.ROX_PRODUCT_BRANDING }}-build | |
| path: ui | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: cli-build | |
| - name: Unpack cli build | |
| run: | | |
| tar xvzf cli-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: ${{ env.GO_BINARIES_BUILD_ARTIFACT }} | |
| - name: Unpack Go binaries build | |
| run: | | |
| tar xvzf go-binaries-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: docs-build | |
| path: image/rhel/docs | |
| # needed to restore node_modules for ossls-nostice | |
| - uses: ./.github/actions/cache-ui-dependencies | |
| # explicitly fetch deps just in case cache was not ready | |
| - name: Fetch UI deps | |
| run: make -C ui deps | |
| - name: Generate OSS notice | |
| run: make ossls-notice | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Build main images | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make docker-build-main-image | |
| - name: Check debugger presence in the main image | |
| run: make check-debugger | |
| - name: Build roxctl image | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make docker-build-roxctl-image | |
| # needed for docs ensure_image.sh initial pull with RHACS_BRANDING | |
| - name: Docker login | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| ./scripts/ci/lib.sh registry_ro_login "quay.io/rhacs-eng" | |
| - name: Push images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| push_main_image_set "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
| - name: Push matching collector and scanner images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| # Need to free up some space before push_matching_collector_scanner_images() does its pull. | |
| docker system prune --all --force | |
| source ./scripts/ci/lib.sh | |
| push_matching_collector_scanner_images "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
| push-main-manifests: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| - build-and-push-main | |
| # This step will run even if some of the build-and-push-matrix steps failed. | |
| # By following this approach as much of the build matrix as possible is | |
| # completed despite transient issues e.g. docker pull timeouts. In this way | |
| # some e2e jobs that require some part of the build matrix can still | |
| # proceed. | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| # Supports four image builds (see Setup build env): | |
| # STACKROX_BRANDING | |
| # RHACS_BRANDING | |
| # prerelease | |
| # race-condition-debug | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_main_multiarch_manifests }} | |
| env: | |
| ROX_PRODUCT_BRANDING: "" | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| env: | |
| QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
| QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| steps: | |
| - name: Setup build env | |
| run: | | |
| case "${{ matrix.name }}" in | |
| STACKROX_BRANDING) | |
| brand="STACKROX_BRANDING" | |
| ;; | |
| RHACS_BRANDING) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| race-condition-debug) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| prerelease) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| *) | |
| echo "Unsupported build: ${{ matrix.name }}" | |
| exit 1 | |
| esac | |
| { | |
| echo "ROX_PRODUCT_BRANDING=${brand}" | |
| } >> "$GITHUB_ENV" | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Checkout submodules | |
| run: | | |
| git submodule update --init | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Build and push manifest lists | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| architectures="amd64,arm64" | |
| if ! is_in_PR_context || pr_has_label ci-build-all-arch; then | |
| architectures="amd64,arm64,ppc64le,s390x" | |
| fi | |
| if [[ "${{ matrix.name }}" == "race-condition-debug" ]]; then | |
| architectures="amd64" | |
| fi | |
| push_image_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "$architectures" | |
| - name: Comment on the PR | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.RHACS_BOT_GITHUB_TOKEN }}" | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| add_build_comment_to_pr | |
| build-and-push-operator: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| env: | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_RHACS_ENG_BEARER_TOKEN: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }} | |
| strategy: | |
| matrix: | |
| branding: [ RHACS_BRANDING ] | |
| env: | |
| ROX_PRODUCT_BRANDING: ${{ matrix.branding }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Resolve mods for protos | |
| run: go mod tidy | |
| - name: PR labels | |
| uses: joerick/[email protected] | |
