Skip to content

netpol connectivity diff commands tree #73

netpol connectivity diff commands tree

netpol connectivity diff commands tree #73

Workflow file for this run

name: Build
on:
workflow_call:
push:
tags:
- '*-nightly-*'
branches:
- master
pull_request:
types:
- opened
- reopened
- synchronize
jobs:
define-job-matrix:
outputs:
matrix: ${{ steps.define-job-matrix.outputs.matrix }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Define the matrix for build jobs
id: define-job-matrix
run: |
source './scripts/ci/lib.sh'
matrix='{ "pre_build_go_binaries": { "name":[], "arch":[] }, "build_and_push_main": { "name":[], "arch":[] }, "push_main_multiarch_manifests": { "name":[] } }'
# The base matrix
matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")"
matrix="$(jq '.pre_build_go_binaries.arch += ["amd64", "arm64", "ppc64le"]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.name += ["STACKROX_BRANDING", "RHACS_BRANDING"]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.arch += ["amd64", "arm64", "ppc64le"]' <<< "$matrix")"
matrix="$(jq '.push_main_multiarch_manifests.name += ["STACKROX_BRANDING", "RHACS_BRANDING"]' <<< "$matrix")"
# Conditionally add a prerelease build (binaries built with GOTAGS=release)
if ! is_tagged; then
if ! is_in_PR_context || pr_has_label ci-build-prerelease; then
matrix="$(jq '.pre_build_go_binaries.name += ["prerelease"]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.name += ["prerelease"]' <<< "$matrix")"
matrix="$(jq '.push_main_multiarch_manifests.name += ["prerelease"]' <<< "$matrix")"
fi
fi
# Conditionally add a -race debug build (binaries built with -race)
if ! is_in_PR_context || pr_has_label ci-build-race-condition-debug; then
matrix="$(jq '.pre_build_go_binaries.name += ["race-condition-debug"]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.name += ["race-condition-debug"]' <<< "$matrix")"
matrix="$(jq '.push_main_multiarch_manifests.name += ["race-condition-debug"]' <<< "$matrix")"
# Exclude "arm64", "ppc64le"
matrix="$(jq '.pre_build_go_binaries.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")"
matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")"
matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")"
fi
echo "Job matrix after conditionals:"
jq <<< "$matrix"
condensed="$(jq -c <<< "$matrix")"
echo "matrix=$condensed" >> "$GITHUB_OUTPUT"
pre-build-ui:
strategy:
matrix:
branding: [ RHACS_BRANDING, STACKROX_BRANDING ]
env:
ROX_PRODUCT_BRANDING: ${{ matrix.branding }}
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- uses: ./.github/actions/create-concatenated-ui-monorepo-lock
- uses: ./.github/actions/cache-ui-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: Fetch UI deps
run: make -C ui deps
- name: Build UI
run: make -C ui build
- uses: actions/upload-artifact@v3
with:
name: ui-${{env.ROX_PRODUCT_BRANDING}}-build
path: |
ui/build
ui/monorepo.lock
pre-build-cli:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Cache Go dependencies
uses: ./.github/actions/cache-go-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: Build CLI
run: make cli
- name: Bundle build to preserve permissions
run: tar -cvzf cli-build.tgz bin
- uses: actions/upload-artifact@v3
with:
name: cli-build
path: cli-build.tgz
pre-build-go-binaries:
strategy:
# Supports three go binary builds:
# default - built with environment defaults (see handle-tagged-build & env.mk)
# prerelease - built with GOTAGS=release
# race-condition-debug - built with -race
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).pre_build_go_binaries }}
needs: define-job-matrix
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Cache Go dependencies
uses: ./.github/actions/cache-go-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: PR labels
uses: joerick/[email protected]
- name: Setup Go build environment for release
if: |
contains(github.event.pull_request.labels.*.name, 'ci-release-build')
||
matrix.name == 'prerelease'
run: echo "GOTAGS=release" >> "$GITHUB_ENV"
- name: Setup Go build environment for -race
if: |
contains(github.event.pull_request.labels.*.name, 'ci-race-tests')
||
matrix.name == 'race-condition-debug'
run: echo "RACE=true" >> "$GITHUB_ENV"
- name: Build Go Binaries
run: |
if [[ "${{ matrix.arch }}" != "amd64" ]]; then
echo "Building non-amd binary"
GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=0 make build-prep main-build-nodeps
else
echo "Building amd binary"
GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=1 make build-prep main-build-nodeps
fi
- name: Bundle the build to preserve permissions
run: tar -cvzf go-binaries-build.tgz bin/linux_${{ matrix.arch }}
- uses: actions/upload-artifact@v3
with:
name: go-binaries-build-${{ matrix.arch }}-${{ matrix.name }}
path: go-binaries-build.tgz
pre-build-docs:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Cache Go dependencies
