Skip to content

Perform dependency review on PR #1698

Perform dependency review on PR

Perform dependency review on PR #1698

name: Build and Deploy Skiperator
on:
workflow_dispatch:
push:
branches: [main]
paths-ignore:
- doc/**
- samples/**
- README.md
- CONTRIBUTING.md
pull_request:
branches: [main]
paths-ignore:
- doc/**
- samples/**
- README.md
- CONTRIBUTING.md
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
RBAC_FILE_PATH: config/rbac/role.yaml
CRD_APP_FILE_PATH: config/crd/skiperator.kartverket.no_applications.yaml
CRD_JOB_FILE_PATH: config/crd/skiperator.kartverket.no_skipjobs.yaml
CRD_ROUTING_FILE_PATH: config/crd/skiperator.kartverket.no_routings.yaml
ARTIFACT_NAME: skiperator-artifact-${{ github.sha }}-${{ github.run_id }}-${{ github.run_attempt }}
jobs:
build:
name: Build container image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
# Use sha for tags tags
type=sha,format=long
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build-docker
uses: docker/build-push-action@v6
with:
context: .
push: ${{ !github.event.pull_request.draft }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Notice of image digest
run: echo "${{ steps.build-docker.outputs.digest }}" >> $GITHUB_STEP_SUMMARY
outputs:
image_digest: ${{ steps.build-docker.outputs.digest }}
pharos-scan:
if: (!github.event.pull_request.draft)
name: Run Pharos Security Scan
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
actions: read
security-events: write
steps:
- name: Run Pharos
uses: kartverket/[email protected]
with:
image_url: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{needs.build.outputs.image_digest}}"
tfsec: false
generate:
if: (!github.event.pull_request.draft)
name: CRD and ClusterRole
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Golang environment
uses: actions/setup-go@v5
with:
go-version: '1.23.1'
- name: Generate CRD and ClusterRole
run: make generate
- name: Upload CRD and ClusterRole
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}
path: |
${{ env.RBAC_FILE_PATH }}
${{ env.CRD_APP_FILE_PATH }}
${{ env.CRD_JOB_FILE_PATH }}
${{ env.CRD_ROUTING_FILE_PATH }}
deploy-argo:
if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch')
needs: [build, generate]
runs-on: ubuntu-latest
permissions:
id-token: write
env:
BASE_DIR: ./bases/skiperator-latest
TMP_FILE: tmp_kustomization.yaml
steps:
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
id: octo-sts
with:
scope: kartverket/skip-apps
identity: skiperator
- name: Checkout apps repo
uses: actions/checkout@v4
with:
repository: kartverket/skip-apps
token: ${{ steps.octo-sts.outputs.token }}
- name: Download CRD and RBAC
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}
path: config/
- name: Patch Image Digest
run: |
kubectl patch --type=merge --local \
-f $BASE_DIR/kustomization.yaml \
-p '{"images":[{"name":"${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}","digest":"${{needs.build.outputs.image_digest}}"}]}' \
-o yaml > $BASE_DIR/$TMP_FILE
rm $BASE_DIR/kustomization.yaml
mv $BASE_DIR/$TMP_FILE $BASE_DIR/kustomization.yaml
- name: Update CRD and Role
run: |
cp -f -v $CRD_APP_FILE_PATH $BASE_DIR/crd.yaml
cp -f -v $CRD_JOB_FILE_PATH $BASE_DIR/skipjob-crd.yaml
cp -f -v $CRD_ROUTING_FILE_PATH $BASE_DIR/routing-crd.yaml
cp -f -v $RBAC_FILE_PATH $BASE_DIR/clusterrole.yaml
rm -rf config/
- name: Commit Changes to Repo
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Actions"
git commit -aF- <<EOF
skiperator ${{ github.ref_name }}[${{ github.event.after }}]: ${{ github.event.head_commit.message }}
EOF
git push