From 1653d6adbd852d579f5d59052dcb4b533bbb3e85 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Thu, 20 Jul 2023 10:37:02 -0700 Subject: [PATCH 1/3] working matrix. Signed-off-by: Spencer Schrock --- .github/workflows/docker.yml | 237 +++-------------------------------- 1 file changed, 16 insertions(+), 221 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 07e14dde6d3..975413c7366 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -23,9 +23,7 @@ on: - main env: - PROTOC_VERSION: 3.17.3 GO_VERSION_FILE: go.mod # no good way of getting a mutual version between go.mod and tools/go.mod - CACHE_DEPENDENCY_PATH: "**/go.sum" # include both go.sum and tools/go.sum jobs: docs_only_check: @@ -50,8 +48,19 @@ jobs: name: Check for docs-only changes run: echo "docs_only=true" >> $GITHUB_OUTPUT - scorecard: - name: scorecard-docker + docker_matrix: + strategy: + matrix: + target: + - 'scorecard-docker' + - 'cron-controller-docker' + - 'cron-worker-docker' + - 'cron-cii-worker-docker' + - 'cron-bq-transfer-docker' + - 'cron-webhook-docker' + - 'cron-github-server-docker' + - 'build-attestor-docker' + name: ${{ matrix.target }} runs-on: ubuntu-latest permissions: contents: read 
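Review bot: The new `strategy.matrix` block sets no `fail-fast`, so a failure in any one target cancels the other seven legs, whereas the eight separate jobs this replaces each ran to completion and reported on their own; add `fail-fast: false` under `strategy:` to keep that behaviour. The `name: ${{ matrix.target }}` line also renames two checks, since the removed jobs were called `attestor-docker` and `cron-cii--worker-docker` while the matrix values are `build-attestor-docker` and `cron-cii-worker-docker`; if branch protection lists either old name as a required status check, pull requests will wait on a check that never reports, which cannot be verified from the diff. The `docker_matrix` job continues past the end of this hunk.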
@@ -63,227 +72,13 @@ jobs: uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make scorecard-docker - cron-controller: - name: cron-controller-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make cron-controller-docker - cron-worker: - name: cron-worker-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden 
Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make cron-worker-docker - cron-cii-worker: - name: cron-cii--worker-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make cron-cii-worker-docker - cron-bq-transfer: - name: cron-bq-transfer-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden 
Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make cron-bq-transfer-docker - cron-webhook: - name: cron-webhook-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }} - - name: docker build - run: make cron-webhook-docker - cron-github-server: - name: cron-github-server-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden 
Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Clone the code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version-file: ${{ env.GO_VERSION_FILE }} - check-latest: true - cache: true - - name: docker build - run: make cron-github-server-docker - attestor: - name: attestor-docker - runs-on: ubuntu-latest - permissions: - contents: read - needs: - - docs_only_check - if: (needs.docs_only_check.outputs.docs_only != 'true') - steps: - - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - version: ${{ env.PROTOC_VERSION }} - repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Clone the code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup Go + - name: Setup Go # needed due to the Makefile Go binary expressions uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: ${{ env.GO_VERSION_FILE }} check-latest: true - cache: true + cache: false # the building happens in Docker, so saving this cache would negatively impact other builds - name: docker build - run: make build-attestor-docker + run: make ${{ matrix.target }} From 51fd24a604f1f8adb71e6d011e7a04256d45002f Mon Sep 17 00:00:00 2001 
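Review bot: The new `run: make ${{ matrix.target }}` line interpolates a workflow expression directly into the shell script; that is safe here only because `matrix.target` is a fixed list of literals declared in the workflow, and the invariant is easy to lose if a later change sources the matrix from `workflow_dispatch` inputs or an event payload. Routing the value through an environment variable keeps the shell from ever seeing an expanded expression: `env:` / `TARGET: ${{ matrix.target }}` / `run: make "$TARGET"`. A short comment on the matrix list, e.g. `# targets are literal Makefile goals; keep them static (they are interpolated into run:)`, would document the assumption. The `docker_matrix` job this hunk belongs to starts in the previous hunk.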
From: Spencer Schrock
Date: Thu, 20 Jul 2023 10:55:01 -0700
Subject: [PATCH 2/3] Remove unneeded env vars. Add comments.
Signed-off-by: Spencer Schrock
---
.github/workflows/docker.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 975413c7366..81ac259f0e5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -74,7 +74,7 @@ jobs:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- - name: Setup Go # needed due to the Makefile Go binary expressions
+ - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
From d5dbcbd80eae0fe8af04d2b8c9fc16cf388b8462 Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Thu, 20 Jul 2023 10:57:15 -0700
Subject: [PATCH 3/3] minor syntax change.
Signed-off-by: Spencer Schrock
---
.github/workflows/docker.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 81ac259f0e5..db2f2d307ef 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -64,8 +64,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
- needs:
- - docs_only_check
+ needs: docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner