Skip to content
Build and deploy Kafkarator

build(deps): bump google-github-actions/auth from 2.1.5 to 2.1.6 #702

Sign in to view logs

build(deps): bump google-github-actions/auth from 2.1.5 to 2.1.6

build(deps): bump google-github-actions/auth from 2.1.5 to 2.1.6 #702

Workflow file for this run

.github/workflows/main.yml at e0cd85f
name: Build and deploy Kafkarator
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
paths-ignore:
- doc/**
- examples/**
- scripts/**
- dashboards/**
env:
GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
EARTHLY_USE_INLINE_CACHE: true
EARTHLY_SAVE_INLINE_CACHE: true
EARTHLY_VERBOSE: true
EARTHLY_FULL_TARGET: true
EARTHLY_OUTPUT: true
jobs:
version:
name: Set variables
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
- name: "Set image version"
id: constants
run: |
export version="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
echo "VERSION=${version}" >> ${GITHUB_OUTPUT}
outputs:
version: "${{ steps.constants.outputs.VERSION }}"
build:
name: Build and push
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
needs:
- version
strategy:
fail-fast: false
matrix:
target:
- kafkarator
- canary
- canary-deployer
env:
VERSION: "${{ needs.version.outputs.VERSION }}"
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
- name: Install cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # ratchet:sigstore/cosign-installer@v3.6.0
with:
cosign-release: 'v2.2.3'
- name: Verify runner image
run: cosign verify --certificate-identity keyless@distroless.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com gcr.io/distroless/static-debian11
- id: "auth"
if: github.ref == 'refs/heads/master'
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70" # ratchet:google-github-actions/auth@v2.1.6
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "gh-kafkarator@nais-io.iam.gserviceaccount.com"
token_format: "access_token"
- name: Login to Google Artifact Registry
if: github.ref == 'refs/heads/master'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # ratchet:docker/login-action@v2
with:
registry: ${{ env.GOOGLE_REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Install earthly
uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # ratchet:earthly/actions-setup@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Build and possibly push ${{ matrix.target }}
env:
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/master' }}"
run: |
earthly +docker-${{ matrix.target }} --VERSION=${VERSION} --REGISTRY=${GOOGLE_REGISTRY}
- name: Retrieve image digest
id: imgdigest
if: github.ref == 'refs/heads/master'
run: |
export IMAGE=${{ env.GOOGLE_REGISTRY }}/nais-io/nais/images/kafkarator/${{ matrix.target }}:${VERSION}
docker pull ${IMAGE}
echo "digest=$(docker inspect ${IMAGE} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT
- name: Sign the container image
if: github.ref == 'refs/heads/master'
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }}
- name: Create SBOM
if: github.ref == 'refs/heads/master'
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # ratchet:aquasecurity/trivy-action@0.24.0
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'cyclone.sbom.json'
image-ref: ${{ steps.imgdigest.outputs.digest }}
- name: Attest image
if: github.ref == 'refs/heads/master'
run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }}
chart:
permissions:
contents: 'read'
id-token: 'write'
name: Build and push chart
runs-on: ubuntu-latest
needs:
- version
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
- id: 'auth'
name: 'Authenticate to Google Cloud'
if: github.ref == 'refs/heads/master'
uses: 'google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70' # ratchet:google-github-actions/auth@v2.1.6
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: 'gh-kafkarator@nais-io.iam.gserviceaccount.com'
token_format: 'access_token'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7' # ratchet:google-github-actions/setup-gcloud@v1
- name: 'Log in to Google Artifact Registry'
if: github.ref == 'refs/heads/master'
run: |-
echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://${{ env.GOOGLE_REGISTRY }}
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # ratchet:azure/setup-helm@v3
name: 'Setup Helm'
with:
version: '3.8.0'
- name: Set versions
run: |-
for chart in charts/*; do
yq e '.version = "${{ needs.version.outputs.VERSION }}"' --inplace "${chart}/Chart.yaml"
yq e '.image.tag = "${{ needs.version.outputs.VERSION }}"' --inplace "${chart}/values.yaml"
yq e '.canary.image.tag = "${{ needs.version.outputs.VERSION }}"' --inplace "${chart}/values.yaml"
yq e '.deployer.image.tag = "${{ needs.version.outputs.VERSION }}"' --inplace "${chart}/values.yaml"
done
- name: Build Chart
run: |-
for chart in charts/*; do
helm package "$chart"
done
- name: Push Chart
if: github.ref == 'refs/heads/master'
run: |-
for chart in *.tgz; do
helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
done
rollout:
name: Rollout
if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master'
needs:
- version
- build
- chart
runs-on: fasit-deploy
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
feature:
- kafkarator
- kafka-canary
- kafka-canary-alert
steps:
- uses: nais/fasit-deploy@v2 # ratchet:exclude
with:
chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ matrix.feature }}
version: ${{ needs.version.outputs.VERSION }}