Skip to content

Audit access policy implementation (#12846) #332

Audit access policy implementation (#12846)

Audit access policy implementation (#12846) #332

Workflow file for this run

name: Release
on:
push:
tags:
- "edge-*"
permissions:
contents: read
env:
GH_ANNOTATION: true
DOCKER_REGISTRY: ghcr.io/linkerd
K3D_VERSION: v5.4.4
LINKERD2_PROXY_REPO: ${{ vars.LINKERD2_PROXY_REPO }}
jobs:
# TODO(ver) We should stop relying so heavily on the environment,
# especially the TAG variable. And it would be great to stop relying
# on the root-tag script altogether.
tag:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- run: echo "tag=$(CI_FORCE_CLEAN=1 bin/root-tag)" >> "$GITHUB_OUTPUT"
id: tag
outputs:
tag: ${{ steps.tag.outputs.tag }}
docker_build:
name: Docker build
needs: [tag]
runs-on: ubuntu-22.04
permissions:
id-token: write # needed for signing the images with GitHub OIDC Token
strategy:
matrix:
component:
- cli-bin
- controller
- policy-controller
- debug
- jaeger-webhook
- metrics-api
- proxy
- tap
- web
# policy-controller docker builds have occasionally hit a 30-minute timeout.
timeout-minutes: 45
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Set tag
run: echo 'TAG=${{ needs.tag.outputs.tag }}' >> "$GITHUB_ENV"
- uses: ./.github/actions/docker-build
id: build
with:
docker-registry: ${{ env.DOCKER_REGISTRY }}
docker-target: multi-arch
docker-push: 1
docker-ghcr-username: ${{ secrets.DOCKER_GHCR_USERNAME }}
docker-ghcr-pat: ${{ secrets.DOCKER_GHCR_PAT }}
component: ${{ matrix.component }}
tag: ${{ needs.tag.outputs.tag }}
env:
LINKERD2_PROXY_GITHUB_TOKEN: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3
- run: cosign sign '${{ steps.build.outputs.digest }}'
env:
COSIGN_YES: true
- name: Create artifact with CLI
# windows_static_cli_tests below needs this because it can't create linux containers
# inside windows
if: matrix.component == 'cli-bin'
env:
ARCHIVES: /home/runner/archives
DOCKER_TARGET: windows
run: |
bin/docker-pull-binaries "$TAG"
mkdir -p "$ARCHIVES"
cp -r "$PWD/target/release/linkerd2-cli-$TAG-windows.exe" "$ARCHIVES/linkerd-windows.exe"
# `with.path` values do not support environment variables yet, so an
# absolute path is used here.
# https://github.com/actions/upload-artifact/issues/8
- name: Upload artifact
if: matrix.component == 'cli-bin'
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
with:
name: image-archives-cli
path: /home/runner/archives
windows_static_cli_tests:
name: Static CLI tests (windows)
timeout-minutes: 30
runs-on: windows-latest
needs: [docker_build]
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
with:
go-version: "1.22"
- name: Download image archives
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: image-archives-cli
path: image-archives
- name: Run CLI Integration tests
run: go test --failfast --mod=readonly ".\test\cli" --linkerd="$PWD\image-archives\linkerd-windows.exe" --cli-tests -v
integration_tests:
name: Integration tests
needs: [tag, docker_build]
strategy:
matrix:
integration_test:
- cluster-domain
- cni-calico-deep
- deep
- viz
- default-policy-deny
- external
- rsa-ca
- helm-upgrade
- uninstall
- upgrade-edge
timeout-minutes: 60
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
with:
go-version: "1.22"
- name: Set environment variables from scripts
run: |
TAG='${{ needs.tag.outputs.tag }}'
CMD="$PWD/target/release/linkerd2-cli-$TAG-linux-amd64"
echo "CMD=$CMD" >> "$GITHUB_ENV"
echo "TAG=$TAG" >> "$GITHUB_ENV"
- name: Run integration tests
env:
LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
run: |
bin/docker-pull-binaries "$TAG"
# Validate the CLI version matches the current build tag.
[[ "$TAG" == "$($CMD version --short --client)" ]]
