chore: add github action
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly committed Nov 24, 2023
1 parent 4d15fc9 commit a6e47c4
Showing 3 changed files with 518 additions and 0 deletions.
116 changes: 116 additions & 0 deletions .github/actions/install/README.md
@@ -0,0 +1,116 @@
# kyverno-json-installer GitHub Action

This action enables you to install `kyverno-json`.

For a quick start guide on the usage of `kyverno-json`, please refer to https://kyverno.github.io/kyverno-json.

# Usage

This action currently supports GitHub-provided Linux, macOS and Windows runners (self-hosted runners may not work).

Add the following entry to your Github workflow YAML file:

```yaml
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: 'v0.0.1' # optional
```
Example using a pinned version:
```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: 'v0.0.1'
- name: Check install
run: kyverno-json version
```
Example using the default version:
```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
- name: Check install
run: kyverno-json version
```
Example using [cosign](https://github.com/sigstore/cosign) verification:
```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
verify: true
- name: Check install
run: kyverno-json version
```
If you want to install `kyverno-json` from its main version by using `go install` under the hood, you can set `release` as `main`.
Once you did that, `kyverno-json` will be installed via `go install` which means that please ensure that go is installed.

Example of installing `kyverno-json` via `go install`:

```yaml
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Install kyverno-json via go install
steps:
- name: Install go
uses: actions/setup-go@v4
with:
go-version: '1.20'
check-latest: true
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: main
- name: Check install
run: kyverno-json version
```

### Optional Inputs

The following optional inputs:

| Input | Description |
| --- | --- |
| `release` | `kyverno-json` version to use instead of the default. |
| `install-dir` | directory to place the `kyverno-json` binary into instead of the default (`$HOME/.kyverno-json`). |
| `use-sudo` | set to `true` if `install-dir` location requires sudo privs. Defaults to false. |
| `verify` | set to `true` to enable [cosign](https://github.com/sigstore/cosign) verification of the downloaded archive. |

## Security

Should you discover any security issues, please refer to Kyverno's [security process](https://github.com/kyverno/kyverno/blob/main/SECURITY.md)
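
Review bot: Every workflow example in this README references the action as `kyverno/kyverno-json/.github/actions/install@main`, including the one introduced as "Example using a pinned version", so only the `release` input is pinned while the installer script itself follows a mutable branch. Suggest using a release tag or a full commit SHA in the `uses:` line of the examples, so that readers who copy them get an installer that cannot change underneath them. The Optional Inputs table also leaves out the defaults for `release` and `verify`, and the text does not say that `verify: true` needs cosign installed by an earlier step or what happens when it is combined with `release: main`; a sentence on each would help.
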
183 changes: 183 additions & 0 deletions .github/actions/install/action.yml
@@ -0,0 +1,183 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json

name: kyverno-json-installer

author: kyverno

description: Installs kyverno-json and includes it in your path

branding:
icon: package
color: orange

# This is pinned to the last major release, we have to bump it for each action version.
inputs:
release:
description: kyverno-json release version to be installed
required: false
default: v0.0.3
install-dir:
description: Where to install the kyverno-json binary
required: false
default: $HOME/.kyverno-json
use-sudo:
description: Set to true if install-dir location requires sudo privs
required: false
default: 'false'
verify:
description: Set to true if you want to verify the archive with cosign
required: false
default: 'false'

runs:
using: composite
steps:
- shell: bash
run: |
#!/bin/bash
shopt -s expand_aliases
if [ -z "$NO_COLOR" ]; then
alias log_info="echo -e \"\033[1;32mINFO\033[0m:\""
alias log_error="echo -e \"\033[1;31mERROR\033[0m:\""
else
alias log_info="echo \"INFO:\""
alias log_error="echo \"ERROR:\""
fi
set -e
mkdir -p ${{ inputs.install-dir }}
# main
if [[ ${{ inputs.release }} == "main" ]]; then
log_info "installing via 'go install' from its main version"
GOBIN=$(go env GOPATH)/bin
go install github.com/kyverno/kyverno-json@main
ln -s $GOBIN/kyverno-json ${{ inputs.install-dir}}/kyverno-json
exit 0
fi
trap "popd >/dev/null" EXIT
pushd ${{ inputs.install-dir }} > /dev/null
case ${{ runner.os }} in
Linux)
case ${{ runner.arch }} in
X64)
release_archive='linux_amd64.tar.gz'
;;
ARM64)
release_archive='linux_arm64.tar.gz'
;;
*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;
macOS)
case ${{ runner.arch }} in
X64)
release_archive='darwin_amd64.tar.gz'
;;
ARM64)
release_archive='darwin_arm64.tar.gz'
;;
*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;
Windows)
case ${{ runner.arch }} in
X64)
release_archive='windows_amd64.tar.gz'
;;
*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;
*)
log_error "unsupported os ${{ runner.os }}"
exit 1
;;
esac
SUDO=
if [[ "${{ inputs.use-sudo }}" == "true" ]] && command -v sudo >/dev/null; then
SUDO=sudo
fi
semver='^v([0-9]+\.){0,2}(\*|[0-9]+)(-rc|-alpha|-beta)?(\.[0-9]+)$'
if [[ ${{ inputs.release }} =~ $semver ]]; then
log_info "Custom version '${{ inputs.release }}' requested"
else
log_error "Unable to validate requested version: '${{ inputs.release }}'"
exit 1
fi
release_archive=kyverno-json_${release_archive}
release_archive_url=https://github.com/kyverno/kyverno-json/releases/download/${{ inputs.release }}/${release_archive}
log_info "Downloading kyverno-json version '${{ inputs.release }}'...\n ${release_archive_url}"
$SUDO curl -sL ${release_archive_url} -o ${release_archive}
if [[ "${{ inputs.verify }}" == "true" ]]; then
$SUDO curl -sL ${release_archive_url}.sig -o ${release_archive}.sig
$SUDO curl -sL ${release_archive_url}.pem -o ${release_archive}.pem
cosign verify-blob \
--certificate ${release_archive}.pem \
--signature ${release_archive}.sig \
--certificate-identity=https://github.com/kyverno/kyverno-json/.github/workflows/release.yaml@refs/tags/${{ inputs.release }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
${release_archive}
$SUDO rm ${release_archive}.pem
$SUDO rm ${release_archive}.sig
fi
case ${{ runner.os }} in
Linux)
$SUDO tar -xvf ${release_archive} kyverno-json
;;
macOS)
$SUDO tar -xvf ${release_archive} kyverno-json
;;
Windows)
$SUDO tar -xvf ${release_archive} kyverno-json.exe
;;
*)
log_error "unsupported os ${{ runner.os }}"
exit 1
;;
esac
$SUDO rm ${release_archive}
$SUDO chmod +x kyverno-json
log_info "Installation complete!"
- if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
run: echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
shell: bash
- if: ${{ runner.os == 'Windows' }}
run: echo "${{ inputs.install-dir }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
shell: pwsh
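
Review bot: The `run:` script interpolates `${{ inputs.release }}` and `${{ inputs.install-dir }}` directly into the bash source (for example `mkdir -p ${{ inputs.install-dir }}` and `if [[ ${{ inputs.release }} == "main" ]]`), and the `$semver` check cannot protect against that because the expressions are substituted before bash parses the script and both inputs are already used above the check. Suggest passing the inputs through an `env:` block on the step (for example `RELEASE: ${{ inputs.release }}`) and referring to them only as quoted shell variables such as `"$RELEASE"` and `"$INSTALL_DIR"`, with the version validation moved to the top of the script. Three smaller points in the same step: the `main` branch runs `exit 0` before the `verify` block, so `verify: true` is silently ignored for `release: main` and should either fail or log that it is skipped; the downloads use `curl -sL` without `-f`, so an HTTP error page is written to `${release_archive}` and only surfaces later at `tar` or `cosign`; and `chmod +x kyverno-json` runs on every OS although the Windows case extracts `kyverno-json.exe`, which will abort under `set -e`.
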