uses: ./.github/actions/cache-go-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: Resolve mods for protos
run: go mod tidy
- name: Generate the swagger docs
run: |
make swagger-docs
# Workarround to handle https://github.com/actions/cache/issues/753
rm -rf .proto
- uses: actions/upload-artifact@v3
with:
name: docs-build
path: |
image/rhel/docs
build-and-push-main:
runs-on: ubuntu-latest
needs:
- define-job-matrix
- pre-build-ui
- pre-build-cli
- pre-build-go-binaries
- pre-build-docs
strategy:
# Supports four image builds (see Setup build env):
# STACKROX_BRANDING
# RHACS_BRANDING
# prerelease
# race-condition-debug
fail-fast: false
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_main }}
env:
GO_BINARIES_BUILD_ARTIFACT: ""
ROX_PRODUCT_BRANDING: ""
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
env:
QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
steps:
- name: Setup build env
run: |
case "${{ matrix.name }}" in
STACKROX_BRANDING)
go_binaries="default"
brand="STACKROX_BRANDING"
;;
RHACS_BRANDING)
go_binaries="default"
brand="RHACS_BRANDING"
;;
race-condition-debug)
go_binaries="race-condition-debug"
brand="RHACS_BRANDING"
;;
prerelease)
go_binaries="prerelease"
brand="RHACS_BRANDING"
;;
*)
echo "Unsupported build: ${{ matrix.name }}"
exit 1
esac
{
echo "GO_BINARIES_BUILD_ARTIFACT=go-binaries-build-${{ matrix.arch }}-${go_binaries}"
echo "ROX_PRODUCT_BRANDING=${brand}"
} >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Checkout submodules
run: |
git submodule update --init
- uses: ./.github/actions/handle-tagged-build
- uses: actions/download-artifact@v3
with:
name: ui-${{ env.ROX_PRODUCT_BRANDING }}-build
path: ui
- uses: actions/download-artifact@v3
with:
name: cli-build
- name: Unpack cli build
run: |
tar xvzf cli-build.tgz
- uses: actions/download-artifact@v3
with:
name: ${{ env.GO_BINARIES_BUILD_ARTIFACT }}
- name: Unpack Go binaries build
run: |
tar xvzf go-binaries-build.tgz
- uses: actions/download-artifact@v3
with:
name: docs-build
path: image/rhel/docs
- uses: ./.github/actions/create-concatenated-ui-monorepo-lock
# needed to restore node_modules for ossls-nostice
- uses: ./.github/actions/cache-ui-dependencies
# explicitly fetch deps just in case cache was not ready
- name: Fetch UI deps
run: make -C ui deps
- name: Generate OSS notice
run: make ossls-notice
- name: Set build tag for prerelease images
if: matrix.name == 'prerelease'
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV"
- name: Set build tag for race condition images
if: matrix.name == 'race-condition-debug'
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV"
- name: Build main images
run: |
GOOS=linux GOARCH=${{ matrix.arch }} make docker-build-main-image
- name: Check debugger presence in the main image
run: make check-debugger
- name: Build roxctl image
run: |
GOOS=linux GOARCH=${{ matrix.arch }} make docker-build-roxctl-image
# needed for docs ensure_image.sh initial pull with RHACS_BRANDING
- name: Docker login
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
docker login -u "${QUAY_RHACS_ENG_RO_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RO_PASSWORD}"
- name: Push images
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
source ./scripts/ci/lib.sh
echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}"
push_context=""
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then
push_context="merge-to-master"
fi
push_main_image_set "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}"
- name: Push matching collector and scanner images
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
source ./scripts/ci/lib.sh
push_matching_collector_scanner_images "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}"
push-main-manifests:
runs-on: ubuntu-latest
needs:
- define-job-matrix
- build-and-push-main
strategy:
# Supports four image builds (see Setup build env):
# STACKROX_BRANDING
# RHACS_BRANDING
# prerelease
# race-condition-debug
fail-fast: false
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_main_multiarch_manifests }}
env:
ROX_PRODUCT_BRANDING: ""
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
env:
QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
steps:
- name: Setup build env
run: |
case "${{ matrix.name }}" in
STACKROX_BRANDING)
brand="STACKROX_BRANDING"
;;
RHACS_BRANDING)
brand="RHACS_BRANDING"
;;
race-condition-debug)
brand="RHACS_BRANDING"
;;
prerelease)
brand="RHACS_BRANDING"
;;
*)
echo "Unsupported build: ${{ matrix.name }}"
exit 1
esac
{
echo "ROX_PRODUCT_BRANDING=${brand}"
} >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Checkout submodules
run: |
git submodule update --init
- name: Set build tag for prerelease images
if: matrix.name == 'prerelease'
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV"
- name: Set build tag for race condition images
