CI #336
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
branches: [ 'stable/**' ] | |
types: [ 'opened', 'reopened', 'synchronize' ] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
jobs: | |
build: | |
name: Build | |
runs-on: ${{ matrix.RUNNER }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- PLATFORM: amd64 | |
ARCH: x86_64 | |
RUNNER: self-hosted-amd64-1cpu | |
- PLATFORM: arm64 | |
ARCH: aarch64 | |
RUNNER: self-hosted-arm64-1cpu | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2 | |
- name: Build image | |
run: make ARCHS=${{ matrix.ARCH }} PLATFORMS=${{ matrix.PLATFORM }} BUILDX_ARGS=--load build | |
- name: Save image | |
run: docker save -o node-${{ matrix.ARCH }}.tar docker.io/wallarm/node:test | |
- name: Cache image | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b | |
with: | |
retention-days: 1 | |
name: node-${{ matrix.ARCH }}.tar | |
path: node-${{ matrix.ARCH }}.tar | |
test: | |
name: Test | |
runs-on: ${{ matrix.RUNNER }} | |
env: | |
## US preset | |
env_code: ingress-us1 | |
CLIENT_ID: 7119 | |
## EU preset | |
# env_code: ingress | |
# CLIENT_ID: 5 | |
needs: | |
- build | |
strategy: | |
matrix: | |
case: [ single, split ] | |
ARCH: [ x86_64, aarch64 ] | |
include: | |
- ARCH: x86_64 | |
RUNNER: self-hosted-amd64-2cpu | |
- ARCH: aarch64 | |
RUNNER: self-hosted-arm64-2cpu | |
fail-fast: false | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2 | |
- name: Import secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
id: secrets | |
with: | |
exportEnv: false | |
url: ${{ secrets.VAULT_URL }} | |
role: ${{ secrets.VAULT_ROLE }} | |
method: kubernetes | |
path: kubernetes-ci | |
secrets: | | |
kv-gitlab-ci/data/github/${{ env.env_code }} api_token ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} api_host ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} api_preset ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} user_token ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} webhook_uuid ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} webhook_api_key ; | |
kv-gitlab-ci/data/github/${{ env.env_code }} allure_server_token ; | |
kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ; | |
kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ; | |
kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds registry_name ; | |
- name: Login | |
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 | |
with: | |
registry: ${{ steps.secrets.outputs.registry_name }} | |
username: ${{ steps.secrets.outputs.token_name }} | |
password: ${{ steps.secrets.outputs.token_secret }} | |
- name: Load cache | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
with: | |
name: node-${{ matrix.ARCH }}.tar | |
- name: Load images | |
run: docker load -i node-${{ matrix.ARCH }}.tar | |
- name: Run test | |
env: | |
ALLURE_PROJECT_ID: 10 | |
ALLURE_UPLOAD_REPORT: true | |
ALLURE_TOKEN: ${{ steps.secrets.outputs.ALLURE_SERVER_TOKEN }} | |
ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }} | |
USER_TOKEN: ${{ steps.secrets.outputs.user_token }} | |
WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }} | |
WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }} | |
WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }} | |
WEBHOOK_API_KEY: ${{ steps.secrets.outputs.webhook_api_key }} | |
WEBHOOK_UUID: ${{ steps.secrets.outputs.webhook_uuid }} | |
ARCH: ${{ matrix.ARCH }} | |
run: make ${{ matrix.case }} | |
- name: Upload logs | |
if: always() | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | |
with: | |
retention-days: 5 | |
name: node-logs-${{ matrix.ARCH }}-${{ matrix.case }}.tar.gz | |
path: node-logs-${{ matrix.ARCH }}-${{ matrix.case }}.tar.gz | |
scan: | |
name: Vulnerability scanner | |
runs-on: self-hosted-amd64-1cpu | |
permissions: | |
pull-requests: write | |
needs: | |
- build | |
env: | |
ARCH: x86_64 | |
steps: | |
- name: Load cache | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
with: | |
name: node-${{ env.ARCH }}.tar | |
- name: Import secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
id: secrets | |
with: | |
exportEnv: false | |
url: ${{ secrets.VAULT_URL }} | |
role: ${{ secrets.VAULT_ROLE }} | |
method: kubernetes | |
path: kubernetes-ci | |
secrets: | | |
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
- name: Docker Scout | |
uses: docker/scout-action@v1 | |
with: | |
command: compare,cves | |
image: archive://node-${{ env.ARCH }}.tar | |
to: docker.io/wallarm/node:latest | |
ignore-unchanged: false | |
only-severities: critical,high | |
write-comment: true | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} |