chore: add github action #226

Merged
merged 1 commit into from
Nov 24, 2023
116 changes: 116 additions & 0 deletions .github/actions/install/README.md
@@ -0,0 +1,116 @@
# kyverno-json-installer GitHub Action

This action enables you to install `kyverno-json`.

For a quick start guide on the usage of `kyverno-json`, please refer to https://kyverno.github.io/kyverno-json.

# Usage

This action currently supports GitHub-provided Linux, macOS and Windows runners (self-hosted runners may not work).

Add the following entry to your Github workflow YAML file:

```yaml
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: 'v0.0.1' # optional
```

Example using a pinned version:

```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: 'v0.0.1'
- name: Check install
run: kyverno-json version
```

Example using the default version:

```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
- name: Check install
run: kyverno-json version
```

Example using [cosign](https://github.com/sigstore/cosign) verification:

```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
verify: true
- name: Check install
run: kyverno-json version
```

If you want to install `kyverno-json` from its main version by using `go install` under the hood, you can set `release` as `main`.
Once you did that, `kyverno-json` will be installed via `go install` which means that please ensure that go is installed.

Example of installing `kyverno-json` via `go install`:

```yaml
jobs:
example:
runs-on: ubuntu-latest

permissions: {}

name: Install kyverno-json via go install
steps:
- name: Install go
uses: actions/setup-go@v4
with:
go-version: '1.20'
check-latest: true
- name: Install kyverno-json
uses: kyverno/kyverno-json/.github/actions/install@main
with:
release: main
- name: Check install
run: kyverno-json version
```

### Optional Inputs

The following optional inputs:

| Input | Description |
| --- | --- |
| `release` | `kyverno-json` version to use instead of the default. |
| `install-dir` | directory to place the `kyverno-json` binary into instead of the default (`$HOME/.kyverno-json`). |
| `use-sudo` | set to `true` if `install-dir` location requires sudo privs. Defaults to false. |
| `verify` | set to `true` to enable [cosign](https://github.com/sigstore/cosign) verification of the downloaded archive. |

## Security

Should you discover any security issues, please refer to Kyverno's [security process](https://github.com/kyverno/kyverno/blob/main/SECURITY.md)
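
Review bot: every usage example references the action by a mutable branch, `uses: kyverno/kyverno-json/.github/actions/install@main`, including the one titled "Example using a pinned version", where only the `release` input is pinned. A workflow copied from this README runs whatever install script is on `main` at that moment; suggest showing a release tag or a full commit SHA for the action ref in the examples. In the inputs table, `verify` should state its default the way `use-sudo` does (action.yml sets it to `'false'`), so readers see that cosign verification is opt-in. Wording: "Once you did that, ... which means that please ensure that go is installed" could read "This requires Go to be installed on the runner"; "The following optional inputs:" has no verb; "Github" should be "GitHub".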
183 changes: 183 additions & 0 deletions .github/actions/install/action.yml
@@ -0,0 +1,183 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json

name: kyverno-json-installer

author: kyverno

description: Installs kyverno-json and includes it in your path

branding:
icon: package
color: orange

# This is pinned to the last major release, we have to bump it for each action version.
inputs:
release:
description: kyverno-json release version to be installed
required: false
default: v0.0.1
install-dir:
description: Where to install the kyverno-json binary
required: false
default: $HOME/.kyverno-json
use-sudo:
description: Set to true if install-dir location requires sudo privs
required: false
default: 'false'
verify:
description: Set to true if you want to verify the archive with cosign
required: false
default: 'false'

runs:
using: composite
steps:
- shell: bash
run: |
#!/bin/bash

shopt -s expand_aliases

if [ -z "$NO_COLOR" ]; then
alias log_info="echo -e \"\033[1;32mINFO\033[0m:\""
alias log_error="echo -e \"\033[1;31mERROR\033[0m:\""
else
alias log_info="echo \"INFO:\""
alias log_error="echo \"ERROR:\""
fi

set -e

mkdir -p ${{ inputs.install-dir }}

# main
if [[ ${{ inputs.release }} == "main" ]]; then
log_info "installing via 'go install' from its main version"
GOBIN=$(go env GOPATH)/bin
go install github.com/kyverno/kyverno-json@main
ln -s $GOBIN/kyverno-json ${{ inputs.install-dir}}/kyverno-json
exit 0
fi

trap "popd >/dev/null" EXIT

pushd ${{ inputs.install-dir }} > /dev/null

case ${{ runner.os }} in
Linux)
case ${{ runner.arch }} in
X64)
release_archive='linux_amd64.tar.gz'
;;

ARM64)
release_archive='linux_arm64.tar.gz'
;;

*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;

macOS)
case ${{ runner.arch }} in
X64)
release_archive='darwin_amd64.tar.gz'
;;

ARM64)
release_archive='darwin_arm64.tar.gz'
;;

*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;

Windows)
case ${{ runner.arch }} in
X64)
release_archive='windows_amd64.tar.gz'
;;

*)
log_error "unsupported architecture ${{ runner.arch }}"
exit 1
;;
esac
;;

*)
log_error "unsupported os ${{ runner.os }}"
exit 1
;;
esac

SUDO=
if [[ "${{ inputs.use-sudo }}" == "true" ]] && command -v sudo >/dev/null; then
SUDO=sudo
fi

semver='^v([0-9]+\.){0,2}(\*|[0-9]+)(-rc|-alpha|-beta)?(\.[0-9]+)$'
if [[ ${{ inputs.release }} =~ $semver ]]; then
log_info "Custom version '${{ inputs.release }}' requested"
else
log_error "Unable to validate requested version: '${{ inputs.release }}'"
exit 1
fi

release_archive=kyverno-json_${release_archive}
release_archive_url=https://github.com/kyverno/kyverno-json/releases/download/${{ inputs.release }}/${release_archive}

log_info "Downloading kyverno-json version '${{ inputs.release }}'...\n ${release_archive_url}"
$SUDO curl -sL ${release_archive_url} -o ${release_archive}

if [[ "${{ inputs.verify }}" == "true" ]]; then
$SUDO curl -sL ${release_archive_url}.sig -o ${release_archive}.sig
$SUDO curl -sL ${release_archive_url}.pem -o ${release_archive}.pem

cosign verify-blob \
--certificate ${release_archive}.pem \
--signature ${release_archive}.sig \
--certificate-identity=https://github.com/kyverno/kyverno-json/.github/workflows/release.yaml@refs/tags/${{ inputs.release }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
${release_archive}

$SUDO rm ${release_archive}.pem
$SUDO rm ${release_archive}.sig
fi

case ${{ runner.os }} in
Linux)
$SUDO tar -xvf ${release_archive} kyverno-json
;;

macOS)
$SUDO tar -xvf ${release_archive} kyverno-json
;;

Windows)
$SUDO tar -xvf ${release_archive} kyverno-json.exe
;;

*)
log_error "unsupported os ${{ runner.os }}"
exit 1
;;
esac

$SUDO rm ${release_archive}
$SUDO chmod +x kyverno-json

log_info "Installation complete!"

- if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
run: echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
shell: bash
- if: ${{ runner.os == 'Windows' }}
run: echo "${{ inputs.install-dir }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
shell: pwsh
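
Review bot: the `run:` script interpolates `${{ inputs.release }}` and `${{ inputs.install-dir }}` directly into the bash source, first at `mkdir -p ${{ inputs.install-dir }}` and `if [[ ${{ inputs.release }} == "main" ]]`, so the values are substituted into the script text before bash parses it and the later `semver` check comes too late to constrain them. Suggest passing the inputs through an `env:` block on the step and referencing them as quoted shell variables (for example `"$RELEASE"` and `"$INSTALL_DIR"`), which also fixes the unquoted paths. Two further points: on Windows the archive member extracted is `kyverno-json.exe`, but the script then runs `$SUDO chmod +x kyverno-json`, which fails under `set -e`; and `curl -sL` without `-f` writes an HTTP error body to `${release_archive}` when the version does not exist, which with the default `verify: 'false'` is only caught when `tar` fails.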