Skip to content

Bump actions/upload-artifact from 3 to 4 #1164

Bump actions/upload-artifact from 3 to 4

Bump actions/upload-artifact from 3 to 4 #1164

Workflow file for this run

name: Test kube-linter
on:
pull_request:
# Workflows triggered by Dependabot on the "push" event run with read-only access.
# Uploading Code Scanning results requires write access. Ignore dependabot branches for auto-merge.
push:
branches-ignore: "dependabot/**"
tags:
- "*"
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Checkout all repo history to make tags available for figuring out kube-linter version during build.
fetch-depth: 0
- name: Read Go version from go.mod
run: echo "GO_VERSION=$(grep -E "^go\s+[0-9.]+$" go.mod | cut -d " " -f 2)" >> $GITHUB_ENV
- name: Setup Go environment
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ~/.cache
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Build binaries
run: make build
- name: Upload binary
uses: actions/upload-artifact@v4
with:
name: bin
path: bin
- name: Verify the binary version
run: |
expected_version="$(./get-tag)"
version_from_binary="$(.gobin/kube-linter version)"
echo "Version from kube-linter binary: ${version_from_binary}. Expected version: ${expected_version}"
[[ "${version_from_binary}" == "${expected_version}" ]]
- name: Run lint checks
run: make lint
- name: Ensure generated files are up-to-date
run: make generated-srcs && git diff --exit-code HEAD
- name: Run unit tests
run: make test
- name: Run E2E tests
run: make e2e-test
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.5.0
- name: Run bats tests
run: make e2e-bats
test-sarif:
needs: build-and-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download executable
uses: actions/download-artifact@v3
with:
name: bin
- name: Set permissions to file
run: chmod +x linux/kube-linter
- name: Print kube-linter version
run: linux/kube-linter version
- name: Run kube-linter on a sample file with SARIF output
run: linux/kube-linter lint --format=sarif tests/testdata/splunk.yaml > results.sarif
continue-on-error: true
- name: Dump output file and check it is not empty
# The if part will generate no-zero exit code if the file is empty. See https://github.com/stedolan/jq/issues/1142#issuecomment-432003984
run: jq -es 'if . == [] then null else .[] | . end' results.sarif
- name: Upload output file as GitHub artifact for manual investigation
uses: actions/upload-artifact@v4
with:
name: results.sarif
path: results.sarif
- name: Install yajsv
run: curl https://github.com/neilpa/yajsv/releases/download/v1.4.0/yajsv.linux.amd64 -LsSfo yajsv && chmod +x yajsv
- name: Check if output file is valid according to SARIF schema
run: |
set -ex
schema=$(jq -r '.["$schema"]' results.sarif)
[ "$schema" = https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json ]
./yajsv -s ./scripts/sarif/sarif-schema-2.1.0.json results.sarif
- name: Upload SARIF output file to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
windows-sanity-test:
name: Windows sanity test
needs: build-and-test
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
with:
# Checkout all repo history to make tags available for figuring out kube-linter version during build.
fetch-depth: 0
- name: Download windows executable
uses: actions/download-artifact@v3
with:
name: bin
path: tmp/
- shell: bash
run: |
# In Windows, the workspace is attached relative to the current directory.
tag="$(./get-tag)"
version_from_bin="$(tmp/windows/kube-linter.exe version)"
echo "Expected tag ${tag}, got ${version_from_bin}"
[[ "${tag}" == "${version_from_bin}" ]]
# Make sure the lint command can run without errors.
# TODO: run the full suite of E2E tests on Windows.
tmp/windows/kube-linter.exe lint "tests/checks/access-to-create-pods.yml"
image:
if: (github.ref == 'refs/heads/main') || (startsWith(github.ref, 'refs/tags/'))
needs: build-and-test
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
steps:
- uses: actions/checkout@v4
- name: Download executable
uses: actions/download-artifact@v3
with:
name: bin
- name: Set permissions to file
run: chmod +x linux/kube-linter
- name: Move binary
run: mv linux/kube-linter image/bin
- name: Print kube-linter version
run: image/bin/kube-linter version
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/[email protected]
# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry dockerhub
if: github.event_name != 'pull_request'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/[email protected]
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
${{ env.IMAGE_NAME }}
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/[email protected]
with:
context: image
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Extract Alpine Docker metadata
id: meta-alpine
uses: docker/[email protected]
with:
flavor: |
latest=auto
suffix=-alpine,onlatest=true
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
