ci-latest-release #20

Workflow file for this run

.github/workflows/ci-latest-release.yml at 275fd3a

	name: ci-latest-release

	on:
	push:
	branches:
	- "main"
	- "v*"
	paths:
	- "KubeArmor/**"
	- "protobuf/**"
	- ".github/workflows/ci-latest-release.yml"
	- "pkg/**"
	- "!STABLE-RELEASE"

	create:
	branches:
	- "v*"

	jobs:
	check:
	name: Check what pkg were updated
	if: github.repository == 'kubearmor/kubearmor'
	runs-on: ubuntu-20.04
	timeout-minutes: 5
	outputs:
	kubearmor: ${{ steps.filter.outputs.kubearmor}}
	controller: ${{ steps.filter.outputs.controller }}
	steps:
	- uses: actions/checkout@v3
	- uses: dorny/paths-filter@v2
	id: filter
	with:
	filters: \|
	kubearmor:
	- "KubeArmor/**"
	- "protobuf/**"
	controller:
	- 'pkg/KubeArmorController/**'

	build:
	name: Create KubeArmor latest release
	needs: check
	if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' \|\| ${{ github.ref }} != 'refs/heads/main')
	runs-on: ubuntu-20.04
	permissions:
	id-token: write
	timeout-minutes: 120
	steps:
	- uses: actions/checkout@v3
	with:
	submodules: true

	- uses: actions/setup-go@v3
	with:
	go-version: "v1.20"

	- name: Install the latest LLVM toolchain
	run: ./.github/workflows/install-llvm.sh

	- name: Compile libbpf
	run: ./.github/workflows/install-libbpf.sh

	- name: Setup a Kubernetes enviroment
	id: vars
	run: \|
	if [ ${{ github.ref }} == "refs/heads/main" ]; then
	echo "tag=latest" >> $GITHUB_OUTPUT
	else
	echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
	fi
	RUNTIME=docker ./contribution/k3s/install_k3s.sh

	- name: Generate KubeArmor artifacts
	run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh ${{ steps.vars.outputs.tag }}

	- name: Deploy KubeArmor into Kubernetes
	run: \|
	helm upgrade --install kubearmor ./deployments/helm/KubeArmor \
	--values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
	--set kubearmor.image.tag=${{ steps.vars.outputs.tag }} \
	--set kubearmorInit.image.tag=${{ steps.vars.outputs.tag }} \
	-n kubearmor --create-namespace;

	kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app
	kubectl get pods -A

	- name: Test KubeArmor using Ginkgo
	run: \|
	go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
	make -C tests/k8s_env/
	timeout-minutes: 30

	- name: Login to Docker Hub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_AUTHTOK }}

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v2

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	with:
	platforms: linux/amd64,linux/arm64/v8

	- name: Push KubeArmor images to Docker
	run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }}

	- name: Install Cosign
	uses: sigstore/cosign-installer@main

	- name: Get Image Digest
	id: digest
	run: \|
	echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
	echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
	echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT

	- name: Sign the Container Images
	run: \|
	cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes
	cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes
	cosign sign -r kubearmor/kubearmor-ubi@${{ steps.digest.outputs.ubidigest }} --yes

	push-stable-version:
	name: Create KubeArmor stable release
	needs: [build, check]
	if: github.ref != 'refs/heads/main'
	runs-on: ubuntu-20.04
	permissions:
	id-token: write
	timeout-minutes: 60
	steps:
	- uses: actions/checkout@v3
	with:
	ref: main

	- name: Install regctl
	run: \|
	curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
	chmod 755 regctl
	mv regctl /usr/local/bin

	- name: Check install
	run: regctl version

	- name: Get tag
	id: match
	run: \|
	value=`cat STABLE-RELEASE`
	if [ ${{ github.ref }} == "refs/heads/$value" ]; then
	echo "tag=true" >> $GITHUB_OUTPUT
	else
	echo "tag=false" >> $GITHUB_OUTPUT
	fi

	- name: Login to Docker Hub
	if: steps.match.outputs.tag == 'true'
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_AUTHTOK }}

	- name: Generate the stable version of KubeArmor in Docker Hub
	if: steps.match.outputs.tag == 'true'
	run: \|
	STABLE_VERSION=`cat STABLE-RELEASE`
	regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
	regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
	regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags

	kubearmor-controller-release:
	name: Build & Push KubeArmorController
	needs: check
	if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.controller == 'true' \|\| ${{ github.ref }} != 'refs/heads/main')
	defaults:
	run:
	working-directory: ./pkg/KubeArmorController
	runs-on: ubuntu-20.04
	timeout-minutes: 60
	steps:
	- uses: actions/setup-go@v3
	with:
	go-version: "v1.20"

	- uses: actions/checkout@v3

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v2

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	with:
	platforms: linux/amd64,linux/arm64/v8

	- name: Login to Docker Hub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_AUTHTOK }}

	- name: Get tag
	id: tag
	run: \|
	if [ ${{ github.ref }} == "refs/heads/main" ]; then
	echo "tag=latest" >> $GITHUB_OUTPUT
	else
	echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
	fi

	- name: Build & Push KubeArmorController
	run: make docker-buildx TAG=${{ steps.tag.outputs.tag }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci-latest-release #20

Workflow file

ci-latest-release #20

Jobs

Run details

Workflow file for this run