if: matrix.name == 'race-condition-debug'
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV"
- uses: ./.github/actions/handle-tagged-build
- name: Build and push manifest lists
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
source ./scripts/ci/lib.sh
echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}"
push_context=""
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then
push_context="merge-to-master"
fi
architectures="amd64,arm64,ppc64le"
if [[ "${{ matrix.name }}" == "race-condition-debug" ]]; then
architectures="amd64"
fi
push_image_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "$architectures"
- name: Comment on the PR
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
env:
GITHUB_TOKEN: "${{ secrets.ROBOT_ROX_GITHUB_TOKEN }}"
run: |
source ./scripts/ci/lib.sh
add_build_comment_to_pr
build-and-push-operator:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
env:
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
strategy:
matrix:
branding: [ RHACS_BRANDING ]
env:
ROX_PRODUCT_BRANDING: ${{ matrix.branding }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Cache Go dependencies
uses: ./.github/actions/cache-go-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: Resolve mods for protos
run: go mod tidy
- name: PR labels
uses: joerick/[email protected]
- name: Setup Go build environment
if: contains(github.event.pull_request.labels.*.name, 'ci-release-build')
run: echo "GOTAGS=release" >> "$GITHUB_ENV"
- name: Docker login
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
docker login -u "${QUAY_RHACS_ENG_RW_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RW_PASSWORD}"
- name: Build Operator Bundle image
run: |
make -C operator/ bundle bundle-build
- name: Build Operator image
run: make -C operator/ build docker-build
- name: Check that Operator image is runnable
run: docker run --rm "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help
- name: Push images
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
make -C operator/ docker-push docker-push-bundle | cat
# Index image can only be built once bundle was pushed
- name: Build index
# Skip for external contributions as the build relies on the previous image to be pushed.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
make -C operator/ index-build
- name: Push index image
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
run: |
make -C operator/ docker-push-index | cat
build-and-push-mock-grpc-server:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Cache Go dependencies
uses: ./.github/actions/cache-go-dependencies
- uses: ./.github/actions/handle-tagged-build
- name: Get tag
id: tag
run: |
echo "TAG=$(make --quiet --no-print-directory tag)" >> "$GITHUB_OUTPUT"
- name: Build image
run: make mock-grpc-server-image
- name: Set up Docker Buildx
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
uses: docker/setup-buildx-action@v2
- name: Login to quay.io/rhacs-eng
# Skip for external contributions.
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
- name: Push to quay.io/rhacs-eng
uses: docker/build-push-action@v4
if: |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork
with:
push: true
context: integration-tests/mock-grpc-server/image
tags: |
quay.io/rhacs-eng/grpc-server:${{ steps.tag.outputs.TAG }}
scan-images-with-roxctl:
if: github.event_name == 'push'
runs-on: ubuntu-latest
needs:
- build-and-push-main
container:
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.59
env:
STACKROX_CI_INSTANCE_API_KEY: ${{ secrets.STACKROX_CI_INSTANCE_API_KEY }}
STACKROX_CI_INSTANCE_CENTRAL_HOST: ${{ secrets.STACKROX_CI_INSTANCE_CENTRAL_HOST }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Ignore dubious repository ownership
run: |
# Prevent fatal error "detected dubious ownership in repository" from recent git.
git config --global --add safe.directory "$(pwd)"
- name: Checkout submodules
run: |
git submodule update --init
- uses: ./.github/actions/handle-tagged-build
- uses: actions/download-artifact@v3
with:
name: cli-build
- name: Unpack cli build
run: |
tar xvzf cli-build.tgz
- name: Install roxctl
run: |
make cli-install
roxctl version
- name: Scan images
run: |
./release/scripts/scan-images-with-roxctl.sh
slack-on-build-failure:
if: github.event_name == 'push' && failure()
name: Post failure message to Slack
runs-on: ubuntu-latest
needs:
- pre-build-ui
- pre-build-cli
- pre-build-go-binaries
- pre-build-docs
- build-and-push-main
- build-and-push-operator
- build-and-push-mock-grpc-server
- scan-images-with-roxctl
permissions:
actions: read
steps:
- name: Slack Workflow Notification
uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309
with:
include_commit_message: true
include_jobs: on-failure
repo_token: ${{secrets.GITHUB_TOKEN}}
slack_webhook_url: ${{secrets.TEST_FAILURES_NOTIFY_WEBHOOK}}