Cache trivy in one more pipeline #5500
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and test images | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| paths: | ||
| - '**' | ||
| permissions: read-all | ||
| concurrency: | ||
| group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }} | ||
| cancel-in-progress: true | ||
| env: | ||
| FORCE_COLOR: 1 | ||
| jobs: | ||
| get-core-matrix: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| matrix: ${{ steps.set-matrix.outputs.matrix }} | ||
| steps: | ||
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | ||
| - run: | | ||
| git fetch --prune --unshallow | ||
| sudo apt update && sudo apt install -y jq | ||
| - id: set-matrix | ||
| run: | | ||
| content=`cat .github/flavors.json | jq 'map(select(.variant == "core" and .arch == "amd64"))'` | ||
| # the following lines are only required for multi line json | ||
| # the following lines are only required for multi line json | ||
| content="${content//'%'/'%25'}" | ||
| content="${content//$'\n'/'%0A'}" | ||
| content="${content//$'\r'/'%0D'}" | ||
| # end of optional handling for multi line json | ||
| # end of optional handling for multi line json | ||
| echo "::set-output name=matrix::{\"include\": $content }" | ||
| # Populate the trivy cache once for all later jobs to use | ||
| trivy-cache: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Install earthly | ||
| uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | ||
| with: | ||
| repository: quay.io/kairos/packages | ||
| packages: utils/earthly | ||
| - name: Restore trivy cache | ||
| uses: yogeshlonkar/trivy-cache-action@v0 | ||
| with: | ||
| gh-token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Populate trivy Cache | ||
| run: | | ||
| [ ! -d ".trivy" ] && mkdir -p ".trivy" | ||
| earthly +trivy-download-db --DIR .trivy | ||
| core: | ||
| uses: ./.github/workflows/reusable-build-flavor.yaml | ||
| needs: | ||
| - trivy-cache | ||
| permissions: | ||
| id-token: write # OIDC support | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| secrets: inherit | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| family: ${{ matrix.family }} | ||
| base_image: ${{ matrix.baseImage }} | ||
| model: ${{ matrix.model }} | ||
| variant: ${{ matrix.variant }} | ||
| arch: ${{ matrix.arch }} | ||
| needs: | ||
| - get-core-matrix | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}} | ||
| install: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-install-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| include: | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| secureboot: false | ||
| install-target: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-install-test-target.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| include: | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "24.04" | ||
| install-secureboot: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-install-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| secureboot: true | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| include: | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "tumbleweed" | ||
| - flavor: "debian" | ||
| flavorRelease: "bookworm" | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "22.04" | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "24.04" | ||
| - flavor: "fedora" | ||
| flavorRelease: "40" | ||
| zfs: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-zfs-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "22.04" | ||
| acceptance: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: "alpine" | ||
| flavorRelease: "3.19" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "tumbleweed" | ||
| - flavor: "debian" | ||
| flavorRelease: "testing" | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "20.04" | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "22.04" | ||
| - flavor: "ubuntu" | ||
| flavorRelease: "24.04" | ||
| bundles: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-qemu-bundles-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: opensuse # Kubo test needs systemd version 252+ which atm is not available in Leap | ||
| flavorRelease: tumbleweed | ||
| reset: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-qemu-reset-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: alpine | ||
| flavorRelease: "3.19" | ||
| family: alpine | ||
| base_image: alpine:3.19 | ||
| model: generic | ||
| variant: core | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| family: opensuse | ||
| base_image: opensuse/leap:15.6 | ||
| model: generic | ||
| variant: core | ||
| netboot: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-qemu-netboot-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| family: ${{ matrix.family }} | ||
| model: ${{ matrix.model }} | ||
| variant: ${{ matrix.variant }} | ||
| base_image: ${{ matrix.baseImage }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: alpine | ||
| flavorRelease: "3.19" | ||
| family: alpine | ||
| variant: core | ||
| model: generic | ||
| baseImage: alpine:3.19 | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| family: opensuse | ||
| variant: core | ||
| model: generic | ||
| baseImage: opensuse/leap:15.6 | ||
| - flavor: ubuntu | ||
| flavorRelease: "24.04" | ||
| family: ubuntu | ||
| variant: core | ||
| model: generic | ||
| baseImage: ubuntu:24.04 | ||
| upgrade: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: alpine | ||
| flavorRelease: "3.19" | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| # releaseMatcher: leap-15.5 | ||