${{ env.IMAGE_NAME }}
- name: Build and push Alpine Docker image
id: build-and-push-alpine
uses: docker/[email protected]
with:
context: image
file: image/Dockerfile_alpine
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta-alpine.outputs.tags }}
labels: ${{ steps.meta-alpine.outputs.labels }}
# Workaround: https://github.com/sigstore/cosign-installer/issues/73
- name: Write cosign private key to file
env:
KEY: ${{ secrets.COSIGN_KEY }}
shell: bash
run: 'echo "$KEY" > cosign.key'
# Sign the resulting Docker image digest except on PRs.
- name: Sign the published Docker image with cosign
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
run: |
cosign sign --yes --key cosign.key ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
cosign sign --yes --key cosign.key ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }}
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }}
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image with cosign keyless
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
cosign sign --yes ${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }}
cosign sign --yes ${{ env.IMAGE_NAME }}@${{ steps.build-and-push-alpine.outputs.digest }}
update_release_draft:
if: (github.ref == 'refs/heads/main') || (startsWith(github.ref, 'refs/tags/'))
needs: build-and-test
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/[email protected]
- name: Download executables
uses: actions/download-artifact@v3
with:
name: bin
- name: Set permissions to files
run: |
chmod +x linux/kube-linter
chmod +x darwin/kube-linter
- name: copy binaries with OS ending
run: |
for os in darwin linux; do
bin_name="kube-linter"
cp "${os}/${bin_name}" "${os}/${bin_name}-${os}"
done
- name: create linux tar archive
run: |
tar -C linux -czf kube-linter-linux.tar.gz kube-linter
# Workaround: https://github.com/sigstore/cosign-installer/issues/73
- name: Write cosign private key to file
env:
KEY: ${{ secrets.COSIGN_KEY }}
shell: bash
run: 'echo "$KEY" > cosign.key'
- name: sign binaries
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: |
for os in darwin linux windows; do
bin_name="kube-linter-${os}"
if [[ "${os}" == "windows" ]]; then
bin_name="kube-linter.exe"
fi
cosign sign-blob --yes --key cosign.key --output-file "${bin_name}.sig" "${os}/${bin_name}"
done
for f in *.{gz,zip}; do \
cosign sign-blob --yes --key cosign.key --output-file "${f}.sig" "${f}"; \
done
- uses: release-drafter/release-drafter@v5
id: release_drafter
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Binary Linux
id: upload-binary-linux
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: linux/kube-linter-linux
asset_name: kube-linter-linux
asset_content_type: application/octet-stream
- name: Upload Binary Darwin
id: upload-binary-darwin
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: darwin/kube-linter-darwin
asset_name: kube-linter-darwin
asset_content_type: application/octet-stream
- name: Upload Binary Windows
id: upload-binary-windows
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: windows/kube-linter.exe
asset_name: kube-linter.exe
asset_content_type: application/octet-stream
#
# This is kept for backwards compatibility for the kube-linter-action. The action tries to download this specific
# archive to get the latest kube-linter version. We cannot add a cosign signature for it, since the action will get
# a name clash trying to download this. Once we have met the grace period (say 3 months), we will remove this.
#
- name: Upload Release Asset Linux
id: upload-release-asset-linux
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter-linux.tar.gz
asset_name: kube-linter-linux.tar.gz
asset_content_type: application/octet-stream
- name: Upload Binary Sig Linux
id: upload-binary-sig-linux
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter-linux.sig
asset_name: kube-linter-linux.sig
asset_content_type: application/octet-stream
- name: Upload Binary Sig Darwin
id: upload-binary-sig-darwin
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter-darwin.sig
asset_name: kube-linter-darwin.sig
asset_content_type: application/octet-stream
- name: Upload Binary Sig Windows
id: upload-binary-sig-windows
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter.exe.sig
asset_name: kube-linter.exe.sig
asset_content_type: application/octet-stream
- name: Upload sig source code zip
id: upload-release-asset-source-zip-sig
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter-source.zip.sig
asset_name: kube-linter-source.zip.sig
asset_content_type: text/plain
- name: Upload sig source code
id: upload-release-asset-source-sig
uses: gfreezy/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.release_drafter.outputs.id }}
upload_url: ${{ steps.release_drafter.outputs.upload_url }}
asset_path: kube-linter-source.tar.gz.sig
asset_name: kube-linter-source.tar.gz.sig
asset_content_type: text/plain