-
Notifications
You must be signed in to change notification settings - Fork 2
118 lines (114 loc) · 3.83 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: CI
on:
push:
branches:
- main
- develop
pull_request:
branches:
- develop
schedule:
- cron: "0 2 * * 1-5"
workflow_dispatch: {}
concurrency:
group: "${{ github.ref }}-${{ github.workflow }}"
cancel-in-progress: true
permissions:
contents: read
pull-requests: write
jobs:
changes:
runs-on: ubuntu-latest
permissions:
pull-requests: read
outputs:
apps: ${{ steps.filter.outputs.changes }}
steps:
- name: Check-out the repository
uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: filter
with:
base: ${{ github.ref }}
filters: |
game-2048: src/game-2048/**/*.!(md)
cow-demo: src/cow-demo/**/*.!(md)
rancher-helloworld: src/rancher-helloworld/**/*.!(md)
code-check:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
with:
# gets all history for all branches and tags (mandatory for chart-testing to work, see https://github.com/helm/chart-testing/issues/186)
fetch-depth: 0
- name: Lint Markdown files
uses: DavidAnson/markdownlint-cli2-action@v16
with:
globs: '**/*.md'
# uses https://github.com/koalaman/shellcheck
- name: Install Shellcheck
run: sudo apt install shellcheck
- name: Check shell file code
run:
shellcheck -e SC2086 -e SC2034 -e SC2126 scripts/**/*.sh
- name: Install Helm
uses: azure/setup-helm@v4.2.0
with:
version: v3.14.0
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Add dependency Helm chart repositories
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add nfs-ganesha-server-and-external-provisioner https://kubernetes-sigs.github.io/nfs-ganesha-server-and-external-provisioner/
helm repo update
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
check-latest: true
- name: Install Helm chart-testing
uses: helm/chart-testing-action@v2.6.1
- name: List changed Helm charts
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Run chart-testing (lint)
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
image-scan:
needs: changes
if: needs.changes.outputs.apps != '[]'
strategy:
matrix:
app: ${{ fromJSON(needs.changes.outputs.apps) }}
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build container image from source
run: |
cd src/${{ matrix.app }}
docker build . --tag $CONTAINER_REGITRY_DOMAIN/$IMAGE_FOLDER/${{ matrix.app }}:${{ env.IMAGE_TAG }}
- name: Scan container image with NeuVector
if: ${{ vars.USE_NEUVECTOR == 'true' }}
uses: neuvector/scan-action@main
with:
image-repository: ${{ env.CONTAINER_REGITRY_DOMAIN }}/${{ env.IMAGE_FOLDER }}/${{ matrix.app }}
image-tag: ${{ env.IMAGE_TAG }}
min-high-cves-to-fail: "1"
min-medium-cves-to-fail: "1"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CONTAINER_REGITRY_DOMAIN: docker.io
IMAGE_FOLDER: ${{ vars.DOCKERHUB_NAMESPACE }}
IMAGE_TAG: 1.0.${{ github.run_id }}