chore(deps): update rhtap references (master) (#8561) #86
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
workflow_call: | |
push: | |
tags: | |
- '*-nightly-*' | |
branches: | |
- master | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
jobs: | |
define-job-matrix: | |
outputs: | |
matrix: ${{ steps.define-job-matrix.outputs.matrix }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Define the matrix for build jobs | |
id: define-job-matrix | |
run: | | |
source './scripts/ci/lib.sh' | |
matrix='{ "pre_build_go_binaries": { "name":[], "arch":[] }, "build_and_push_main": { "name":[], "arch":[] }, "push_main_multiarch_manifests": { "name":[] } }' | |
# The base matrix | |
matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")" | |
matrix="$(jq '.pre_build_go_binaries.arch += ["amd64", "arm64", "ppc64le", "s390x"]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.name += ["STACKROX_BRANDING", "RHACS_BRANDING"]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.arch += ["amd64", "arm64", "ppc64le", "s390x"]' <<< "$matrix")" | |
matrix="$(jq '.push_main_multiarch_manifests.name += ["STACKROX_BRANDING", "RHACS_BRANDING"]' <<< "$matrix")" | |
# Conditionally add a prerelease build (binaries built with GOTAGS=release) | |
if ! is_tagged; then | |
if ! is_in_PR_context || pr_has_label ci-build-prerelease; then | |
matrix="$(jq '.pre_build_go_binaries.name += ["prerelease"]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.name += ["prerelease"]' <<< "$matrix")" | |
matrix="$(jq '.push_main_multiarch_manifests.name += ["prerelease"]' <<< "$matrix")" | |
fi | |
fi | |
# Conditionally add a -race debug build (binaries built with -race) | |
if ! is_in_PR_context || pr_has_label ci-build-race-condition-debug; then | |
matrix="$(jq '.pre_build_go_binaries.name += ["race-condition-debug"]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.name += ["race-condition-debug"]' <<< "$matrix")" | |
matrix="$(jq '.push_main_multiarch_manifests.name += ["race-condition-debug"]' <<< "$matrix")" | |
# Exclude "arm64", "ppc64le", "s390x" | |
matrix="$(jq '.pre_build_go_binaries.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
fi | |
echo "Job matrix after conditionals:" | |
jq <<< "$matrix" | |
condensed="$(jq -c <<< "$matrix")" | |
echo "matrix=$condensed" >> "$GITHUB_OUTPUT" | |
pre-build-ui: | |
strategy: | |
matrix: | |
branding: [ RHACS_BRANDING, STACKROX_BRANDING ] | |
env: | |
ROX_PRODUCT_BRANDING: ${{ matrix.branding }} | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- uses: ./.github/actions/create-concatenated-ui-monorepo-lock | |
- uses: ./.github/actions/cache-ui-dependencies | |
- uses: ./.github/actions/handle-tagged-build | |
- name: Fetch UI deps | |
run: make -C ui deps | |
- name: Build UI | |
run: make -C ui build | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: ui-${{env.ROX_PRODUCT_BRANDING}}-build | |
path: | | |
ui/build | |
ui/monorepo.lock | |
pre-build-cli: | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Cache Go dependencies | |
uses: ./.github/actions/cache-go-dependencies | |
- uses: ./.github/actions/handle-tagged-build | |
- name: Build CLI | |
run: make cli | |
- name: Bundle build to preserve permissions | |
run: tar -cvzf cli-build.tgz bin | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: cli-build | |
path: cli-build.tgz | |
pre-build-go-binaries: | |
strategy: | |
# Supports three go binary builds: | |
# default - built with environment defaults (see handle-tagged-build & env.mk) | |
# prerelease - built with GOTAGS=release | |
# race-condition-debug - built with -race | |
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).pre_build_go_binaries }} | |
needs: define-job-matrix | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Cache Go dependencies | |
uses: ./.github/actions/cache-go-dependencies | |
- uses: ./.github/actions/handle-tagged-build | |
- name: PR labels | |
uses: joerick/[email protected] | |
- name: Setup Go build environment for release | |
if: | | |
contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
|| | |
matrix.name == 'prerelease' | |
run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
- name: Setup Go build environment for -race | |
if: | | |
contains(github.event.pull_request.labels.*.name, 'ci-race-tests') | |
|| | |
matrix.name == 'race-condition-debug' | |
run: echo "RACE=true" >> "$GITHUB_ENV" | |
- name: Build Go Binaries | |
run: | | |
if [[ "${{ matrix.arch }}" != "amd64" ]]; then | |
echo "Building non-amd binary" | |
GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=0 make build-prep main-build-nodeps | |
else | |
echo "Building amd binary" | |
GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=1 make build-prep main-build-nodeps | |
fi | |
- name: Bundle the build to preserve permissions | |
run: tar -cvzf go-binaries-build.tgz bin/linux_${{ matrix.arch }} | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: go-binaries-build-${{ matrix.arch }}-${{ matrix.name }} | |
