-
Notifications
You must be signed in to change notification settings - Fork 623
161 lines (157 loc) · 5.82 KB
/
control.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: CI
on:
workflow_dispatch:
inputs:
release:
description: "Use 'major' for incompatible changes, 'minor' for new features, and 'patch' for fixes or 'no_release' to trigger the pipeline without doing a release."
type: choice
options:
- "no_release"
- "major"
- "minor"
- "patch"
required: true
default: "no_release"
push:
branches: [ main]
tags: ["v*"]
pull_request:
types:
- opened
- synchronize
- reopened
- closed
repository_dispatch:
schedule:
# rebuild image every sunday
- cron: "0 0 * * 0"
# Grants rights to push to the Github container registry.
# The main workflow has to set the permissions.
permissions:
contents: read
packages: write
id-token: write
pull-requests: write
jobs:
# sets the release kind when it wasn't triggered by an workflow dispatch
# this prevents us from having to pass down all labels, event_name, etc
# to init.yml
adapt_release:
runs-on: ubuntu-latest
outputs:
kind: ${{ steps.kind.outputs.kind}}
steps:
- name: "Debug"
run: |
echo "${{ github.event_name }}"
echo "${{ github.event.pull_request.merged }}"
echo "${{ github.event.pull_request.labels }}"
- name: "set KIND = no_release"
run: echo "KIND=no_release" >> $GITHUB_ENV
- name: "override KIND = ${{ inputs.release }}"
if: github.event_name == 'workflow_dispatch'
run: echo "KIND=${{ inputs.release }}" >> $GITHUB_ENV
- name: "override KIND = major"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'major_release')
run: echo "KIND=major" >> $GITHUB_ENV
- name: "override KIND = minor"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'minor_release')
run: echo "KIND=minor" >> $GITHUB_ENV
- name: "override KIND = patch"
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'patch_release')
run: echo "KIND=patch" >> $GITHUB_ENV
- id: kind
run: |
echo "kind=${{ env.KIND }}">> "$GITHUB_OUTPUT"
init:
needs: [adapt_release]
uses: ./.github/workflows/init.yaml
with:
release: ${{ needs.adapt_release.outputs.kind }}
unittests:
name: unit-tests
uses: ./.github/workflows/tests.yml
build:
needs: [unittests]
uses: ./.github/workflows/build.yml
linting:
uses: ./.github/workflows/linting.yml
functional:
needs: [build]
uses: ./.github/workflows/functional.yaml
container:
needs: [build, init, functional]
uses: ./.github/workflows/push-container.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
cosign_key_opensight: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
cosign_password_opensight: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
greenbone_registry: ${{ vars.GREENBONE_REGISTRY }}
greenbone_registry_user: ${{ secrets.GREENBONE_REGISTRY_USER }}
greenbone_registry_token: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
mattermost_webhook_url: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version }}
container-testing:
name: container
needs: [init, build ]
uses: ./.github/workflows/push-container-testing.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version}}
container-oldstable:
name: container
needs: [init, build ]
uses: ./.github/workflows/push-container-oldstable.yml
secrets:
dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
with:
is_latest_tag: ${{needs.init.outputs.docker_build_is_latest}}
is_version_tag: ${{needs.init.outputs.docker_build_is_version}}
release:
permissions:
contents: write
# we release after container build so that we can release on a closed pr as we don't push the release container yet
# instead it is pushed after the tag is created.
#
# For now we just don't use it as a dependency for releases which may is counter intuitive
needs: [container, init]
if: ( needs.init.outputs.release_kind == 'major' || needs.init.outputs.release_kind == 'minor' || needs.init.outputs.release_kind == 'patch' )
uses: ./.github/workflows/release.yml
with:
new_version: ${{ needs.init.outputs.release_new_version }}
latest_version: ${{ needs.init.outputs.release_latest_version }}
release_kind: ${{ needs.init.outputs.release_kind }}
release_ref: ${{ needs.init.outputs.release_ref }}
project: ${{ needs.init.outputs.release_project }}
repository: ${{ github.repository }}
secrets:
token: ${{ secrets.GREENBONE_BOT_TOKEN }}
name: ${{ secrets.GREENBONE_BOT }}
email: ${{ secrets.GREENBONE_BOT_MAIL }}
gpg_key: ${{ secrets.GPG_KEY }}
gpg_pass: ${{ secrets.GPG_PASSPHRASE }}
smoketests:
if: github.event_name != 'pull_request'
needs: [container, init]
uses: ./.github/workflows/smoketest.yaml
with:
docker_repo: ${{ github.repository }}
docker_tag: ${{needs.init.outputs.docker_test_tag}}
helm:
permissions:
packages: write
needs: [smoketests]
if: vars.IMAGE_REGISTRY != ''
uses: ./.github/workflows/push-helm-chart.yml
secrets:
user: ${{ secrets.GREENBONE_BOT }}
token: ${{ secrets.GITHUB_TOKEN }}
with:
registry: ${{ vars.IMAGE_REGISTRY }}