mirror of
https://github.com/argoproj/argo-cd
synced 2026-04-21 17:07:16 +00:00
e3940cd2bf
* chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev>
114 lines
4.3 KiB
YAML
114 lines
4.3 KiB
YAML
name: Image
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
types: [ labeled, unlabeled, opened, synchronize, reopened ]
|
|
|
|
env:
|
|
GOLANG_VERSION: '1.18'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
publish:
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
GOPATH: /home/runner/work/argo-cd/argo-cd
|
|
steps:
|
|
- uses: actions/setup-go@v1
|
|
with:
|
|
go-version: ${{ env.GOLANG_VERSION }}
|
|
- uses: actions/checkout@master
|
|
with:
|
|
path: src/github.com/argoproj/argo-cd
|
|
|
|
# get image tag
|
|
- run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
|
|
working-directory: ./src/github.com/argoproj/argo-cd
|
|
id: image
|
|
|
|
# login
|
|
- run: |
|
|
docker login ghcr.io --username $USERNAME --password $PASSWORD
|
|
docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
|
|
if: github.event_name == 'push'
|
|
env:
|
|
USERNAME: ${{ secrets.USERNAME }}
|
|
PASSWORD: ${{ secrets.TOKEN }}
|
|
DOCKER_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
|
|
DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
|
|
|
|
# build
|
|
- uses: docker/setup-qemu-action@v1
|
|
- uses: docker/setup-buildx-action@v1
|
|
|
|
- name: Run non-container Snyk scans
|
|
if: github.event_name == 'push'
|
|
working-directory: ./src/github.com/argoproj/argo-cd
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
run: |
|
|
npm install -g snyk
|
|
|
|
./hack/snyk-non-container-tests.sh
|
|
- uses: github/codeql-action/upload-sarif@v1
|
|
if: github.event_name == 'push'
|
|
with:
|
|
category: Snyk code scan
|
|
sarif_file: /tmp/argocd-test.sarif
|
|
- uses: github/codeql-action/upload-sarif@v1
|
|
if: github.event_name == 'push'
|
|
with:
|
|
category: Snyk IaC scan for cluster install manifests
|
|
sarif_file: /tmp/argocd-iac-test-install.sarif
|
|
- uses: github/codeql-action/upload-sarif@v1
|
|
if: github.event_name == 'push'
|
|
with:
|
|
category: Snyk IaC scan for namespace install manifests
|
|
sarif_file: /tmp/argocd-iac-test-namespace-install.sarif
|
|
- run: |
|
|
IMAGE_PLATFORMS=linux/amd64
|
|
if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
|
|
then
|
|
IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
|
|
fi
|
|
echo "Building image for platforms: $IMAGE_PLATFORMS"
|
|
docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
|
|
-t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
|
|
-t quay.io/argoproj/argocd:latest .
|
|
working-directory: ./src/github.com/argoproj/argo-cd
|
|
|
|
- name: Run container Snyk scans
|
|
if: github.event_name == 'push'
|
|
working-directory: ./src/github.com/argoproj/argo-cd
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
run: |
|
|
make snyk-container-tests
|
|
- uses: github/codeql-action/upload-sarif@v1
|
|
if: github.event_name == 'push'
|
|
with:
|
|
category: Snyk scan for Argo CD image
|
|
sarif_file: /tmp/argocd-image.sarif
|
|
|
|
# deploy
|
|
- run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
|
|
if: github.event_name == 'push'
|
|
env:
|
|
TOKEN: ${{ secrets.TOKEN }}
|
|
- run: |
|
|
docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
|
|
git config --global user.email 'ci@argoproj.com'
|
|
git config --global user.name 'CI'
|
|
git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
|
|
if: github.event_name == 'push'
|
|
working-directory: argoproj-deployments/argocd
|
|
# TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811
|