CRT: suppress GO-2022-0635 #3011
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches-ignore: | |
- 'docs/**' | |
workflow_dispatch: | |
inputs: | |
version: | |
description: "Version to build, e.g. 0.1.0" | |
type: string | |
required: false | |
env: | |
PKG_NAME: "vault-secrets-operator" | |
# used by scripts that fetch build tools from GH | |
GH_GET_RETRIES: 5 | |
jobs: | |
get-product-version: | |
runs-on: ubuntu-latest | |
outputs: | |
product-version: ${{ steps.get-product-version.outputs.product-version }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: get product version | |
id: get-product-version | |
run: | | |
VERSION="${{ github.event.inputs.version || '0.0.0-dev' }}" | |
echo "Using version ${VERSION}" | |
echo "product-version=${VERSION}" >> $GITHUB_OUTPUT | |
build-pre-checks: | |
runs-on: ubuntu-latest | |
needs: get-product-version | |
outputs: | |
go-version: ${{ steps.setup-go.outputs.go-version }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- id: setup-go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: .go-version | |
- name: go mod download all | |
run: | | |
# download all dependencies to warm up the module cache | |
# make sure to run go mod tidy after this since the go.sum file will be updated | |
go mod download all | |
- name: go mod tidy | |
run: | | |
go mod tidy | |
test -z "$(git status --porcelain)" | |
- name: go fmt | |
run: | | |
make check-fmt | |
- name: tf fmt | |
run: | | |
make check-tffmt | |
- name: check versions | |
run: | | |
make check-versions VERSION=${{ needs.get-product-version.outputs.product-version }} | |
- name: generate manifests | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
make generate manifests | |
if [ -n "$(git status --porcelain)" ]; then | |
echo "Generated manifests are out of date. Please run 'make generate manifests' and commit the changes." | |
exit 1 | |
fi | |
- name: go vet | |
run: | | |
make vet | |
unit-tests: | |
runs-on: ubuntu-latest | |
needs: | |
- build-pre-checks | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: .go-version | |
- run: make ci-test | |
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
node-version: '20' | |
- run: npm install -g bats@${BATS_VERSION} | |
shell: bash | |
env: | |
BATS_VERSION: '1.10.0' | |
- run: bats -v | |
shell: bash | |
- run: make unit-test | |
generate-metadata-file: | |
needs: get-product-version | |
runs-on: ubuntu-latest | |
outputs: | |
filepath: ${{ steps.generate-metadata-file.outputs.filepath }} | |
steps: | |
- name: Checkout directory | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Generate metadata file | |
id: generate-metadata-file | |
uses: hashicorp/actions-generate-metadata@v1 | |
with: | |
version: ${{ needs.get-product-version.outputs.product-version }} | |
product: ${{ env.PKG_NAME }} | |
repositoryOwner: "hashicorp" | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: metadata.json | |
path: ${{ steps.generate-metadata-file.outputs.filepath }} | |
build: | |
name: Go ${{ needs.build-pre-checks.outputs.go-version }} linux ${{ matrix.arch }} build | |
needs: | |
- get-product-version | |
- build-pre-checks | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
arch: ["arm64", "amd64"] | |
fail-fast: true | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: .go-version | |
- name: Build binary | |
id: build-binary | |
env: | |
GOOS: "linux" | |
GOARCH: ${{ matrix.arch }} | |
VERSION: ${{ needs.get-product-version.outputs.product-version }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
shell: bash | |
run: | | |
BUILD_DIR=dist | |
make ci-build BUILD_DIR="${BUILD_DIR}" | |
OUT_DIR="${BUILD_DIR}/out" | |
mkdir -p "${OUT_DIR}" | |
cp -a LICENSE "${BUILD_DIR}/LICENSE.txt" | |
ZIP_FILE="${OUT_DIR}/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip" | |
zip -r -j "${ZIP_FILE}" dist/${{ env.GOOS }}/${{ env.GOARCH }}/${{ env.PKG_NAME }} ${BUILD_DIR}/LICENSE.txt | |
echo "path=${ZIP_FILE}" >> $GITHUB_OUTPUT | |
echo "name=$(basename ${ZIP_FILE})" >> $GITHUB_OUTPUT | |
- name: Upload binary | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: ${{ steps.build-binary.outputs.name }} | |
path: ${{ steps.build-binary.outputs.path }} | |
build-docker: | |
name: Docker ${{ matrix.arch }} build | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
arch: ["arm64", "amd64"] | |
env: | |
repo: ${{github.event.repository.name}} | |
version: ${{needs.get-product-version.outputs.product-version}} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup scripts directory | |
shell: bash | |
run: | | |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}" | |
- name: Docker Build (Action) | |