| upgrade-latest: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-upgrade-latest-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| family: ${{ matrix.family }} | ||
| release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| # cant do alpine yet as it hasnt been released with the proper name | ||
| # - flavor: alpine | ||
| # flavorRelease: "3.19" | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| family: opensuse | ||
| # releaseMatcher: leap-15.5 | ||
| custom-partitioning: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-custom-partitioning-test.yaml | ||
| permissions: | ||
| id-token: write # OIDC support | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| flavor: | ||
| - "opensuse" | ||
| flavorRelease: | ||
| - "leap-15.6" | ||
| encryption: | ||
| uses: ./.github/workflows/reusable-encryption-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| label: ${{ matrix.label }} | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| label: | ||
| - "local-encryption" | ||
| - "remote-auto" | ||
| - "remote-static" | ||
| - "remote-https-pinned" | ||
| - "remote-https-bad-cert" | ||
| flavor: | ||
| - "opensuse" | ||
| flavorRelease: | ||
| - "leap-15.6" | ||
| standard: | ||
| uses: ./.github/workflows/reusable-build-provider.yaml | ||
| needs: | ||
| - core | ||
| - trivy-cache | ||
| permissions: | ||
| id-token: write # OIDC support | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| secrets: inherit | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| family: ${{ matrix.family }} | ||
| base_image: ${{ matrix.baseImage }} | ||
| variant: standard | ||
| model: generic | ||
| arch: amd64 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - flavor: opensuse | ||
| flavorRelease: leap-15.6 | ||
| family: opensuse | ||
| baseImage: opensuse/leap:15.6 | ||
| - flavor: alpine | ||
| flavorRelease: "3.19" | ||
| family: alpine | ||
| baseImage: alpine:3.19 | ||
| - flavor: ubuntu | ||
| flavorRelease: "24.04" | ||
| family: ubuntu | ||
| baseImage: ubuntu:24.04 | ||
| various: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-provider-tests.yaml | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| id-token: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| label: ${{ matrix.label }} | ||
| needs: | ||
| - standard | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| max-parallel: 2 | ||
| matrix: | ||
| include: | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| label: "provider-qrcode-install" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| label: "provider-upgrade" | ||
| # no point of running this on CI if it always fails | ||
| # - flavor: "opensuse" | ||
| # flavorRelease: "leap-15.6" | ||
| # label: "provider-decentralized-k8s" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| label: "provider-upgrade-k8s" | ||
| # no point of running this on CI if it always fails | ||
| # - flavor: "alpine" | ||
| # flavorRelease: "3.19" | ||
| # label: "provider-decentralized-k8s" | ||
| - flavor: "alpine" | ||
| flavorRelease: "3.19" | ||
| label: "provider-upgrade-k8s" | ||
| standard-upgrade-latest: | ||
| secrets: inherit | ||
| uses: ./.github/workflows/reusable-provider-upgrade-latest-test.yaml | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| family: ${{ matrix.family }} | ||
| release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release | ||
| needs: | ||
| - standard | ||
| - trivy-cache | ||
| strategy: | ||
| fail-fast: false | ||
| max-parallel: 2 | ||
| matrix: | ||
| include: | ||
| # cant do alpine yet as it hasnt been released with the proper name | ||
| # - flavor: "alpine" | ||
| # flavorRelease: "3.19" | ||
| - flavor: "opensuse" | ||
| flavorRelease: "leap-15.6" | ||
| family: "opensuse" | ||
| # releaseMatcher: "leap-15.5" | ||
| notify: | ||
| runs-on: ubuntu-latest | ||
| if: failure() | ||
| needs: | ||
| - trivy-cache | ||
| - core | ||
| - standard | ||
| - install | ||
| - install-target | ||
| - install-secureboot | ||
| - zfs | ||
| - acceptance | ||
| - bundles | ||
| - reset | ||
| - netboot | ||
| - upgrade | ||
| - upgrade-latest | ||
| - encryption | ||
| - various | ||
| - standard-upgrade-latest | ||
| steps: | ||
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | ||
| - run: | | ||
| git fetch --prune --unshallow | ||
| - name: save commit-message | ||
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() | ||
| run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV | ||
| - name: notify if failure | ||
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() | ||
| uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 | ||
| env: | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | ||
| with: | ||
| payload: | | ||
| { | ||
| "blocks": [ | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "Job failure on master branch for job ${{ github.job }} in workflow \"${{ github.workflow }}\"\n\nCommit message is \"${{ env.COMMIT_MSG }}\"\n\n Commit sha is <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>" | ||
| } | ||
| }, | ||
| { | ||
| "type": "divider" | ||
| }, | ||
| { | ||
| "type": "actions", | ||
| "elements": [ | ||
| { | ||
| "type": "button", | ||
| "text": { | ||
| "type": "plain_text", | ||
| "text": ":thisisfine: Failed Run", | ||
| "emoji": true | ||
| }, | ||
| "url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||
| }, | ||
| { | ||
| "type": "button", | ||
| "text": { | ||
| "type": "plain_text", | ||
| "text": ":kairos: Repository link", | ||
| "emoji": true | ||
| }, | ||
| "url": "https://github.com/${{ github.repository }}" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
