Run all the example pipelines #2109
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
push: | |
branches: | |
- main | |
workflow_dispatch: {} | |
permissions: | |
contents: read | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: mfinelli/setup-shfmt@031e887e39d899d773a7e9b6dd6472c2c23ff50d # v3.0.1 | |
- name: Lint all | |
run: make lint | |
setup: | |
runs-on: ubuntu-latest | |
needs: | |
lint | |
name: Test FRSCA Installation | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "~1.21.0" | |
- name: Vendor Dependencies | |
run: | | |
./platform/vendor/vendor.sh | |
./platform/vendor/vendor-helm-all.sh | |
- name: Check commit is clean | |
run: test -z "$(git status --porcelain)" || (git status; git diff; false) | |
- name: Start minikube | |
run: | | |
make setup-minikube | |
- name: Try the cluster ! | |
run: kubectl get pods -A | |
- name: Initialize FRSCA | |
run: | | |
make setup-frsca | |
- name: Run buildpacks pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-buildpacks -n example-buildpacks- | |
# tail PipelineRun logs | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
echo "TASK_RUN=${TASK_RUN}" | |
echo "IMAGE_URL=${IMAGE_URL}" | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]' | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl delete pr --all -A | |
- name: Run sample pipeline to test kyverno | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-sample-pipeline -n example-sample-pipeline- | |
# tail PipelineRun logs | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
echo "TASK_RUN=${TASK_RUN}" | |
echo "IMAGE_URL=${IMAGE_URL}" | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod | |
kubectl delete pr --all -A | |
- name: Run go pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-golang-pipeline -n example-golang- | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl delete pr --all -A | |
- name: Run IBM tutorial pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-ibm-tutorial -n example-ibm-tutorial- | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl delete pr --all -A | |
- name: Run gradle pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-gradle-pipeline -n example-gradle- | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl delete pr --all -A | |
- name: Run maven pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-maven -n example-maven- | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
kubectl delete pr --all -A | |
- name: Run cosign pipeline | |
run: | | |
./platform/wait-for-pipelinerun.sh -m example-cosign -n ko-pipelinerun- | |
tkn pr logs --last -f | |
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
tkn pr describe --last | |
exit 1 | |
fi | |
sleep 60 | |
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
echo "TASK_RUNS=${TASK_RUNS[@]}" | |
TASK_RUN="none"; IMAGE_URL="none" | |
for tr in "${TASK_RUNS[@]}"; do | |
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
if [ -n "${image}" ]; then | |
TASK_RUN="${tr}" | |
IMAGE_URL="${image}" | |
break | |
fi | |
done | |
if [ "${REGISTRY}" = "registry.registry" ]; then | |
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
fi | |
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
kubectl delete pr --all -A |