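# CI workflow: Go lint/format checks, Dockerfile lint, unit tests, container
# image build + vulnerability scan, and coverage upload.
#
# NOTE(review): actions are referenced by mutable tags (and one branch).
# For third-party actions in particular, pinning to a full commit SHA keeps
# an upstream tag move from silently changing what runs here.
on:
  push:
    branches:
      - "main"
    tags:
      - "*"
  pull_request: {}
  release:
    types:
      - published

name: CI Build & Test

# Least privilege for GITHUB_TOKEN: read-only by default, widened per job
# only where a step needs to write.
permissions:
  contents: read

jobs:
  review-go:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: check if go.mod and go.sum are tidy
        run: make depscheck
      - name: check code format
        run: make fmtcheck
      - name: check code quality
        run: make go-lint

  review-docker:
    runs-on: ubuntu-latest
    # The github-pr-review reporter posts review comments on the pull
    # request, so this job alone gets write access to pull requests.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-hadolint@v1
        with:
          reporter: github-pr-review
          level: info
          filter_mode: file

  tests:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: run unit tests
        run: make test
      - name: upload coverage
        uses: actions/upload-artifact@v4
        with:
          name: unit-coverage
          path: coverage.out

  docker-build:
    runs-on: ubuntu-latest
    needs:
      - review-go
      - review-docker
    steps:
      - uses: actions/checkout@v4
      # try to log into our Harbor, but continue without pushing when secrets
      # not available (e.g. when PR from a fork or dependabot). Sadly, the
      # secrets context is not available in jobs/steps.if but we copy the
      # HARBOR_USER secret into the environment and check that instead.
      - uses: docker/login-action@v3
        id: docker_login
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
        if: ${{ env.HARBOR_USER != null }}
        with:
          username: ${{ secrets.HARBOR_USER }}
          password: ${{ secrets.HARBOR_SECRET }}
          registry: anx-cr.io
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            anx-cr.io/anexia/csi-driver
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
      # NOTE(review): whenever the login above succeeded, this step pushes
      # the image, including on pull_request runs where the secrets are
      # available. The Trivy step below runs afterwards, so a failing scan
      # fails the job but does not keep the image out of the registry.
      # Building with `load: true`, scanning, and pushing in a later step
      # would turn the scan into a gate on publication.
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: docker_build
        with:
          push: ${{ steps.docker_login.outcome == 'success' }}
          build-args: version=${{ github.ref_type == 'tag' && github.ref_name || github.sha }}
          tags: |
            ${{ steps.meta.outputs.tags }}
      # NOTE(review): `@master` is a mutable branch ref, and this step runs
      # in a job that has already logged in to the registry. Pin it to a
      # release tag or, better, a full commit SHA.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.docker_build.outputs.imageid }}
          format: 'table'
          exit-code: '1'
          # Only findings with an available fix fail the build; unfixed
          # CRITICAL/HIGH findings pass silently.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          trivyignores: .trivyignore

  upload-results:
    needs: tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
      # NOTE(review): the rendered page garbled this line to
      # `paambaati/[email protected]` (e-mail obfuscation). The action name
      # is inferred from its inputs and the ref is unknown; restore the
      # exact `uses:` value from the repository.
      - uses: paambaati/codeclimate-action@<VERSION>
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
        with:
          prefix: github.com/anexia/csi-driver
          coverageLocations: |
            ${{ github.workspace }}/unit-coverage/coverage.out:gocov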