Sync upstream main #392

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	- release-*
	pull_request: {}
	workflow_dispatch: {}

	env:
	# Common versions
	EARTHLY_VERSION: '0.8.13'

	# Force Earthly to use color output
	FORCE_COLOR: "1"

	# Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
	# a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether
	# credentials have been provided before trying to run steps that need them.
	DOCKER_USR: ${{ secrets.DOCKER_USR }}
	UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}


	jobs:
	check-diff:
	runs-on: ubuntu-22.04

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: \|
	echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
	echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Generate Files
	run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +generate

	- name: Count Changed Files
	id: changed_files
	run: echo "count=$(git status --porcelain \| wc -l)" >> $GITHUB_OUTPUT

	- name: Fail if Files Changed
	if: steps.changed_files.outputs.count != 0
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
	with:
	script: core.setFailed('Found changed files after running earthly +generate.')

	lint:
	runs-on: ubuntu-22.04

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: \|
	echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
	echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Lint
	run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +lint

	codeql:
	runs-on: ubuntu-22.04

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: \|
	echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
	echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Run CodeQL
	run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +ci-codeql

	- name: Upload CodeQL Results to GitHub
	uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3
	with:
	sarif_file: '_output/codeql/go.sarif'


	trivy-scan-fs:
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Run Trivy vulnerability scanner in fs mode
	uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	skip-dirs: design
	scan-ref: '.'
	severity: 'CRITICAL,HIGH'
	format: sarif
	output: 'trivy-results.sarif'

	- name: Upload Trivy Results to GitHub
	uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3
	with:
	sarif_file: 'trivy-results.sarif'

	unit-tests:
	runs-on: ubuntu-22.04

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: \|
	echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
	echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Run Unit Tests
	run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +test

	- name: Publish Unit Test Coverage
	uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4
	with:
	flags: unittests
	file: _output/tests/coverage.txt
	token: ${{ secrets.CODECOV_TOKEN }}

	e2e-tests:
	runs-on: ubuntu-22.04
	strategy:
	fail-fast: false
	matrix:
	test-suite:
	- base
	- environment-configs
	- usage
	- ssa-claims
	- realtime-compositions

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: \|
	echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
	echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Run E2E Tests
	run: \|
	earthly --strict --allow-privileged --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }}-${{ matrix.test-suite}} \
	+e2e --FLAGS="-test.failfast -fail-fast --test-suite ${{ matrix.test-suite }}"

	- name: Publish E2E Test Flakes
	if: '!cancelled()'
	uses: buildpulse/buildpulse-action@d0d30f53585cf16b2e01811a5a753fd47968654a # v0.11.0
	with:
	account: 45158470
	repository: 147886080
	key: ${{ secrets.BUILDPULSE_ACCESS_KEY_ID }}
	secret: ${{ secrets.BUILDPULSE_SECRET_ACCESS_KEY }}
	path: _output/tests/e2e-tests.xml

	publish-artifacts:
	runs-on: ubuntu-22.04

	steps:
	- name: Cleanup Disk
	uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
	with:
	android: true
	dotnet: true
	haskell: true
	tool-cache: true
	swap-storage: false
	# This works, and saves ~5GiB, but takes ~2 minutes to do it.
	large-packages: false
	# TODO(negz): Does having these around avoid Earthly needing to pull
	# large images like golang?
	docker-images: false

	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
	with:
	fetch-depth: 0

	- name: Setup Earthly
	uses: earthly/actions-setup@v1
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.EARTHLY_VERSION }}

	- name: Login to DockerHub
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.DOCKER_USR != ''
	with:
	username: ${{ secrets.DOCKER_USR }}
	password: ${{ secrets.DOCKER_PSW }}

	- name: Login to Upbound
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
	with:
	registry: xpkg.upbound.io
	username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
	password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Configure Earthly to Push Cache to GitHub Container Registry
	if: github.ref == 'refs/heads/main'
	run: echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

	- name: Configure Earthly to Push Artifacts
	if: (github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/heads/release-')) && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
	run: echo "EARTHLY_PUSH=true" >> $GITHUB_ENV

	- name: Set CROSSPLANE_VERSION GitHub Environment Variable
	run: earthly +ci-version

	- name: Build and Push Artifacts
	run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +ci-artifacts --CROSSPLANE_VERSION=${CROSSPLANE_VERSION}

	- name: Upload Artifacts to GitHub
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
	with:
	name: output
	path: _output/**

	fuzz-test:
	runs-on: ubuntu-22.04

	steps:
	# TODO(negz): Can we make this use our Go build and dependency cache? It
	# seems to build Crossplane inside of a Docker image.
	- name: Build Fuzzers
	id: build
	uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
	with:
	oss-fuzz-project-name: "crossplane"
	language: go

	- name: Run Fuzzers
	uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
	with:
	oss-fuzz-project-name: "crossplane"
	fuzz-seconds: 300
	language: go

	- name: Upload Crash
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
	if: failure() && steps.build.outcome == 'success'
	with:
	name: artifacts
	path: ./out/artifacts

	protobuf-schemas:
	runs-on: ubuntu-22.04

	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

	- name: Setup Buf
	uses: bufbuild/buf-setup-action@v1
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}

	- name: Lint Protocol Buffers
	uses: bufbuild/buf-lint-action@v1
	with:
	input: apis

	# buf-breaking-action doesn't support branches
	# https://github.com/bufbuild/buf-push-action/issues/34
	- name: Detect Breaking Changes in Protocol Buffers
	uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
	# We want to run this for the main branch, and PRs against main.
	if: ${{ github.ref == 'refs/heads/main' \|\| github.base_ref == 'main' }}
	with:
	input: apis
	against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main,subdir=apis"

	- name: Push Protocol Buffers to Buf Schema Registry
	if: ${{ github.repository == 'crossplane/crossplane' && github.ref == 'refs/heads/main' }}
	uses: bufbuild/buf-push-action@v1
	with:
	input: apis
	buf_token: ${{ secrets.BUF_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync upstream main #392

Workflow file

Sync upstream main #392

Jobs

Run details

Workflow file for this run