ROX-21124: Move non-e2e testing OSCI jobs to GitHub Actions #41
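# Non-e2e build and test pipeline (the OSCI jobs moved to GitHub Actions in ROX-21124).
#
# Job graph, as declared by the `needs:` lists below:
#   pre-build-updater -> generate-genesis-dump -> generate-db-dump -> generate-scanner-db-bundle -> build-images
#                                              -> generate-scanner-bundle (also needs pre-build-scanner) -> build-images
#                                              -> diff-dumps, store-genesis-dump
#   pre-build-scanner -> unit-tests, db-integration-tests, generate-scanner-bundle
#   style-check has no dependencies.
#
# Build outputs travel between jobs as artifacts. Binaries are tarred before
# upload because the artifact round trip does not preserve file permissions.
# upload-artifact and download-artifact are kept on the same major version;
# bump them together (v4 artifacts are not readable by the v3 downloader).
name: Build

on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - reopened
      - synchronize

# Least privilege for GITHUB_TOKEN: no step in this workflow writes to the
# repository (image pushes authenticate to quay.io with their own secrets).
# Widen per job if a called action turns out to need more.
permissions:
  contents: read

jobs:
  pre-build-updater:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so `make tag` can derive a version from git.
          fetch-depth: 0
          # On pull_request this builds the PR head commit rather than the
          # merge ref; on push the expression is empty and checkout falls
          # back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build updater
        run: make build-updater
      - name: Bundle the build to preserve permissions
        run: tar -cvzf updater-build.tgz bin/updater
      - uses: actions/upload-artifact@v3
        with:
          name: updater-build
          path: updater-build.tgz

  pre-build-scanner:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build Scanner
        run: make scanner-build-nodeps
      - name: Bundle the build to preserve permissions
        run: tar -cvzf scanner-build.tgz image/scanner/bin/scanner
      - uses: actions/upload-artifact@v3
        with:
          name: scanner-build
          path: scanner-build.tgz

  style-check:
    env:
      ARTIFACT_DIR: /artifacts
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Create artifacts dir
        run: mkdir -p "$ARTIFACT_DIR"
      - name: Run style checks
        run: ./scripts/ci/jobs/style-checks.sh

  unit-tests:
    env:
      ARTIFACT_DIR: /artifacts
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Create artifacts dir
        run: mkdir -p "$ARTIFACT_DIR"
      - uses: actions/download-artifact@v3
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run unit tests
        run: ./scripts/ci/jobs/unit-tests.sh

  db-integration-tests:
    env:
      ARTIFACT_DIR: /artifacts
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Create artifacts dir
        run: mkdir -p "$ARTIFACT_DIR"
      - uses: actions/download-artifact@v3
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run db integration tests
        run: ./scripts/ci/jobs/db-integration-tests.sh

  generate-genesis-dump:
    runs-on: ubuntu-latest
    needs:
      - pre-build-updater
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - name: genesis-dump
        # The NVD key is only needed by the dump generation itself, so it is
        # scoped to this step instead of the whole job.
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          source ./scripts/ci/lib.sh
          generate_genesis_dump
      - uses: actions/upload-artifact@v3
        with:
          name: genesis-dump
          path: /tmp/genesis-dump/genesis-dump.zip
      - uses: actions/upload-artifact@v3
        with:
          name: vuln-dump
          path: /tmp/vuln-dump

  generate-db-dump:
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - uses: actions/download-artifact@v3
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: db-dump
        run: |
          source ./scripts/ci/lib.sh
          generate_db_dump
      - uses: actions/upload-artifact@v3
        with:
          name: db-dump
          path: /tmp/postgres/pg-definitions.sql.gz

  generate-scanner-bundle:
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - uses: actions/download-artifact@v3
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      - name: Generate OSS notice
        run: make ossls-notice
      - name: Get genesis dump
        run: |
          source ./scripts/ci/lib.sh
          get_genesis_dump
      - name: Make bundle
        run: image/scanner/rhel/create-bundle.sh image/scanner image/scanner/rhel
      - name: Bundle the bundle to preserve permissions # TODO(DO NOT MERGE): word this better?
        run: tar -cvzf bundle.tgz image/scanner/rhel
      - uses: actions/upload-artifact@v3
        with:
          name: scanner-bundle
          path: bundle.tgz

  generate-scanner-db-bundle:
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: db-dump
          path: /tmp/postgres
      - name: Get db dump
        run: |
          source ./scripts/ci/lib.sh
          get_db_dump
      - name: Make db bundle
        run: image/db/rhel/create-bundle.sh image/db image/db/rhel
      # NOTE(review): unlike the scanner bundle this directory is uploaded
      # untarred, so file permissions are not preserved — confirm the db
      # image build does not rely on them.
      - uses: actions/upload-artifact@v3
        with:
          name: scanner-db-bundle
          path: image/db/rhel

  build-images:
    runs-on: ubuntu-latest
    needs:
      - generate-scanner-bundle
      - generate-scanner-db-bundle
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: scanner-bundle
      - name: Unpack bundle
        run: |
          tar xvzf bundle.tgz
      - uses: actions/download-artifact@v3
        with:
          name: scanner-db-bundle
          path: image/db/rhel
      - name: Build scanner image
        run: |
          docker build -t scanner:"$(make --quiet tag)" -f image/scanner/rhel/Dockerfile image/scanner/rhel
      - name: Build scanner-slim image
        run: |
          docker build -t scanner-slim:"$(make --quiet tag)" -f image/scanner/rhel/Dockerfile.slim image/scanner/rhel
      - name: Build scanner-db image
        run: |
          docker build -t scanner-db:"$(make --quiet tag)" -f image/db/rhel/Dockerfile image/db/rhel
      - name: Build scanner-db-slim image
        run: |
          docker build -t scanner-db-slim:"$(make --quiet tag)" -f image/db/rhel/Dockerfile.slim image/db/rhel
      # needed for docs ensure_image.sh initial pull with RHACS_BRANDING
      - name: Docker login
        # Skip for external contributions.
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        # Registry credentials are scoped to the two steps that use them
        # rather than the whole job, so the docker build steps above and
        # the checkout/preamble never have them in their environment.
        env:
          QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
          QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
        run: |
          docker login -u "${QUAY_RHACS_ENG_RO_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RO_PASSWORD}"
      - name: Push images
        # Skip for external contributions.
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        # push_image_set lives in scripts/ci/lib.sh; which of these it reads
        # is not visible here, so it receives the full set.
        env:
          QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
          QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
          QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
          QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
          QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
          QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
        run: |
          source ./scripts/ci/lib.sh
          push_image_set

  diff-dumps:
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v3
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - uses: actions/download-artifact@v3
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: diff-dumps
        # GCP credentials are only needed by the diff script, so they are
        # scoped to this step instead of the whole job.
        env:
          GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
          SCANNER_GCP_SERVICE_ACCOUNT_CREDS: ${{ secrets.SCANNER_GCP_SERVICE_ACCOUNT_CREDS }}
          GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
        run: ./scripts/ci/jobs/diff-dumps.sh

  # TODO(DO NOT MERGE): These store functions don't seem quite right
  store-genesis-dump:
    env:
      ARTIFACT_DIR: /artifacts
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Create artifacts dir
        run: mkdir -p "$ARTIFACT_DIR"
      - uses: actions/download-artifact@v3
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: store-genesis-dump
        run: |
          ./scripts/ci/jobs/store-genesis-dump.sh

  store-db-dump:
    env:
      ARTIFACT_DIR: /artifacts
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Create artifacts dir
        run: mkdir -p "$ARTIFACT_DIR"
      - uses: actions/download-artifact@v3
        with:
          name: db-dump
          path: /tmp/postgres
      - name: store-db-dump
        run: |
          ./scripts/ci/jobs/store-db-dump.sh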