Dangling servicemonitor check #1039
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test kube-linter | |
on: | |
pull_request: | |
# Workflows triggered by Dependabot on the "push" event run with read-only access. | |
# Uploading Code Scanning results requires write access. Ignore dependabot branches for auto-merge. | |
push: | |
branches-ignore: "dependabot/**" | |
tags: | |
- "*" | |
env: | |
# Use docker.io for Docker Hub if empty | |
REGISTRY: ghcr.io | |
# github.repository as <account>/<repo> | |
IMAGE_NAME: ${{ github.repository }} | |
jobs: | |
build-and-test: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# Checkout all repo history to make tags available for figuring out kube-linter version during build. | |
fetch-depth: 0 | |
- name: Read Go version from go.mod | |
run: echo "GO_VERSION=$(grep -E "^go\s+[0-9.]+$" go.mod | cut -d " " -f 2)" >> $GITHUB_ENV | |
- name: Setup Go environment | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Go Build Cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cache | |
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }} | |
- name: Go Mod Cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }} | |
- name: Build binaries | |
run: make build | |
- name: Upload binary | |
uses: actions/upload-artifact@v3 | |
with: | |
name: bin | |
path: bin | |
- name: Verify the binary version | |
run: | | |
expected_version="$(./get-tag)" | |
version_from_binary="$(.gobin/kube-linter version)" | |
echo "Version from kube-linter binary: ${version_from_binary}. Expected version: ${expected_version}" | |
[[ "${version_from_binary}" == "${expected_version}" ]] | |
- name: Run lint checks | |
run: make lint | |
- name: Ensure generated files are up-to-date | |
run: make generated-srcs && git diff --exit-code HEAD | |
- name: Run unit tests | |
run: make test | |
- name: Run E2E tests | |
run: make e2e-test | |
- name: Setup BATS | |
uses: mig4/setup-bats@v1 | |
with: | |
bats-version: 1.5.0 | |
- name: Run bats tests | |
run: make e2e-bats | |
test-sarif: | |
needs: build-and-test | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download executable | |
uses: actions/download-artifact@v3 | |
with: | |
name: bin | |
- name: Set permissions to file | |
run: chmod +x linux/kube-linter | |
- name: Print kube-linter version | |
run: linux/kube-linter version | |
- name: Run kube-linter on a sample file with SARIF output | |
run: linux/kube-linter lint --format=sarif tests/testdata/splunk.yaml > results.sarif | |
continue-on-error: true | |
- name: Dump output file and check it is not empty | |
# The if part will generate no-zero exit code if the file is empty. See https://github.com/stedolan/jq/issues/1142#issuecomment-432003984 | |
run: jq -es 'if . == [] then null else .[] | . end' results.sarif | |
- name: Upload output file as GitHub artifact for manual investigation | |
uses: actions/upload-artifact@v3 | |
with: | |
name: results.sarif | |
path: results.sarif | |
- name: Install yajsv | |
run: curl https://github.com/neilpa/yajsv/releases/download/v1.4.0/yajsv.linux.amd64 -LsSfo yajsv && chmod +x yajsv | |
- name: Check if output file is valid according to SARIF schema | |
run: | | |
set -ex | |
schema=$(jq -r '.["$schema"]' results.sarif) | |
[ "$schema" = https://json.schemastore.org/sarif-2.1.0.json ] | |
./yajsv -s ./scripts/sarif/sarif-schema-2.1.0.json results.sarif | |
- name: Upload SARIF output file to GitHub | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: results.sarif | |
windows-sanity-test: | |
name: Windows sanity test | |
needs: build-and-test | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# Checkout all repo history to make tags available for figuring out kube-linter version during build. | |
fetch-depth: 0 | |
- name: Download windows executable | |
uses: actions/download-artifact@v3 | |
with: | |
name: bin | |
path: tmp/ | |
- shell: bash | |
run: | | |
# In Windows, the workspace is attached relative to the current directory. | |
tag="$(./get-tag)" | |
version_from_bin="$(tmp/windows/kube-linter.exe version)" | |
echo "Expected tag ${tag}, got ${version_from_bin}" | |
[[ "${tag}" == "${version_from_bin}" ]] | |
# Make sure the lint command can run without errors. | |
# TODO: run the full suite of E2E tests on Windows. | |
tmp/windows/kube-linter.exe lint "tests/checks/access-to-create-pods.yml" | |
image: | |
if: (github.ref == 'refs/heads/main') || (startsWith(github.ref, 'refs/tags/')) | |
needs: build-and-test | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
id-token: write # needed for signing the images with GitHub OIDC Token **not production ready** | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download executable | |
uses: actions/download-artifact@v3 | |
with: | |
name: bin | |
- name: Set permissions to file | |
run: chmod +x linux/kube-linter | |
- name: Move binary | |
run: mv linux/kube-linter image/bin | |
- name: Print kube-linter version | |
run: image/bin/kube-linter version | |
# Install the cosign tool except on PR | |
# https://github.com/sigstore/cosign-installer | |
- name: Install cosign | |
if: github.event_name != 'pull_request' | |
uses: sigstore/[email protected] | |
# Workaround: https://github.com/docker/build-push-action/issues/461 | |
- name: Setup Docker buildx | |
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 | |
# Login against a Docker registry except on PR | |
# https://github.com/docker/login-action | |
- name: Log into registry ${{ env.REGISTRY }} | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Login against a Docker registry except on PR | |
# https://github.com/docker/login-action | |
- name: Log into registry dockerhub | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
# Extract metadata (tags, labels) for Docker | |
# https://github.com/docker/metadata-action | |
- name: Extract Docker metadata | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
${{ env.IMAGE_NAME }} | |
# Build and push Docker image with Buildx (don't push on PR) | |
# https://github.com/docker/build-push-action | |
- name: Build and push Docker image | |
id: build-and-push | |
uses: docker/[email protected] | |
with: | |
