build(deps): bump alpine from 3.18.2 to 3.18.3 #1541
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR | |
on: | |
pull_request: | |
push: | |
jobs: | |
pr-gotest: | |
name: Run go tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout | |
uses: actions/checkout@v3 | |
- name: Ensure go version | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: run tests | |
run: go test -json ./... > test.json | |
- name: Annotate tests | |
if: always() | |
uses: guyarb/[email protected] | |
with: | |
test-results: test.json | |
pr-shellcheck: | |
name: Lint bash code with shellcheck | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Run ShellCheck | |
uses: bewuethr/shellcheck-action@v2 | |
pr-lint-code: | |
name: Lint golang code | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Ensure go version | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Lint cmd folder | |
uses: Jerome1337/[email protected] | |
with: | |
golint-path: './cmd/...' | |
- name: Lint pkg folder | |
uses: Jerome1337/[email protected] | |
with: | |
golint-path: './pkg/...' | |
pr-check-docs-links: | |
name: Check docs for incorrect links | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Link Checker | |
uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
with: | |
args: --verbose --no-progress '*.md' '*.yaml' '*/*/*.go' --exclude-link-local | |
fail: true | |
# This should not be made a mandatory test | |
# It is only used to make us aware of any potential security failure, that | |
# should trigger a bump of the image in build/. | |
pr-vuln-scan: | |
name: Build image and scan it against known vulnerabilities | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Ensure go version | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Build image | |
run: VERSION="${{ steps.tags.outputs.sha_short }}" make image | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 | |
with: | |
image-ref: 'ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}' | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
# This ensures the latest code works with the manifests built from tree. | |
# It is useful for two things: | |
# - Test manifests changes (obviously), ensuring they don't break existing clusters | |
# - Ensure manifests work with the latest versions even with no manifest change | |
# (compared to helm charts, manifests cannot easily template changes based on versions) | |
# Helm charts are _trailing_ releases, while manifests are done during development. | |
e2e-manifests: | |
name: End-to-End test with kured with code and manifests from HEAD | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
kubernetes: | |
- "1.25" | |
- "1.26" | |
- "1.27" | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Ensure go version | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Build artifacts | |
run: | | |
VERSION="${{ steps.tags.outputs.sha_short }}" make image | |
VERSION="${{ steps.tags.outputs.sha_short }}" make manifest | |
- name: Workaround "Failed to attach 1 to compat systemd cgroup /actions_job/..." on gh actions | |
run: | | |
sudo bash << EOF | |
cp /etc/docker/daemon.json /etc/docker/daemon.json.old | |
echo '{}' > /etc/docker/daemon.json | |
systemctl restart docker || journalctl --no-pager -n 500 | |
systemctl status docker | |
EOF | |
# Default name for helm/kind-action kind clusters is "chart-testing" | |
- name: Create kind cluster with 5 nodes | |
uses: helm/[email protected] | |
with: | |
config: .github/kind-cluster-${{ matrix.kubernetes }}.yaml | |
version: v0.14.0 | |
- name: Preload previously built images onto kind cluster | |
run: kind load docker-image ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }} --name chart-testing | |
- name: Do not wait for an hour before detecting the rebootSentinel | |
run: | | |
sed -i 's/#\(.*\)--period=1h/\1--period=30s/g' kured-ds.yaml | |
- name: Install kured with kubectl | |
run: | | |
kubectl apply -f kured-rbac.yaml && kubectl apply -f kured-ds.yaml | |
- name: Ensure kured is ready | |
uses: nick-invision/[email protected] | |
with: | |
timeout_minutes: 10 | |
max_attempts: 10 | |
retry_wait_seconds: 60 | |
# DESIRED CURRENT READY UP-TO-DATE AVAILABLE should all be = to cluster_size | |
command: "kubectl get ds -n kube-system kured | grep -E 'kured.*5.*5.*5.*5.*5'" | |
- name: Create reboot sentinel files | |
run: | | |
./tests/kind/create-reboot-sentinels.sh | |
- name: Follow reboot until success | |
env: | |
DEBUG: true | |
run: | | |
./tests/kind/follow-coordinated-reboot.sh |