ci: add missing permission to Trivy scan job (#4298) #9019
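# PR CI workflow for weave-gitops.
#
# Runs the JS/Go/static checks and builds the container images on every PR
# and push to main. Image and binary uploads are currently disabled (their
# publishing steps are commented out below); the JS library is still
# published to GitHub Packages from non-fork runs.
#
# Security notes for reviewers:
#   - every third-party action is pinned to a full commit SHA (the trailing
#     comment records the tag it was pinned from) so a moved tag cannot change
#     what runs;
#   - the default GITHUB_TOKEN is read-only (top-level `permissions:`); jobs
#     that need more request it in their own `permissions:` block;
#   - jobs that use secrets or write tokens are guarded so they never run on
#     pull requests from forks.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
# Least privilege for the whole workflow; jobs that need more (packages:write,
# id-token:write) opt in individually below.
permissions:
  contents: read # for actions/checkout to fetch code
env:
  CI_CONTAINER_REGISTRY: europe-west1-docker.pkg.dev
  CI_CONTAINER_REPOSITORY: europe-west1-docker.pkg.dev/weave-gitops-clusters/weave-gitops
name: PR CI Workflow
jobs:
  ci-js:
    name: CI Test JS
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [22.x]
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: Node modules cache
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        id: yarn-cache
        env:
          cache-name: cache-node-modules
        with:
          path: ~/.cache/yarn
          # Keyed on the lockfile so a dependency change invalidates the cache.
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-build-${{ env.cache-name }}-
            ${{ runner.os }}-build-
            ${{ runner.os }}-
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: ${{ matrix.node-version }}
      - run: make node_modules
      # NOTE(review): the step name mentions package-lock.json, but this job
      # uses yarn (the cache key above hashes yarn.lock). The `git diff`
      # fails the job if `make node_modules` changed any tracked file, i.e.
      # the committed lockfile/manifest are out of date.
      - name: Check that package.json & package-lock.json were updated in commit
        run: |
          echo "Using node.js "$(node --version)
          echo "Using Yarn "$(yarn --version)
          git diff --no-ext-diff --exit-code
      # ui-audit runs the dependency vulnerability audit before build/lint/test.
      - run: make ui-audit
      - run: make ui
      - run: make ui-lint
      - run: make ui-prettify-check
      - run: make ui-test
      - run: make ui-lib
  ci-go:
    name: CI Test Go
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: [1.23.X]
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ matrix.go-version }}
      - name: Setup Flux CLI
        # Pinned to a commit on fluxcd/flux2 `main` rather than a release tag;
        # bump the SHA deliberately when a newer Flux CLI is wanted.
        uses: fluxcd/flux2/action@709b17ce59d184427c1395bc70f496ba528d3bee # main
        with:
          # The token handed to the action is the read-only GITHUB_TOKEN
          # (presumably used for GitHub API access when fetching the CLI).
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: make unit-tests
      # lib-test is disabled: server core fails unless the ui-tests have just
      # been run. It is unclear whether this was always the case.
      # - run: make lib-test
  ci-static:
    name: CI Check Static Checks
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: [1.23.X]
        node-version: [22.x]
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ matrix.go-version }}
      - run: make check-format
      - run: make lint
      # Each generator below is re-run and the tree diffed, so a PR that
      # forgot to commit generated output fails here rather than at merge.
      - run: go mod tidy
      - name: Check that go mod tidy has been run
        run: git diff --no-ext-diff --exit-code
      - run: make proto
      - name: Check that make proto has been run
        run: git diff --no-ext-diff --exit-code
      - run: make fakes
      - name: Check that make fakes has been run
        run: git diff --no-ext-diff --exit-code
  ci-generate-tag:
    name: CI Generate Image Tag
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.generate-tag.outputs.tag }}
    steps:
      # Tag is `<unix-timestamp>-<commit-sha>`; github.sha is a hex string so
      # the expression expansion is shell-safe. Uses $GITHUB_OUTPUT instead of
      # the deprecated `::set-output` workflow command.
      - id: generate-tag
        run: echo "tag=$(date -u +%s)-${{ github.sha }}" >> "$GITHUB_OUTPUT"
  ci-build-gitops-image:
    name: CI Build Gitops Docker Image
    runs-on: ubuntu-latest
    needs: [ci-generate-tag]
    strategy:
      matrix:
        docker-image:
          - gitops
          - gitops-server
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - name: Set build-time flags
        run: |
          echo "LDFLAGS=$(make echo-ldflags)" >> $GITHUB_ENV
          echo "FLUX_VERSION=$(make echo-flux-version)" >> $GITHUB_ENV
      # The image is built and exported to a tarball only; nothing is pushed
      # from this job, so it is safe to run on fork PRs with a read-only token.
      - name: Build and export
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          tags: "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
          outputs: type=docker,dest=/tmp/${{ matrix.docker-image }}.tar
          file: ${{ matrix.docker-image }}.dockerfile
          build-args: |
            FLUX_VERSION=${{ env.FLUX_VERSION }}
            LDFLAGS=${{ env.LDFLAGS }}
            GIT_COMMIT=${{ github.sha }}
      - name: Load docker image
        run: docker load --input /tmp/${{ matrix.docker-image }}.tar
      # Handed to ci-upload-images via an artifact rather than rebuilt there.
      - name: Cache docker image
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: ${{ matrix.docker-image }}
          path: /tmp/${{ matrix.docker-image }}.tar
  ci-upload-images:
    name: CI Upload Images - Disabled
    runs-on: ubuntu-latest
    # Make sure we only upload images if tests etc have passed
    needs: [ci-go, ci-static, ci-js, ci-build-gitops-image, ci-generate-tag]
    permissions:
      contents: 'read'
      # id-token:write is only consumed by the (currently commented-out)
      # google-github-actions/auth workload-identity step below; it can be
      # dropped if that step is removed for good.
      id-token: 'write'
    # Never runs for pull requests, so fork contributors cannot reach the
    # registry credentials.
    if: github.event_name == 'push'
    strategy:
      matrix:
        docker-image:
          - gitops
          - gitops-server
    steps:
      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
      - name: Download cached docker image
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ matrix.docker-image }}
          path: /tmp
      # - name: Authenticate to Google Cloud
      #   id: gcloud-auth
      #   uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
      #   with:
      #     service_account: ${{ secrets.service_account }}
      #     workload_identity_provider: ${{ secrets.workload_identity_provider }}
      # - name: Login to gcloud for docker
      #   run: gcloud --quiet auth configure-docker ${{ env.CI_CONTAINER_REGISTRY }}
      # - name: Push images to gcloud
      #   run: |
      #     docker load --input /tmp/${{ matrix.docker-image }}.tar
      #     docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
  ci-upload-binary:
    name: Upload Binary - Disabled
    runs-on: ${{matrix.os}}
    needs: [ci-go, ci-static, ci-js, ci-build-gitops-image]
    strategy:
      matrix:
        os: [ubuntu-latest, macOS-latest]
    # Push-to-main only, for the same reason as ci-upload-images.
    if: github.event_name == 'push'
    steps:
      - name: Install Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.23.X
      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: Clean
        run: make clean
      # Short SHA for the artifact name; written via $GITHUB_OUTPUT instead of
      # the deprecated `::set-output` command.
      - id: gitsha
        run: |
          gitsha=$(git rev-parse --short ${{ github.sha }})
          echo "sha=$gitsha" >> "$GITHUB_OUTPUT"
      - name: build
        run: |
          make gitops
      # - name: publish to s3
      #   uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
      #   with:
      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     aws-region: us-east-2
      # - run: |
      #     aws s3 cp bin/gitops s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
      #     aws s3 cp s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}} s3://weave-gitops/gitops-${{matrix.os}}
  ci-publish-js-lib:
    name: Publish js library
    runs-on: ubuntu-latest
    # Load-bearing guard: this job checks out the PR head commit, runs `yarn`
    # (lifecycle scripts included) and `npm publish` with a packages:write
    # token, so it must never run on a fork PR. For push and workflow_dispatch
    # runs github.event.pull_request is absent and the condition is true.
    if: ${{ !github.event.pull_request.head.repo.fork }}
    needs: [ci-js]
    permissions:
      packages: write
    outputs:
      js-version: ${{ steps.package-version.outputs.js-version }}
    steps:
      - name: Checkout
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          # avoid the merge commit that on.pull_request creates
          # fallback to github.sha if not present (e.g. on.push(main))
          # https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
          # We want the correct sha so we can tag the npm package correctly
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Full history is required for `git describe` below to see tags.
          fetch-depth: 0
      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: "22.x"
          registry-url: "https://npm.pkg.github.com"
          scope: "@weaveworks"
      - run: yarn
      - run: make ui-lib
      # Rewrites dist/package.json with the version from `git describe` and the
      # "-main" package name. The version is passed to jq with --arg so it is
      # never spliced into the jq program as raw text.
      - name: Update package version
        id: package-version
        run: |
          GITOPS_VERSION=$(git describe)
          echo "js-version=$GITOPS_VERSION" >> "$GITHUB_OUTPUT"
          jq --arg v "$GITOPS_VERSION" '.version = $v | .name = "@weaveworks/weave-gitops-main"' < dist/package.json > dist/package-new.json
          mv dist/package-new.json dist/package.json
          cp .npmrc dist
      - run: cd dist && npm publish
        env:
          # Scoped GITHUB_TOKEN (packages:write from this job's permissions).
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # We only push images on merge so create a passing check if everything finished
  finish-ci-pr:
    name: PR CI Pipeline
    runs-on: ubuntu-latest
    needs:
      - ci-go
      - ci-static
      - ci-js
      - ci-build-gitops-image
    if: github.event_name != 'push'
    steps:
      - run: echo "All done"
  finish-ci-merge:
    # must match https://github.com/weaveworks/corp/blob/master/github-repo-weave-gitops.tf
    # Same check name as finish-ci-pr on purpose: branch protection requires
    # "PR CI Pipeline", and exactly one of the two jobs runs per event.
    name: PR CI Pipeline
    runs-on: ubuntu-latest
    needs:
      - ci-upload-images
      - ci-upload-binary
      - ci-publish-js-lib
    steps:
      - run: echo "All done"
  # release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context.
  release:
    # Fork PRs are excluded because repository secrets are not available to
    # them (the request would fail without the bot token anyway).
    if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') && !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    steps:
      - name: Release
        env:
          # Pass the PAT through the environment rather than expanding the
          # expression inside the shell script, so its value never becomes
          # part of the script text.
          # NOTE(review): GITHUB_TOKEN with `statuses: write` could set this
          # status without a long-lived PAT, unless branch protection requires
          # the status to come from the bot account — confirm before switching.
          BOT_TOKEN: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}
        run: |
          curl --fail --request POST \
            --url "https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
            --header "authorization: Bearer ${BOT_TOKEN}" \
            --header 'content-type: application/json' \
            --data '{
              "state":"success",
              "description":"release not required",
              "context":"release"
            }'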