Skip to content

Commit

Permalink
Always build & test Zarf Agent during pull requests; publish latest Z…
Browse files Browse the repository at this point in the history
…arf Agent on release (#651)

- Adds the Zarf Agent (mutating webook) automatic build in test with the latest code
- Fix issue with out of sync Zarf Agent image tag, always cut a new agent image before a release
- Test the release once more before publishing
- Full support for Linux ARM, closes Complete ARM Support #386
  • Loading branch information
jeff-mccoy authored Aug 1, 2022
1 parent 939e68b commit de395b7
Show file tree
Hide file tree
Showing 15 changed files with 211 additions and 150 deletions.
59 changes: 33 additions & 26 deletions .github/workflows/build-rust-injector.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,4 @@
name: Build Rust Binary

env:
zarfInjectorPath: 'src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector'
name: Publish Injector Stage I

on:
workflow_dispatch:
Expand All @@ -12,48 +9,58 @@ on:
branchName:
description: "Branch to build the injector from"
required: false
default: 'master'
default: "master"

jobs:
build-injector:
runs-on: ubuntu-latest
runs-on: self-hosted
steps:
- name: "Dependency: Install cosign"
uses: sigstore/[email protected]

- name: "Dependency: Setup rust toolchain"
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path
echo "$HOME/.cargo/bin" >> $GITHUB_PATH
- name: "Checkout Repo"
uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.branchName }}

- name: "Install cosign"
uses: sigstore/[email protected]

- name: "Install Rust And Build"
uses: gmiam/[email protected]
with:
args: cargo build --target x86_64-unknown-linux-musl --release --manifest-path src/injector/stage1/Cargo.toml
- name: "Build Rust Binary for x86_64"
working-directory: src/injector/stage1
run: |
cargo build --target x86_64-unknown-linux-musl --release
strip target/x86_64-unknown-linux-musl/release/zarf-injector
- name: "Strip The Binary Down"
run: sudo strip ${{ env.zarfInjectorPath }}

- name: "Upload Rust Binary"
uses: actions/upload-artifact@v3
with:
name: zarf-injector
path: ${{ env.zarfInjectorPath }}
- name: "Build Rust Binary for aarch64"
working-directory: src/injector/stage1
run: |
rustup target add aarch64-unknown-linux-musl
curl https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz
export PATH="$PWD/aarch64-linux-musl-cross/bin:$PATH"
cargo build --target aarch64-unknown-linux-musl --release
aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: "Upload Binary To DockerHub"
run: cosign upload blob -f ${{ env.zarfInjectorPath }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
- name: "Upload Binaries To DockerHub"
working-directory: src/injector/stage1/target
run: |
cosign upload blob -f x86_64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
cosign upload blob -f aarch64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
- name: "Sign the binary"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
- name: "Sign the binaries"
run: |
cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}

66 changes: 0 additions & 66 deletions .github/workflows/build-zarf-agent.yml

This file was deleted.

21 changes: 13 additions & 8 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,21 @@ name: docs
on:
pull_request:
paths:
- '**.md'
- '**.jpg'
- '**.png'
- '**.gif'
- '**.svg'
- 'adr/**'
- 'docs/**'
- "**.md"
- "**.jpg"
- "**.png"
- "**.gif"
- "**.svg"
- "adr/**"
- "docs/**"

# Abort prior jobs in the same workflow / PR
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
validate:
runs-on: ubuntu-latest
steps:
- run: 'echo "Not required, non-code changes only." '
- run: 'echo "Not required, non-code changes only." '
10 changes: 7 additions & 3 deletions .github/workflows/labels.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,15 @@ on:
pull_request:
types: [labeled, unlabeled, opened, edited, synchronize]

