-
Notifications
You must be signed in to change notification settings - Fork 1
166 lines (151 loc) · 5.37 KB
/
ci-main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
#
name: Main CI
#
on:
push:
branches:
- "next"
- "next-major"
pull_request:
branches:
- "main"
- "next"
- "next-major"
workflow_dispatch:
env:
DOCKER_REGISTRY_IMAGE: ghcr.io/${{ github.repository_owner }}/containers/${{ github.event.repository.name }}
permissions:
contents: read # for actions/checkout to fetch code
jobs:
lint-test:
runs-on: ubuntu-latest
steps:
- name: Install 1Password CLI
uses: 1password/install-cli-action@v1
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v3
with:
version: v3.13.0
- uses: actions/setup-python@v5
with:
python-version: '3.9'
check-latest: true
- name: Set up chart-testing
uses: helm/[email protected]
- name: inject secrets
run: find charts/s3proxy/ci/ -type f -name "*.1ptpl" -exec bash -c 'op inject -f -i $1 -o ${1%.*}' bash {} \;
- name: Run chart-testing (lint)
run: ct lint --target-branch ${{ github.event.repository.default_branch }} --all
- name: Create kind cluster
uses: helm/[email protected]
- name: Run chart-testing (install)
run: ct install --target-branch ${{ github.event.repository.default_branch }} --all
checkov-gha:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
# This will add both a CLI output to the console and create a results.sarif file
output_format: cli,sarif
output_file_path: console,results.sarif
quiet: true
framework: github_configuration
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed. Security checks that do not pass will 'fail'.
# An alternative is to add `continue-on-error: true` to the previous step
# Or 'soft_fail: true' to checkov.
if: success() || failure()
with:
sarif_file: results.sarif
checkov-helm:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
strategy:
matrix:
values:
- filesystem
- azureblob-azurekey
runs-on: ubuntu-latest
steps:
- name: Install 1Password CLI
uses: 1password/install-cli-action@v1
- uses: actions/checkout@v4
- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
# This will add both a CLI output to the console and create a results.sarif file
output_format: cli,sarif
output_file_path: console,results.sarif
quiet: true
framework: helm
directory: charts/s3proxy
var_file: "${{ matrix.values }}-values.yaml"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
# Results are generated only on a success or failure
# this is required since GitHub by default won't run the next step
# when the previous one has failed. Security checks that do not pass will 'fail'.
# An alternative is to add `continue-on-error: true` to the previous step
# Or 'soft_fail: true' to checkov.
if: success() || failure()
with:
sarif_file: results.sarif
release:
runs-on: ubuntu-latest
needs:
- lint-test
- checkov-gha
- checkov-helm
permissions:
contents: write
issues: write
packages: write
outputs:
version: ${{ steps.version.outputs.new_release_version }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Run chart-releaser
uses: helm/[email protected]
with:
install_only: true
- name: Semantic Release
id: version
uses: cycjimmy/semantic-release-action@v4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# REGISTRY_HOST: ghcr.io
REGISTRY_USERNAME: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
semantic_version: 19.0.5
extra_plugins: |
@semantic-release/[email protected]
@semantic-release/[email protected]
@semantic-release/[email protected]
@semantic-release/[email protected]
@semantic-release/[email protected]
@semantic-release/[email protected]