context: image | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Extract Alpine Docker metadata | |
id: meta-alpine | |
uses: docker/[email protected] | |
with: | |
flavor: | | |
latest=auto | |
suffix=-alpine,onlatest=true | |
images: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
${{ env.IMAGE_NAME }} | |
- name: Build and push Alpine Docker image | |
id: build-and-push-alpine | |
uses: docker/[email protected] | |
with: | |
context: image | |
file: image/Dockerfile_alpine | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta-alpine.outputs.tags }} | |
labels: ${{ steps.meta-alpine.outputs.labels }} | |
# Workaround: https://github.com/sigstore/cosign-installer/issues/73 | |
- name: Write cosign private key to file | |
env: | |
KEY: ${{ secrets.COSIGN_KEY }} | |
shell: bash | |
run: 'echo "$KEY" > cosign.key' | |
# Sign the resulting Docker image digest except on PRs. | |
- name: Sign the published Docker image with cosign | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
run: | | |
cosign sign --yes --key cosign.key ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} | |
cosign sign --yes --key cosign.key ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }} | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }} | |
# Sign the resulting Docker image digest except on PRs. | |
# This will only write to the public Rekor transparency log when the Docker | |
# repository is public to avoid leaking data. If you would like to publish | |
# transparency data even for private images, pass --force to cosign below. | |
# https://github.com/sigstore/cosign | |
- name: Sign the published Docker image with cosign keyless | |
if: ${{ github.event_name != 'pull_request' }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
# This step uses the identity token to provision an ephemeral certificate | |
# against the sigstore community Fulcio instance. | |
run: | | |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} | |
cosign sign --yes ${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} | |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }} | |
cosign sign --yes ${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }} | |
update_release_draft: | |
if: (github.ref == 'refs/heads/main') || (startsWith(github.ref, 'refs/tags/')) | |
needs: build-and-test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
- name: Download executables | |
uses: actions/download-artifact@v3 | |
with: | |
name: bin | |
- name: Set permissions to files | |
run: | | |
chmod +x linux/kube-linter | |
chmod +x darwin/kube-linter | |
- name: copy binaries with OS ending | |
run: | | |
for os in darwin linux; do | |
bin_name="kube-linter" | |
cp "${os}/${bin_name}" "${os}/${bin_name}-${os}" | |
done | |
- name: create linux tar archive | |
run: | | |
tar -C linux -czf kube-linter-linux.tar.gz kube-linter | |
# Workaround: https://github.com/sigstore/cosign-installer/issues/73 | |
- name: Write cosign private key to file | |
env: | |
KEY: ${{ secrets.COSIGN_KEY }} | |
shell: bash | |
run: 'echo "$KEY" > cosign.key' | |
- name: sign binaries | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
for os in darwin linux windows; do | |
bin_name="kube-linter-${os}" | |
if [[ "${os}" == "windows" ]]; then | |
bin_name="kube-linter.exe" | |
fi | |
cosign sign-blob --yes --key cosign.key --output-file "${bin_name}.sig" "${os}/${bin_name}" | |
done | |
for f in *.{gz,zip}; do \ | |
cosign sign-blob --yes --key cosign.key --output-file "${f}.sig" "${f}"; \ | |
done | |
- uses: release-drafter/release-drafter@v5 | |
id: release_drafter | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload Binary Linux | |
id: upload-binary-linux | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: linux/kube-linter-linux | |
asset_name: kube-linter-linux | |
asset_content_type: application/octet-stream | |
- name: Upload Binary Darwin | |
id: upload-binary-darwin | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: darwin/kube-linter-darwin | |
asset_name: kube-linter-darwin | |
asset_content_type: application/octet-stream | |
- name: Upload Binary Windows | |
id: upload-binary-windows | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: windows/kube-linter.exe | |
asset_name: kube-linter.exe | |
asset_content_type: application/octet-stream | |
# | |
# This is kept for backwards compatibility for the kube-linter-action. The action tries to download this specific | |
# archive to get the latest kube-linter version. We cannot add a cosign signature for it, since the action will get | |
# a name clash trying to download this. Once we have met the grace period (say 3 months), we will remove this. | |
# | |
- name: Upload Release Asset Linux | |
id: upload-release-asset-linux | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter-linux.tar.gz | |
asset_name: kube-linter-linux.tar.gz | |
asset_content_type: application/octet-stream | |
- name: Upload Binary Sig Linux | |
id: upload-binary-sig-linux | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter-linux.sig | |
asset_name: kube-linter-linux.sig | |
asset_content_type: application/octet-stream | |
- name: Upload Binary Sig Darwin | |
id: upload-binary-sig-darwin | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter-darwin.sig | |
asset_name: kube-linter-darwin.sig | |
asset_content_type: application/octet-stream | |
- name: Upload Binary Sig Windows | |
id: upload-binary-sig-windows | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter.exe.sig | |
asset_name: kube-linter.exe.sig | |
asset_content_type: application/octet-stream | |
- name: Upload sig source code zip | |
id: upload-release-asset-source-zip-sig | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter-source.zip.sig | |
asset_name: kube-linter-source.zip.sig | |
asset_content_type: text/plain | |
- name: Upload sig source code | |
id: upload-release-asset-source-sig | |
uses: gfreezy/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.release_drafter.outputs.id }} | |
upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
asset_path: kube-linter-source.tar.gz.sig | |
asset_name: kube-linter-source.tar.gz.sig | |
asset_content_type: text/plain |