path: go-binaries-build.tgz | |
pre-build-docs: | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Cache Go dependencies | |
uses: ./.github/actions/cache-go-dependencies | |
- uses: ./.github/actions/handle-tagged-build | |
- name: Resolve mods for protos | |
run: go mod tidy | |
- name: Generate the swagger docs | |
run: | | |
make swagger-docs | |
# Workarround to handle https://github.com/actions/cache/issues/753 | |
rm -rf .proto | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: docs-build | |
path: | | |
image/rhel/docs | |
build-and-push-main: | |
runs-on: ubuntu-latest | |
needs: | |
- define-job-matrix | |
- pre-build-ui | |
- pre-build-cli | |
- pre-build-go-binaries | |
- pre-build-docs | |
strategy: | |
# Supports four image builds (see Setup build env): | |
# STACKROX_BRANDING | |
# RHACS_BRANDING | |
# prerelease | |
# race-condition-debug | |
fail-fast: false | |
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_main }} | |
env: | |
GO_BINARIES_BUILD_ARTIFACT: "" | |
ROX_PRODUCT_BRANDING: "" | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
env: | |
QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
steps: | |
- name: Setup build env | |
run: | | |
case "${{ matrix.name }}" in | |
STACKROX_BRANDING) | |
go_binaries="default" | |
brand="STACKROX_BRANDING" | |
;; | |
RHACS_BRANDING) | |
go_binaries="default" | |
brand="RHACS_BRANDING" | |
;; | |
race-condition-debug) | |
go_binaries="race-condition-debug" | |
brand="RHACS_BRANDING" | |
;; | |
prerelease) | |
go_binaries="prerelease" | |
brand="RHACS_BRANDING" | |
;; | |
*) | |
echo "Unsupported build: ${{ matrix.name }}" | |
exit 1 | |
esac | |
{ | |
echo "GO_BINARIES_BUILD_ARTIFACT=go-binaries-build-${{ matrix.arch }}-${go_binaries}" | |
echo "ROX_PRODUCT_BRANDING=${brand}" | |
} >> "$GITHUB_ENV" | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Checkout submodules | |
run: | | |
git submodule update --init | |
- uses: ./.github/actions/handle-tagged-build | |
- uses: actions/download-artifact@v3 | |
with: | |
name: ui-${{ env.ROX_PRODUCT_BRANDING }}-build | |
path: ui | |
- uses: actions/download-artifact@v3 | |
with: | |
name: cli-build | |
- name: Unpack cli build | |
run: | | |
tar xvzf cli-build.tgz | |
- uses: actions/download-artifact@v3 | |
with: | |
name: ${{ env.GO_BINARIES_BUILD_ARTIFACT }} | |
- name: Unpack Go binaries build | |
run: | | |
tar xvzf go-binaries-build.tgz | |
- uses: actions/download-artifact@v3 | |
with: | |
name: docs-build | |
path: image/rhel/docs | |
- uses: ./.github/actions/create-concatenated-ui-monorepo-lock | |
# needed to restore node_modules for ossls-nostice | |
- uses: ./.github/actions/cache-ui-dependencies | |
# explicitly fetch deps just in case cache was not ready | |
- name: Fetch UI deps | |
run: make -C ui deps | |
- name: Generate OSS notice | |
run: make ossls-notice | |
- name: Set build tag for prerelease images | |
if: matrix.name == 'prerelease' | |
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
- name: Set build tag for race condition images | |
if: matrix.name == 'race-condition-debug' | |
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
- name: Build main images | |
run: | | |
GOOS=linux GOARCH=${{ matrix.arch }} make docker-build-main-image | |
- name: Check debugger presence in the main image | |
run: make check-debugger | |
- name: Build roxctl image | |
run: | | |
GOOS=linux GOARCH=${{ matrix.arch }} make docker-build-roxctl-image | |
# needed for docs ensure_image.sh initial pull with RHACS_BRANDING | |
- name: Docker login | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
docker login -u "${QUAY_RHACS_ENG_RO_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RO_PASSWORD}" | |
- name: Push images | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
source ./scripts/ci/lib.sh | |
echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
push_context="" | |
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
push_context="merge-to-master" | |
fi | |
push_main_image_set "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
- name: Push matching collector and scanner images | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
# Need to free up some space before push_matching_collector_scanner_images() does its pull. | |
docker system prune --all --force | |
source ./scripts/ci/lib.sh | |
push_matching_collector_scanner_images "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
push-main-manifests: | |
runs-on: ubuntu-latest | |
needs: | |
- define-job-matrix | |
- build-and-push-main | |
strategy: | |
# Supports four image builds (see Setup build env): | |
# STACKROX_BRANDING | |
# RHACS_BRANDING | |
# prerelease | |
# race-condition-debug | |
fail-fast: false | |
matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_main_multiarch_manifests }} | |
env: | |
ROX_PRODUCT_BRANDING: "" | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