uses: hashicorp/actions-docker-build@v2 | |
env: | |
VERSION: ${{ needs.get-product-version.outputs.product-version }} | |
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }} | |
with: | |
version: ${{env.version}} | |
target: release-default | |
arch: ${{matrix.arch}} | |
tags: | | |
docker.io/hashicorp/${{env.repo}}:${{env.version}} | |
public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}} | |
- name: Check binary version in container | |
shell: bash | |
run: | | |
version_output=$(docker run hashicorp/${{env.repo}}:${{env.version}} --version --output=json) | |
echo $version_output | |
git_version=$(echo $version_output | jq -r .gitVersion) | |
if [ "$git_version" != "${{ env.version }}" ]; then | |
echo "$gitVersion expected to be ${{ env.version }}" | |
exit 1 | |
fi | |
build-docker-ubi: | |
name: UBI ${{ matrix.arch }} build | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
arch: ["arm64", "amd64"] | |
env: | |
repo: ${{github.event.repository.name}} | |
version: ${{needs.get-product-version.outputs.product-version}} | |
image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup scripts directory | |
shell: bash | |
run: | | |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}" | |
- name: Docker Build (Action) | |
uses: hashicorp/actions-docker-build@v2 | |
env: | |
VERSION: ${{ needs.get-product-version.outputs.product-version }} | |
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }} | |
with: | |
version: ${{env.version}} | |
target: release-ubi | |
arch: ${{matrix.arch}} | |
tags: | | |
docker.io/hashicorp/${{env.repo}}:${{env.image_tag}} | |
public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}} | |
- name: Check binary version in container | |
shell: bash | |
run: | | |
version_output=$(docker run hashicorp/${{env.repo}}:${{env.image_tag}} --version --output=json) | |
echo $version_output | |
git_version=$(echo $version_output | jq -r .gitVersion) | |
if [ "$git_version" != "${{ env.version }}" ]; then | |
echo "$gitVersion expected to be ${{ env.version }}" | |
exit 1 | |
fi | |
build-docker-ubi-redhat: | |
name: UBI ${{ matrix.arch }} RedHat build | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
# Building only amd64 for the RedHat registry for now | |
arch: ["amd64"] | |
env: | |
repo: ${{github.event.repository.name}} | |
version: ${{needs.get-product-version.outputs.product-version}} | |
image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup scripts directory | |
shell: bash | |
run: | | |
make ci-build-scripts-dir GOARCH="${{ matrix.arch }}" | |
- name: Docker Build (Action) | |
uses: hashicorp/actions-docker-build@v2 | |
env: | |
VERSION: ${{ needs.get-product-version.outputs.product-version }} | |
GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }} | |
with: | |
version: ${{env.version}} | |
target: release-ubi-redhat | |
arch: ${{matrix.arch}} | |
# The quay id here corresponds to the project id on RedHat's portal | |
redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} | |
- name: Check binary version in container | |
shell: bash | |
run: | | |
version_output=$(docker run quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} --version --output=json) | |
echo $version_output | |
git_version=$(echo $version_output | jq -r .gitVersion) | |
if [ "$git_version" != "${{ env.version }}" ]; then | |
echo "$gitVersion expected to be ${{ env.version }}" | |
exit 1 | |
fi | |
chart-upgrade-tests: | |
runs-on: ubuntu-latest | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build-docker | |
strategy: | |
fail-fast: false | |
matrix: | |
# Test upgrading from the previous version to the current build. | |
# This list should be updated with each new release. | |
# We probably only want to maintain the last 5-6 versions. | |
start-chart-version: | |
- "0.2.0" | |
- "0.3.1" | |
- "0.4.0" | |
- "0.5.0" | |
- "0.6.0" | |
- "0.7.1" | |
- "0.8.0" | |
- "0.9.0" | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
- name: Load docker image | |
shell: bash | |
run: | | |
docker load --input ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
- name: Install kind | |
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
with: | |
version: "v0.25.0" | |
install_only: true | |
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
id: setup-helm | |
with: | |
version: "v3.15.1" | |
- name: Add repo | |
shell: bash | |
run: | | |
helm repo add hashicorp https://helm.releases.hashicorp.com | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: .go-version | |
- name: Run tests | |
shell: bash | |
run: | | |
export TEST_START_CHART_VERSION="${{ matrix.start-chart-version }}" | |
