Merge pull request #22 from weaveworks/updating-github-workflows
updating scan and release workflows
souleb committed Nov 14, 2023
2 parents cdcca54 + ec9f0b4 commit 6fedee3
Showing 2 changed files with 95 additions and 59 deletions.
66 changes: 66 additions & 0 deletions .github/workflows/release_v21.yaml
Expand Up @@ -424,6 +424,72 @@ jobs:
flux tag artifact oci://ghcr.io/weaveworks/flux-manifests:${{ steps.patch.outputs.version }} \
--tag $VERSION
save-images-digests:
runs-on: ubuntu-latest
needs: [nightly-tag, release-flux-cli, release-source-controller, release-kustomize-controller, release-helm-controller,
release-image-reflector-controller, release-image-automation-controller, release-notification-controller]
permissions:
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Kustomize
uses: fluxcd/pkg/actions/kustomize@main
- name: install stgit
shell: bash
run: |
sudo apt-get install -y stgit
git config --global user.name "Soule BA"
git config --global user.email "soule@weave.works"
- name: Clone and patch repo
id: patch
run: |
ln -s patches-flux-v21 patches-flux
rm -rf flux2 || true
source ./patches-flux/VERSION
if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION}
else
VERSION=${FLUX2_BASE_VERSION}-wa
fi
if [[ "${{ needs.nightly-tag.outputs.nightly }}" == "true" ]]; then
VERSION=${VERSION}-nightly.$(date +%y%m%d%H%M%S)
else
VERSION=${VERSION}.$(date +%y%m%d%H%M%S)
fi
bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/flux2.git" flux2 ${FLUX2_BASE_VERSION}
unlink patches-flux
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Login to GHCR
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: weave-ghcr-bot
password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
- name: Push manifests to GHCR
run: |
# add all images to the image_digests file
echo "SOURCE_CONTROLLER_IMAGE_DIGEST=${{ needs.release-source-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "KUSTOMIZE_CONTROLLER_IMAGE_DIGEST=${{ needs.release-kustomize-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "HELM_CONTROLLER_IMAGE_DIGEST=${{ needs.release-helm-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "IMAGE_REFLECTOR_CONTROLLER_IMAGE_DIGEST=${{ needs.release-image-reflector-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "IMAGE_AUTOMATION_CONTROLLER_IMAGE_DIGEST=${{ needs.release-image-automation-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "NOTIFICATION_CONTROLLER_IMAGE_DIGEST=${{ needs.release-notification-controller.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
echo "FLUX_CLI_IMAGE_DIGEST=${{ needs.release-flux-cli.outputs.image_digest }}" >> ./ghcr.io/flux-system/image_digests
oras push ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} image_digests
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }}
- name: Tag manifests
run: |
VERSION=${GITHUB_REF/refs\/tags\//}
oras tag artifact oci://ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} $VERSION
release-provenance:
needs: [release-flux-cli]
permissions:
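Review bot: The `Push manifests to GHCR` step appends every digest to `./ghcr.io/flux-system/image_digests`, but the following `oras push … image_digests` uploads a file named `image_digests` from the workspace root, so the artifact that then gets cosign-signed is either absent or whatever stale file already sits at that path. Use one path for both, and truncate it before the first write so a checked-in or left-over file is not appended to: `: > image_digests`, then `echo "SOURCE_CONTROLLER_IMAGE_DIGEST=…" >> image_digests` for each line, and `oras push ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} image_digests`. The `Tag manifests` step copies the `flux tag artifact oci://…` form from the step above, but as far as I know the oras CLI's `tag` subcommand takes `<ref> <new_tag>`, so it should read `oras tag ghcr.io/weaveworks/flux-images-digests:${{ steps.patch.outputs.version }} "$VERSION"`; no oras setup step is visible in this job either, so unless the runner image ships it both oras calls will fail. Finally, `fluxcd/pkg/actions/kustomize@main` is the one mutable action reference in a job that produces and signs release metadata — pin it to a commit SHA the way the login and cosign-installer steps already are.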
88 changes: 29 additions & 59 deletions .github/workflows/scan.yaml
Expand Up @@ -3,7 +3,7 @@ name: scan
on:
workflow_dispatch:
schedule:
- cron: '00 10 * * 3'
- cron: '55 15 * * 2'

permissions:
contents: read
Expand All @@ -30,51 +30,21 @@ jobs:
- name: Get image version
id: version
run: |
ln -s patches-flux-v21 patches-flux
source ./patches-flux/VERSION
if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
FLUX2_VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION}
else
FLUX2_VERSION=${FLUX2_BASE_VERSION}-wa
LATEST=$(curl -fsSL -H "Authorization: token ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}" https://api.github.com/repos/weaveworks/weave-assured-flux/releases/latest | grep tag_name | cut -d '"' -f 4)
if [[ -z "$LATEST" ]]; then
echo "Unable to determine Weave Assured Flux version"
exit 1
fi
if [[ "$SOURCE_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
SOURCE_CONTROLLER_VERSION=${SOURCE_CONTROLLER_BASE_VERSION}-${SOURCE_CONTROLLER_SUFFIX_VERSION}
else
SOURCE_CONTROLLER_VERSION=${SOURCE_CONTROLLER_BASE_VERSION}-wa
fi
if [[ "$KUSTOMIZE_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
KUSTOMIZE_CONTROLLER_VERSION=${KUSTOMIZE_CONTROLLER_BASE_VERSION}-${KUSTOMIZE_CONTROLLER_SUFFIX_VERSION}
else
KUSTOMIZE_CONTROLLER_VERSION=${KUSTOMIZE_CONTROLLER_BASE_VERSION}-wa
fi
if [[ "$HELM_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
HELM_CONTROLLER_VERSION=${HELM_CONTROLLER_BASE_VERSION}-${HELM_CONTROLLER_SUFFIX_VERSION}
else
HELM_CONTROLLER_VERSION=${HELM_CONTROLLER_BASE_VERSION}-wa
fi
if [[ "$NOTIFICATION_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
NOTIFICATION_CONTROLLER_VERSION=${NOTIFICATION_CONTROLLER_BASE_VERSION}-${NOTIFICATION_CONTROLLER_SUFFIX_VERSION}
else
NOTIFICATION_CONTROLLER_VERSION=${NOTIFICATION_CONTROLLER_BASE_VERSION}-wa
fi
if [[ "$IMAGE_REFLECTOR_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
IMAGE_REFLECTOR_CONTROLLER_VERSION=${IMAGE_REFLECTOR_CONTROLLER_BASE_VERSION}-${IMAGE_REFLECTOR_CONTROLLER_SUFFIX_VERSION}
else
IMAGE_REFLECTOR_CONTROLLER_VERSION=${IMAGE_REFLECTOR_CONTROLLER_BASE_VERSION}-wa
fi
if [[ "$IMAGE_AUTOMATION_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
IMAGE_AUTOMATION_CONTROLLER_VERSION=${IMAGE_AUTOMATION_CONTROLLER_BASE_VERSION}-${IMAGE_AUTOMATION_CONTROLLER_SUFFIX_VERSION}
else
IMAGE_AUTOMATION_CONTROLLER_VERSION=${IMAGE_AUTOMATION_CONTROLLER_BASE_VERSION}-wa
fi
unlink patches-flux
echo "iac=${IMAGE_AUTOMATION_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "irc=${IMAGE_REFLECTOR_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "nc=${NOTIFICATION_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "hc=${HELM_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "kc=${KUSTOMIZE_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "sc=${SOURCE_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT
echo "flux2=${FLUX2_VERSION}" >> $GITHUB_OUTPUT
oras pull ghcr.io/weaveworks/flux-images-digests:$LATEST
source image_digests
echo "sc=${SOURCE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "kc=${KUSTOMIZE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "hc=${HELM_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "nc=${NOTIFICATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "irc=${IMAGE_REFLECTOR_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "iac=${IMAGE_AUTOMATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "flux2=${FLUX_CLI_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
scan-trivy:
runs-on: ubuntu-latest
Expand All @@ -83,7 +53,7 @@ jobs:
- name: Scan source-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/source-controller:${{ needs.get-image-version.outputs.sc }}'
image-ref: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -92,7 +62,7 @@ jobs:
- name: Scan kustomize-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/kustomize-controller:${{ needs.get-image-version.outputs.kc }}'
image-ref: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -101,7 +71,7 @@ jobs:
- name: Scan helm-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/helm-controller:${{ needs.get-image-version.outputs.hc }}'
image-ref: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -110,7 +80,7 @@ jobs:
- name: Scan notification-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/notification-controller:${{ needs.get-image-version.outputs.nc }}'
image-ref: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -119,7 +89,7 @@ jobs:
- name: Scan image-reflector-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/image-reflector-controller:${{ needs.get-image-version.outputs.irc }}'
image-ref: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -128,7 +98,7 @@ jobs:
- name: Scan image-automation-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/image-automation-controller:${{ needs.get-image-version.outputs.iac }}'
image-ref: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -137,7 +107,7 @@ jobs:
- name: Scan flux2 image Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/flux-cli:${{ needs.get-image-version.outputs.flux2 }}'
image-ref: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -158,48 +128,48 @@ jobs:
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/source-controller:${{ needs.get-image-version.outputs.sc }}'
image: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
only-severities: critical,high
exit-code: true
- name: Scan kustomize-controller image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/kustomize-controller:${{ needs.get-image-version.outputs.kc }}'
image: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
only-severities: critical,high
exit-code: true
- name: Scan helm-controller image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/helm-controller:${{ needs.get-image-version.outputs.hc }}'
image: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
only-severities: critical,high
exit-code: true
- name: Scan notification-controller image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/notification-controller:${{ needs.get-image-version.outputs.nc }}'
image: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
only-severities: critical,high
exit-code: true
- name: Scan image-reflector-controller image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/image-reflector-controller:${{ needs.get-image-version.outputs.irc }}'
image: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
only-severities: critical,high
exit-code: true
- name: Scan image-automation-controller image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/image-automation-controller:${{ needs.get-image-version.outputs.iac }}'
image: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
only-severities: critical,high
exit-code: true
- name: Scan flux2 image
uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
with:
command: cves
image: 'ghcr.io/weaveworks/flux-cli:${{ needs.get-image-version.outputs.flux2 }}'
image: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
only-severities: critical,high
exit-code: true
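Review bot: `source image_digests` in the `Get image version` step executes whatever shell the artifact pulled from the mutable `flux-images-digests:$LATEST` tag contains, and nothing in the hunk checks the cosign signature that release_v21.yaml attaches to that artifact, so the scan's inputs are trusted on the strength of registry write access alone. Verify before pulling and read the digests with a pattern match instead of executing the file, as sketched below (the expected signer identity is a placeholder to fill in from the release workflow's OIDC identity); the job's earlier steps start outside the hunk, so cosign may need installing here as well. The `curl` lookup of the latest release authenticates with `secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN`; if the releases of this repository are public, `${{ github.token }}` with the `contents: read` already granted at the top of the file is enough and keeps the bot PAT out of this job. Switching the scanner `image-ref`/`image` values from `:tag` to `@digest` is the right move — it makes the scan result attributable to exactly the signed set of images.
```yaml
      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
      - name: Get image version
        id: version
        run: |
          # … unchanged: LATEST lookup and empty check …
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '<EXPECTED_SIGNER_IDENTITY_REGEXP>' \
            ghcr.io/weaveworks/flux-images-digests:$LATEST
          oras pull ghcr.io/weaveworks/flux-images-digests:$LATEST
          # read each value with a pattern match instead of sourcing the file
          sc=$(grep -E '^SOURCE_CONTROLLER_IMAGE_DIGEST=sha256:[0-9a-f]{64}$' image_digests | cut -d= -f2)
          echo "sc=${sc}" >> "$GITHUB_OUTPUT"
          # … same for kc, hc, nc, irc, iac and flux2 …
```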