env: | |
QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
steps: | |
- name: Setup build env | |
run: | | |
case "${{ matrix.name }}" in | |
STACKROX_BRANDING) | |
brand="STACKROX_BRANDING" | |
;; | |
RHACS_BRANDING) | |
brand="RHACS_BRANDING" | |
;; | |
race-condition-debug) | |
brand="RHACS_BRANDING" | |
;; | |
prerelease) | |
brand="RHACS_BRANDING" | |
;; | |
*) | |
echo "Unsupported build: ${{ matrix.name }}" | |
exit 1 | |
esac | |
{ | |
echo "ROX_PRODUCT_BRANDING=${brand}" | |
} >> "$GITHUB_ENV" | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Checkout submodules | |
run: | | |
git submodule update --init | |
- uses: ./.github/actions/handle-tagged-build | |
- name: Set build tag for prerelease images | |
if: matrix.name == 'prerelease' | |
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
- name: Set build tag for race condition images | |
if: matrix.name == 'race-condition-debug' | |
run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
- name: Build and push manifest lists | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
source ./scripts/ci/lib.sh | |
echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
push_context="" | |
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
push_context="merge-to-master" | |
fi | |
architectures="amd64,arm64,ppc64le,s390x" | |
if [[ "${{ matrix.name }}" == "race-condition-debug" ]]; then | |
architectures="amd64" | |
fi | |
push_image_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "$architectures" | |
- name: Comment on the PR | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
env: | |
GITHUB_TOKEN: "${{ secrets.ROBOT_ROX_GITHUB_TOKEN }}" | |
run: | | |
source ./scripts/ci/lib.sh | |
add_build_comment_to_pr | |
build-and-push-operator: | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
env: | |
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
strategy: | |
matrix: | |
branding: [ RHACS_BRANDING ] | |
env: | |
ROX_PRODUCT_BRANDING: ${{ matrix.branding }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Cache Go dependencies | |
uses: ./.github/actions/cache-go-dependencies | |
- uses: ./.github/actions/handle-tagged-build | |
- name: Resolve mods for protos | |
run: go mod tidy | |
- name: PR labels | |
uses: joerick/[email protected] | |
- name: Setup Go build environment | |
if: contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
- name: Docker login | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
docker login -u "${QUAY_RHACS_ENG_RW_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RW_PASSWORD}" | |
- name: Build Operator Bundle image | |
run: | | |
make -C operator/ bundle bundle-build | |
- name: Build Operator image | |
run: make -C operator/ build docker-build | |
- name: Check that Operator image is runnable | |
run: docker run --rm "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help | |
- name: Push images | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
make -C operator/ docker-push docker-push-bundle | cat | |
# Index image can only be built once bundle was pushed | |
- name: Build index | |
# Skip for external contributions as the build relies on the previous image to be pushed. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
make -C operator/ index-build | |
- name: Push index image | |
# Skip for external contributions. | |
if: | | |
github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
run: | | |
make -C operator/ docker-push-index | cat | |
scan-images-with-roxctl: | |
if: github.event_name == 'push' | |
runs-on: ubuntu-latest | |
needs: | |
- build-and-push-main | |
container: | |
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61 | |
env: | |
STACKROX_CI_INSTANCE_API_KEY: ${{ secrets.STACKROX_CI_INSTANCE_API_KEY }} | |
STACKROX_CI_INSTANCE_CENTRAL_HOST: ${{ secrets.STACKROX_CI_INSTANCE_CENTRAL_HOST }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
- name: Checkout submodules | |
run: | | |
git submodule update --init | |
- uses: ./.github/actions/handle-tagged-build | |
- uses: actions/download-artifact@v3 | |
with: | |
name: cli-build | |
- name: Unpack cli build | |
run: | | |
tar xvzf cli-build.tgz | |
- name: Install roxctl | |
run: | | |
make cli-install | |
roxctl version | |
- name: Scan images | |
run: | | |
./release/scripts/scan-images-with-roxctl.sh | |
slack-on-build-failure: | |
if: github.event_name == 'push' && failure() | |
name: Post failure message to Slack | |
runs-on: ubuntu-latest | |
needs: | |
- pre-build-ui | |
- pre-build-cli | |
- pre-build-go-binaries | |
- pre-build-docs | |
- build-and-push-main | |
- build-and-push-operator | |
- scan-images-with-roxctl | |
permissions: | |
actions: read | |
steps: | |
- name: Slack Workflow Notification | |
uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 | |
with: | |
include_commit_message: true | |
include_jobs: on-failure | |
repo_token: ${{secrets.GITHUB_TOKEN}} | |
slack_webhook_url: ${{secrets.TEST_FAILURES_NOTIFY_WEBHOOK}} |