# Abort prior jobs in the same workflow / PR
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
enforce:
runs-on: ubuntu-latest
steps:
- uses: yogevbd/[email protected]
with:
BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"
- uses: yogevbd/[email protected]
with:
BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"
56 changes: 39 additions & 17 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,31 +3,56 @@ name: Publish Zarf Packages on Tag
on:
push:
tags:
- 'v*'
- "v*"

jobs:
push-resources:
runs-on: self-hosted
steps:
- name: Install GoLang
- name: "Dependency: Install Golang"
uses: actions/setup-go@v3
with:
go-version: 1.18.x

- name: Checkout Repo
- name: "Dependency: Install Docker Buildx"
id: buildx
uses: docker/setup-buildx-action@v2

- name: "Checkout Repo"
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: "Setup caching"
uses: actions/cache@v3
- name: "Build CLI"
run: make build-cli-linux

- name: "Zarf Agent: Login to Docker Hub"
uses: docker/login-action@v2
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64 && cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:$GITHUB_REF_NAME .
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME defenseunicorns/zarf-agent:$GITHUB_REF_NAME
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}

# Builds init packages since GoReleaser won't handle this for us
- name: "Build init-packages For Release"
run: |
make init-package ARCH=amd64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
make init-package ARCH=arm64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
- name: "Run Tests"
run: sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64

# Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
- name: Set AWS Credentials
Expand All @@ -37,12 +62,6 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1

# Builds init packages since GoReleaser won't handle this for us
- name: "Build init-packages For Release"
run: |
make build-cli-linux-amd init-package ARCH=amd64
make init-package ARCH=arm64
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3
Expand All @@ -53,3 +72,6 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}

- name: "Cleanup"
run: sudo make destroy
30 changes: 25 additions & 5 deletions .github/workflows/test-k3d.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,26 +10,46 @@ on:
- "adr/**"
- "docs/**"

# Abort prior jobs in the same workflow / PR
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
validate:
runs-on: self-hosted
steps:
- name: "Install GoLang"
- name: "Dependency: Install Golang"
uses: actions/setup-go@v3
with:
go-version: 1.18.x

- name: "Checkout Repo"
uses: actions/checkout@v3
- name: "Dependency: Install Docker Buildx"
id: buildx
uses: docker/setup-buildx-action@v2

- name: "K3d cluster init"
- name: "Dependency: K3d cluster init"
run: k3d cluster delete && k3d cluster create

- name: "Checkout Repo"
uses: actions/checkout@v3

- name: "Build CLI"
run: make build-cli-linux-amd ARCH=amd64

- name: "Zarf Agent: Login to Docker Hub"
uses: docker/login-action@v2
with:
username: zarfdev
password: ${{ secrets.ZARF_DEV_DOCKERHUB }}

- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
- name: "Make Packages"
run: make init-package build-examples ARCH=amd64
run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA

- name: "Run Tests"
# NOTE: This test run will create its own K3d cluster. A single cluster will be used throughout the test run.
Expand Down
24 changes: 22 additions & 2 deletions .github/workflows/test-k3s.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,23 +10,43 @@ on:
- "adr/**"
- "docs/**"

# Abort prior jobs in the same workflow / PR
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
validate:
runs-on: self-hosted
steps:
- name: "Install GoLang"
- name: "Dependency: Install Golang"
uses: actions/setup-go@v3
with:
go-version: 1.18.x

- name: "Dependency: Install Docker Buildx"
id: buildx
uses: docker/setup-buildx-action@v2

- name: "Checkout Repo"
uses: actions/checkout@v3

- name: "Build CLI"
run: make build-cli-linux-amd ARCH=amd64

- name: "Zarf Agent: Login to Docker Hub"
uses: docker/login-action@v2
with:
username: zarfdev
password: ${{ secrets.ZARF_DEV_DOCKERHUB }}

- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
- name: "Make Packages"
run: make init-package build-examples ARCH=amd64
run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA

- name: "Run Tests"
# NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed
Expand Down
Loading

0 comments on commit de395b7

Please sign in to comment.