mirror of
https://github.com/project-zot/zot.git
synced 2024-12-16 21:56:37 -05:00
fac1d1d05d
1. chore(trivy): update trivy library version The trivy team switched github.com/urfave/cli for viper so there are some other code changes as well. Since we don't use github.com/urfave/cli directly in our software we needed to add a tools.go in order for "go mod tidy" to not delete it. See this pattern explained in: - https://github.com/99designs/gqlgen#quick-start - https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module - https://github.com/go-modules-by-example/index/blob/master/010_tools/README.md#walk-through The jobs using "go get -u" have been updated to use "go install", since go get modifies the go.mod by upgrading some of the packages, but downgrading trivy to an older version with broken dependencies 2. fix(storage) Update local storage to ignore folder names not compliant with dist spec Also updated trivy to download the DB and cache results under the rootDir/_trivy folder 3. fix(s3): one of the s3 tests was missing the skipIt call This caused a failure when running locally without s3 being available 4. make sure the offline scanning is enabled, and zot only downloads the trivy DB on the regular schedule, and doesn't download the DB on every image scan ci: increase build and test timeout as tests are reaching the limit more often Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
377 lines
15 KiB
YAML
377 lines
15 KiB
YAML
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
release:
|
|
types:
|
|
- published
|
|
name: build-test
|
|
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
jobs:
|
|
build-test:
|
|
name: Build and test ZOT
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Run build and test
|
|
timeout-minutes: 60
|
|
run: |
|
|
echo "job deprecated"
|
|
build-test-arch:
|
|
name: Build and test ZOT
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
os: [linux, darwin]
|
|
arch: [amd64, arm64]
|
|
steps:
|
|
- name: Install go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: 1.19.x
|
|
- name: Check out source code
|
|
uses: actions/checkout@v3
|
|
- name: Cache go dependencies
|
|
id: cache-go-dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: |
|
|
~/.cache/go-build
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
- name: Install go dependencies
|
|
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
|
|
run: go mod download
|
|
- name: Install other dependencies
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
go install github.com/swaggo/swag/cmd/swag@v1.6.3
|
|
sudo apt-get update
|
|
sudo apt-get install rpm
|
|
sudo apt-get install snapd
|
|
sudo apt-get install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config
|
|
git clone https://github.com/containers/skopeo -b v1.6.1 $GITHUB_WORKSPACE/src/github.com/containers/skopeo
|
|
cd $GITHUB_WORKSPACE/src/github.com/containers/skopeo && make bin/skopeo
|
|
cd $GITHUB_WORKSPACE
|
|
curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.7.1-alpha.1/notation_0.7.1-alpha.1_linux_amd64.tar.gz
|
|
sudo tar xvzf notation.tar.gz -C /usr/bin notation
|
|
go install github.com/wadey/gocovmerge@latest
|
|
|
|
- if: matrix.os == 'linux' && matrix.arch == 'amd64'
|
|
name: Setup localstack service
|
|
run: |
|
|
pip install localstack # Install LocalStack cli
|
|
docker pull localstack/localstack:1.3 # Make sure to pull the latest version of the image
|
|
localstack start -d # Start LocalStack in the background
|
|
|
|
echo "Waiting for LocalStack startup..." # Wait 30 seconds for the LocalStack container
|
|
localstack wait -t 30 # to become ready before timing out
|
|
echo "Startup complete"
|
|
|
|
aws dynamodb --endpoint-url http://localhost:4566 --region "us-east-2" create-table --table-name BlobTable --attribute-definitions AttributeName=Digest,AttributeType=S --key-schema AttributeName=Digest,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
|
|
aws dynamodb --endpoint-url http://localhost:4566 --region "us-east-2" create-table --table-name RepoMetadataTable --attribute-definitions AttributeName=RepoName,AttributeType=S --key-schema AttributeName=RepoName,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
|
|
aws dynamodb --endpoint-url http://localhost:4566 --region "us-east-2" create-table --table-name ManifestDataTable --attribute-definitions AttributeName=Digest,AttributeType=S --key-schema AttributeName=Digest,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
|
|
env:
|
|
AWS_ACCESS_KEY_ID: fake
|
|
AWS_SECRET_ACCESS_KEY: fake
|
|
- name: Run build and test
|
|
timeout-minutes: 70
|
|
run: |
|
|
echo "Building for $OS:$ARCH"
|
|
cd $GITHUB_WORKSPACE
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
make OS=$OS ARCH=$ARCH
|
|
sudo env "PATH=$PATH" make privileged-test
|
|
else
|
|
make OS=$OS ARCH=$ARCH binary binary-minimal binary-debug cli bench exporter-minimal
|
|
fi
|
|
env:
|
|
S3MOCK_ENDPOINT: localhost:4566
|
|
DYNAMODBMOCK_ENDPOINT: http://localhost:4566
|
|
AWS_ACCESS_KEY_ID: fake
|
|
AWS_SECRET_ACCESS_KEY: fake
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Upload code coverage
|
|
uses: codecov/codecov-action@v3
|
|
|
|
- name: Generate GraphQL Introspection JSON on Release
|
|
if: github.event_name == 'release' && github.event.action == 'published' && matrix.os == 'linux' && matrix.arch == 'amd64'