bin/tests --images preload --name ${{ matrix.integration_test }} "$CMD"
choco_pack:
# only runs for stable tags. The conditionals are at each step level instead of the job level
# otherwise the jobs below that depend on this one won't run
name: Pack Chocolatey release
timeout-minutes: 30
needs: [integration_tests]
runs-on: windows-2019
steps:
- name: Checkout code
if: startsWith(github.ref, 'refs/tags/stable')
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Chocolatey - update nuspec
if: startsWith(github.ref, 'refs/tags/stable')
run: |
$LINKERD_VERSION=$env:GITHUB_REF.Substring(17)
(Get-Content bin\win\linkerd.nuspec).replace('LINKERD_VERSION', "$LINKERD_VERSION") | Set-Content bin\win\linkerd.nuspec
- name: Chocolatey - pack
if: startsWith(github.ref, 'refs/tags/stable')
uses: crazy-max/ghaction-chocolatey@0e015857dd851f84fcb7fb53380eb5c4c8202333
with:
args: pack bin/win/linkerd.nuspec
- name: Chocolatey - upload package
if: startsWith(github.ref, 'refs/tags/stable')
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
with:
name: choco
path: ./linkerd.*.nupkg
gh_release:
name: Create GH release
needs:
- tag
- integration_tests
# TODO(ver) choco packages are not produced for edge releases...
# - choco_pack
timeout-minutes: 30
runs-on: ubuntu-22.04
permissions:
contents: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
# - name: Download choco package
# if: startsWith(github.ref, 'refs/tags/stable')
# uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
# with:
# name: choco
# path: choco
- name: Pull CLI binaries
run: DOCKER_TARGET=multi-arch bin/docker-pull-binaries '${{ needs.tag.outputs.tag }}'
# v=${TAG#"stable-"}
# mv choco/linkerd.*.nupkg "target/release/linkerd2-cli-stable-$v.nupkg" || true
- name: Create release
id: create_release
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191
with:
name: "${{ needs.tag.outputs.tag }}"
generate_release_notes: true
draft: false
prerelease: false
files: |
./target/release/linkerd2-cli-*-darwin*
./target/release/linkerd2-cli-*-linux-*
./target/release/linkerd2-cli-*-windows.*
./target/release/linkerd2-cli-*.nupkg
website_publish:
name: Linkerd website publish
needs: [gh_release]
if: startsWith(github.ref, 'refs/tags/stable') || startsWith(github.ref, 'refs/tags/edge')
timeout-minutes: 30
runs-on: ubuntu-22.04
permissions:
contents: write
steps:
- name: Create linkerd/website repository dispatch event
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0
with:
token: ${{ secrets.RELEASE_TOKEN }}
repository: linkerd/website
event-type: release
website_publish_check:
name: Linkerd website publish check
needs: [tag, website_publish]
timeout-minutes: 30
if: startsWith(github.ref, 'refs/tags/stable') || startsWith(github.ref, 'refs/tags/edge')
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Set install target for stable
if: startsWith(github.ref, 'refs/tags/stable')
run: echo "INSTALL=install" >> "$GITHUB_ENV"
- name: Set install target for edge
if: startsWith(github.ref, 'refs/tags/edge')
run: echo "INSTALL=install-edge" >> "$GITHUB_ENV"
- name: Check published version
shell: bash
run: |
TAG='${{ needs.tag.outputs.tag }}'
until RES=$(bin/scurl "https://run.linkerd.io/$INSTALL" | grep "LINKERD2_VERSION=\${LINKERD2_VERSION:-$TAG}") \
|| (( count++ >= 10 ))
do
sleep 30
done
if [[ -z "$RES" ]]; then
echo "::error::The version '$TAG' was NOT found published in the website"
exit 1
fi
chart_deploy:
name: Helm chart deploy
needs: [gh_release]
timeout-minutes: 30
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Log into GCP
uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa"
with:
credentials_json: ${{ secrets.LINKERD_SITE_TOKEN }}
- name: Edge Helm chart creation and upload
uses: ./.github/actions/helm-publish