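# CI workflow for pushes to `main`: builds and tests KEDA, publishes the
# multi-arch images to GHCR, signs them, then fans out to e2e/smoke-test
# and Trivy-scan jobs that reuse the repository's template workflows.
#
# Every third-party action is pinned to a full commit SHA (the trailing
# comment records the tag it corresponds to) so that a moved tag cannot
# silently change what runs in this job.
name: main-build
on:
  push:
    branches:
      - main
# Workflow-level default: read-only token. Jobs that need more opt in below.
permissions:
  contents: read
jobs:
  build:
    name: build
    runs-on: ARM64
    permissions:
      contents: read
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
    # keda-tools is built from github.com/test-tools/tools/Dockerfile
    container: ghcr.io/kedacore/keda-tools:1.23.3
    steps:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # Shallow clone; the build does not need history.
          fetch-depth: 1
      # Git refuses to operate on a checkout owned by a different uid (as
      # happens inside the job container) unless the path is marked safe.
      - name: Register workspace path
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      # Resolve the Go cache directories once so both cache steps below can
      # reference them via `steps.go-paths.outputs.*`.
      - id: go-paths
        run: |
          echo "mod_cache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
          echo "build_cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go modules cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ${{ steps.go-paths.outputs.mod_cache }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Go build cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ${{ steps.go-paths.outputs.build_cache }}
          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
      - name: Go modules sync
        run: go mod tidy -compat=1.23
      - name: Test
        run: make test
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          # Username used to log in to a Docker registry. If not set then no login will occur
          username: ${{ github.repository_owner }}
          # Password or personal access token used to log in to a Docker registry. If not set then no login will occur
          # NOTE(review): the job already holds `packages: write`, yet the push
          # authenticates with a long-lived PAT rather than GITHUB_TOKEN —
          # confirm the PAT is still required and scoped to this registry only.
          password: ${{ secrets.GH_AUTOMATION_PAT }}
          # Server address of Docker registry. If not set then will default to Docker Hub
          registry: ghcr.io
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
      - name: Publish on GitHub Container Registry
        run: make publish-multiarch
      # https://github.com/sigstore/cosign-installer
      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - name: Check Cosign install!
        run: cosign version
      - name: Sign KEDA images published on GitHub Container Registry
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: make sign-images
  # Downstream jobs only run once the images above have been published and signed.
  validate:
    needs: build
    uses: kedacore/keda/.github/workflows/template-main-e2e-test.yml@main
    secrets: inherit
  # NOTE(review): unlike `validate`, the two smoke-test jobs below pass no
  # secrets to the called workflow — confirm that is intentional.
  validate-arm64:
    needs: build
    uses: kedacore/keda/.github/workflows/template-arm64-smoke-tests.yml@main
  validate-k8s-versions:
    needs: build
    uses: kedacore/keda/.github/workflows/template-versions-smoke-tests.yml@main
  # Trivy scans: `security-events: write` lets the called workflow upload the
  # SARIF report to code scanning. `exit-code: 0` presumably keeps findings
  # from failing the job (they are reported, not enforced) — the template
  # defines the exact semantics.
  trivy-scan:
    needs: build
    permissions:
      contents: read
      security-events: write
    uses: kedacore/keda/.github/workflows/template-trivy-scan.yml@main
    with:
      runs-on: ubuntu-latest
      scan-type: "fs"
      format: "sarif"
      exit-code: 0
      publish: true
  trivy-scan-metrics-server:
    needs: build
    permissions:
      contents: read
      security-events: write
    strategy:
      matrix:
        runner: [ARM64, ubuntu-latest]
    uses: kedacore/keda/.github/workflows/template-trivy-scan.yml@main
    with:
      runs-on: ${{ matrix.runner }}
      scan-type: "image"
      image-ref: ghcr.io/kedacore/keda-metrics-apiserver:main
      format: "sarif"
      exit-code: 0
      publish: true
  trivy-scan-keda:
    needs: build
    permissions:
      contents: read
      security-events: write
    strategy:
      matrix:
        runner: [ARM64, ubuntu-latest]
    uses: kedacore/keda/.github/workflows/template-trivy-scan.yml@main
    with:
      runs-on: ${{ matrix.runner }}
      scan-type: "image"
      image-ref: ghcr.io/kedacore/keda:main
      format: "sarif"
      exit-code: 0
      publish: true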