|
|
run: |
|
|
bin/zot-linux-amd64 serve examples/config-search.json &
|
|
sleep 10
|
|
curl -X POST -H "Content-Type: application/json" -d @.pkg/debug/githubWorkflows/introspection-query.json http://localhost:5000/v2/_zot/ext/search | jq > bin/zot-gql-introspection-result.json
|
|
pkill zot
|
|
|
|
- if: github.event_name == 'release' && github.event.action == 'published'
|
|
name: Publish artifacts on releases
|
|
uses: svenstaro/upload-release-action@v2
|
|
with:
|
|
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
|
file: bin/z*
|
|
tag: ${{ github.ref }}
|
|
overwrite: true
|
|
file_glob: true
|
|
|
|
push-image:
|
|
if: github.event_name == 'release' && github.event.action== 'published'
|
|
name: Push OCI images to GitHub Packages
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
os: [linux, darwin]
|
|
arch: [amd64, arm64]
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: actions/checkout@v3
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build and push zot container image
|
|
uses: project-stacker/stacker-build-push-action@main
|
|
with:
|
|
file: 'build/stacker.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zot-${{ matrix.os }}-${{ matrix.arch }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run zot container image with docker
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
docker kill $(docker ps -q)
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Run zot container image with podman
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
podman kill --all
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Build and push zot-minimal container image
|
|
uses: project-stacker/stacker-build-push-action@main
|
|
with:
|
|
file: 'build/stacker.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
EXT=-minimal
|
|
REPO_NAME=zot-minimal-${{ matrix.os }}-${{ matrix.arch }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run zot-minimal container image with docker
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
docker kill $(docker ps -q)
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Run zot-minimal container image with podman
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
podman kill --all
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Build and push zot-exporter container image
|
|
uses: project-stacker/stacker-build-push-action@main
|
|
with:
|
|
file: 'build/stacker-zxp.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zxp-${{ matrix.os }}-${{ matrix.arch }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run zot-exporter container image with docker
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
docker run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5001/metrics'
|
|
docker kill $(docker ps -q)
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Run zot-exporter container image with podman
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
podman run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5001/metrics'
|
|
podman kill --all
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Build and push zb container image
|
|
uses: project-stacker/stacker-build-push-action@main
|
|
with:
|
|
file: 'build/stacker-zb.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zb-${{ matrix.os }}-${{ matrix.arch }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run zb container image with docker
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
docker run ghcr.io/${{ github.repository_owner }}/zb-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} --help
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Run zb container image with podman
|
|
run: |
|
|
if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
|
|
podman run ghcr.io/${{ github.repository_owner }}/zb-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} --help
|
|
fi
|
|
env:
|
|
OS: ${{ matrix.os }}
|
|
ARCH: ${{ matrix.arch }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run Trivy vulnerability scanner (minimal)
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository }}-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
update-helm-chart:
|
|
if: github.event_name == 'release' && github.event.action== 'published'
|
|
name: Update Helm Chart
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
ref: main
|
|
fetch-depth: '0'
|
|
|
|
- name: Checkout project-zot/helm-charts
|
|
uses: actions/checkout@v3
|
|
with:
|
|
repository: project-zot/helm-charts
|
|
ref: main
|
|
fetch-depth: '0'
|
|
token: ${{ secrets.HELM_PUSH_TOKEN }}
|
|
path: ./helm-charts
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config --global user.name 'github-actions'
|
|
git config --global user.email 'github-actions@users.noreply.github.com'
|
|
- name: Update appVersion
|
|
uses: mikefarah/yq@master
|
|
with:
|
|
cmd: yq -i '.appVersion = "${{ github.event.release.tag_name }}"' 'helm-charts/charts/zot/Chart.yaml'
|
|
- name: Update image tag
|
|
uses: mikefarah/yq@master
|
|
with:
|
|
cmd: yq -i '.image.tag = "${{ github.event.release.tag_name }}"' 'helm-charts/charts/zot/values.yaml'
|
|
- name: Update version
|
|
run: |
|
|
sudo apt-get install pip
|
|
pip install pybump
|
|
pybump bump --file helm-charts/charts/zot/Chart.yaml --level patch
|
|
- name: Push changes to project-zot/helm-charts
|
|
run: |
|
|
cd ./helm-charts
|
|
git commit -am "Automated update of Helm Chart"
|
|
git push
|