make integration-test-chart VERSION="${{ needs.get-product-version.outputs.product-version }}" | |
versions: | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "setting versions" | |
outputs: | |
# JSON encoded array of k8s versions | |
K8S_VERSIONS: '["1.31.2", "1.30.6", "1.29.10", "1.28.15", "1.27.16"]' | |
VAULT_N: "1.18.2" | |
VAULT_N_1: "1.17.9" | |
VAULT_N_2: "1.16.13" | |
oom-tests: | |
runs-on: ubuntu-latest | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build-docker | |
- versions | |
strategy: | |
fail-fast: false | |
matrix: | |
k8s-version: ${{ fromJson(needs.versions.outputs.K8S_VERSIONS) }} | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
- name: Load docker image | |
shell: bash | |
run: | | |
docker load --input ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
- name: Install kind | |
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
with: | |
version: "v0.25.0" | |
install_only: true | |
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
id: setup-helm | |
with: | |
version: "v3.15.1" | |
- name: Add repo | |
shell: bash | |
run: | | |
helm repo add hashicorp https://helm.releases.hashicorp.com | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: .go-version | |
- name: Run tests | |
shell: bash | |
run: | | |
make integration-test-oom KIND_K8S_VERSION="v${{ matrix.k8s-version }}" VERSION=${{ needs.get-product-version.outputs.product-version }} | |
latest-vault: | |
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.vault-enterprise }} | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build-docker | |
- versions | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
vault-version: | |
- ${{ needs.versions.outputs.VAULT_N }} | |
k8s-version: ${{ fromJson(needs.versions.outputs.K8S_VERSIONS) }} | |
installation-method: [helm, kustomize] | |
vault-enterprise: [true, false] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/integration-test | |
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} | |
with: | |
version: ${{ needs.get-product-version.outputs.product-version }} | |
k8s-version: ${{ matrix.k8s-version }} | |
vault-version: ${{ matrix.vault-version }} | |
vault-enterprise: ${{ matrix.vault-enterprise }} | |
installation-method: ${{ matrix.installation-method }} | |
operator-image-archive: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
vault-license-ci: ${{ secrets.VAULT_LICENSE_CI }} | |
hcp-organization-id: ${{ secrets.HCP_ORGANIZATION_ID }} | |
hcp-project-id: ${{ secrets.HCP_PROJECT_ID }} | |
hcp-client-id: ${{ secrets.HCP_CLIENT_ID }} | |
hcp-client-secret: ${{ secrets.HCP_CLIENT_SECRET }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
log-prefix: "latest-vault-" | |
latest-k8s: | |
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.vault-enterprise }} | |
runs-on: ubuntu-latest | |
needs: | |
- get-product-version | |
- build-pre-checks | |
- build-docker | |
- versions | |
strategy: | |
fail-fast: false | |
matrix: | |
vault-version: | |
- ${{ needs.versions.outputs.VAULT_N_1 }} | |
- ${{ needs.versions.outputs.VAULT_N_2 }} | |
k8s-version: | |
- ${{ fromJson(needs.versions.outputs.K8S_VERSIONS)[0] }} | |
installation-method: [kustomize] | |
vault-enterprise: [true] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/integration-test | |
name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} | |
with: | |
version: ${{ needs.get-product-version.outputs.product-version }} | |
k8s-version: ${{ matrix.k8s-version }} | |
vault-version: ${{ matrix.vault-version }} | |
vault-enterprise: ${{ matrix.vault-enterprise }} | |
installation-method: ${{ matrix.installation-method }} | |
operator-image-archive: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar | |
vault-license-ci: ${{ secrets.VAULT_LICENSE_CI }} | |
hcp-organization-id: ${{ secrets.HCP_ORGANIZATION_ID }} | |
hcp-project-id: ${{ secrets.HCP_PROJECT_ID }} | |
hcp-client-id: ${{ secrets.HCP_CLIENT_ID }} | |
hcp-client-secret: ${{ secrets.HCP_CLIENT_SECRET }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
log-prefix: "latest-k8s-" | |
# This job is used as a requirement for the repo's branch protection setup. | |
build-done: | |
runs-on: ubuntu-latest | |
if: always() | |
needs: | |
- build | |
- build-docker | |
- build-docker-ubi | |
- build-docker-ubi-redhat | |
- chart-upgrade-tests | |
- unit-tests | |
- latest-vault | |
- latest-k8s | |
- oom-tests | |
steps: | |
- name: cancelled | |
if: ${{ (contains(needs.*.result, 'cancelled')) }} | |
run: exit 2 | |
- name: passed | |
if: ${{ !(contains(needs.*.result, 'failure')) }} | |
run: exit 0 | |
- name: failed | |
if: ${{ contains(needs.*.result, 'failure') }} | |
run: exit 1 |