| - name: Setup Go build environment | |
| if: contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
| run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
| - name: Docker login | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| ./scripts/ci/lib.sh registry_rw_login "quay.io/rhacs-eng" | |
| - name: Build Operator Bundle image | |
| run: | | |
| make -C operator/ bundle bundle-build | |
| - name: Build Operator image | |
| run: | | |
| scripts/lib.sh retry 6 true make -C operator/ build docker-build | |
| - name: Check that Operator image is runnable | |
| run: docker run --rm "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help | |
| - name: Push images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ docker-push docker-push-bundle | cat | |
| # Index image can only be built once bundle was pushed | |
| - name: Build index | |
| # Skip for external contributions as the build relies on the previous image to be pushed. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ index-build | |
| - name: Push index image | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ docker-push-index | cat | |
| scan-go-binaries: | |
| if: | | |
| contains(github.event.pull_request.labels.*.name, 'scan-go-binaries') | |
| env: | |
| ARTIFACT_DIR: junit-reports/ | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| needs: | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: cli-build | |
| - name: Unpack cli build | |
| run: | | |
| tar xvzf cli-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: go-binaries-build-amd64-default | |
| - name: Unpack Go binaries build | |
| run: | | |
| tar xvzf go-binaries-build.tgz | |
| - name: Scan | |
| run: | | |
| ./scripts/ci/govulncheck.sh | |
| - name: Publish Test Report | |
| uses: test-summary/action@v2 | |
| if: always() | |
| with: | |
| paths: 'junit-reports/**/*.xml' | |
| - name: Report junit failures in jira | |
| uses: ./.github/actions/junit2jira | |
| if: always() | |
| with: | |
| jira-token: ${{ secrets.JIRA_TOKEN }} | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| directory: 'junit-reports' | |
| scan-images-with-roxctl: | |
| if: github.event_name == 'push' | |
| needs: | |
| - build-and-push-main | |
| - build-and-push-operator | |
| - push-main-manifests | |
| name: Check images for vulnerabilities | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Needed for stackrox/central-login to create the JWT token. | |
| id-token: write | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| [ | |
| "central-db", | |
| "collector", | |
| "collector-slim", | |
| "main", | |
| "roxctl", | |
| "scanner", | |
| "scanner-db", | |
| "scanner-db-slim", | |
| "scanner-slim", | |
| "stackrox-operator", | |
| ] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Central login | |
| uses: stackrox/central-login@v1 | |
| with: | |
| endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} | |
| - name: Install roxctl | |
| uses: stackrox/roxctl-installer-action@v1 | |
| with: | |
| central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} | |
| central-token: ${{ env.ROX_API_TOKEN }} | |
| - name: Scan images for vulnerabilities | |
| run: | | |
| release_tag=$(make tag) | |
| if [[ ${{ matrix.image }} =~ "operator" ]]; then | |
| release_tag=$(make -C operator --silent tag) | |
| fi | |
| roxctl image scan --retries=10 --retry-delay=15 --force --severity=CRITICAL,IMPORTANT --output=sarif \ | |
| --image="quay.io/rhacs-eng/${{ matrix.image }}:${release_tag}" \ | |
| > results.sarif | |
| - name: Upload roxctl scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| category: ${{ matrix.image }} | |
| sarif_file: results.sarif | |
| slack-on-build-failure: | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_CI_INTEGRATION_TESTING_WEBHOOK: ${{ secrets.SLACK_CI_INTEGRATION_TESTING_WEBHOOK }} | |
| TEST_FAILURES_NOTIFY_WEBHOOK: ${{ secrets.TEST_FAILURES_NOTIFY_WEBHOOK }} | |
| if: | | |
| failure() && ( | |
| github.event_name == 'push' || | |
| contains(github.event.pull_request.labels.*.name, 'ci-test-github-action-slack-messages') | |
| ) | |
| name: Post failure message to Slack | |
| runs-on: ubuntu-latest | |
| needs: | |
| - pre-build-ui | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| - pre-build-docs | |
| - build-and-push-main | |
| - build-and-push-operator | |
| - scan-images-with-roxctl | |
| - scan-go-binaries | |
| permissions: | |
| actions: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Slack message | |
| env: | |
| GITHUB_CONTEXT: ${{ toJSON(github) }} | |
| run: | | |
| source scripts/ci/lib.sh | |
| slack_workflow_failure |