diff --git a/.github/workflows/agent-build-test.yml b/.github/workflows/agent-build-test.yml new file mode 100644 index 0000000..7b03cf1 --- /dev/null +++ b/.github/workflows/agent-build-test.yml @@ -0,0 +1,38 @@ +name: Build Cluster Agent v1 +on: + pull_request: + branches: + - main + paths-ignore: + - 'v2/**' + - '.github/workflows/agentv2.yml' + - 'charts/ror-cluster-agent-v2/**' +env: + APP: agent + APP_PATH: cmd/agent +jobs: + build-app: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.23' + - name: Test + run: | + echo testing... + go get -t ./... + go vet ./... + go test -v ./... + - name: Build + run: | + echo building v1... + export SHA_SHORT=$(git rev-parse --short HEAD) + export LIB_VER=$(cat go.mod | grep "github.com/NorskHelsenett/ror " | cut -d' ' -f2) + go get ./... + CGO_ENABLED=0 go build -o dist/${{ env.APP }} -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Version=$ROR_VERSION -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Commit=$SHA_SHORT -X github.com/NorskHelsenett/ror/pkg/config/rorversion.LibVer=$LIB_VER" ${{ env.APP_PATH }}/main.go + env: + ROR_VERSION: v0.0.1-build diff --git a/.github/workflows/agent-release.yml b/.github/workflows/agent-release.yml new file mode 100644 index 0000000..a342743 --- /dev/null +++ b/.github/workflows/agent-release.yml @@ -0,0 +1,152 @@ +name: Release Cluster Agent v1 + +on: + push: + tags: ["v1", "v1.[0-9]+", "v1.[0-9]+.[0-9]+", "v1.[0-9]+.[0-9]+-*"] +env: + REGISTRY: ghcr.io + IMAGE_NAME: norskhelsenett/ror-cluster-agent + APP: ror-cluster-agent + APP_PATH: cmd/agent +jobs: + setenv: + permissions: + contents: read + runs-on: ubuntu-latest + outputs: + rorversion: ${{ steps.env.outputs.ROR_VERSION }} + shortsha: ${{ steps.env.outputs.SHA_SHORT }} + libver: ${{ steps.env.outputs.LIB_VER }} + steps: + - uses: actions/checkout@v3 + - id: env + name: Set env + run: | + echo "ROR_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + echo "LIB_VER=$(cat go.mod | grep 'github.com/NorskHelsenett/ror ' | cut -d' ' -f2)" >> "$GITHUB_OUTPUT" + build-app: + permissions: + contents: read + if: github.ref_type == 'tag' + runs-on: ubuntu-latest + needs: setenv + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.23' + - name: Start build + run: | + echo "Building ${{ env.APP }} ${{ needs.setenv.outputs.rorversion}} (${{ needs.setenv.outputs.shortsha}})" + - name: Build + run: | + go get ./... + mkdir -p dist/isbuilt + CGO_ENABLED=0 go build -o dist/${{ env.APP }} -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Version=${{ needs.setenv.outputs.rorversion}} -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Commit=${{ needs.setenv.outputs.shortsha}} -X github.com/NorskHelsenett/ror/pkg/config/rorversion.LibVer=${{ needs.setenv.outputs.libver}}" ${{ env.APP_PATH }}/main.go + touch dist/isbuilt/${{ env.APP }} + - name: Archive binary + uses: actions/upload-artifact@v4 + with: + name: binary-build + path: | + dist/${{ env.APP }} + dist/isbuilt/${{ env.APP }} + retention-days: 1 + build-container-image: + runs-on: ubuntu-latest + #if: ${{ ! startsWith(github.ref, 'refs/tags/') }} + needs: + - build-app + - setenv + permissions: + contents: read + packages: write + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Download binary build artifacts + uses: actions/download-artifact@v4 + - name: Check env + run: | + echo "Building container ${{ env.APP }} ${{ needs.setenv.outputs.rorversion}} (${{ needs.setenv.outputs.shortsha}})" + - name: Move artifacts + run: | + mv binary-build dist + chmod +x dist/${{ env.APP }} + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.2.4' + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=latest + type=raw,value=latestv1 + type=raw,value=${{ needs.setenv.outputs.rorversion }} + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + publish-helm: + permissions: + contents: read + packages: write + id-token: write + runs-on: ubuntu-latest + needs: + - build-container-image + - setenv + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Check env + run: | + echo "Building helm chart for ${{ env.APP }} ${{ needs.setenv.outputs.rorversion }} (${{ needs.setenv.outputs.shortsha}})" + - name: Install helm + uses: azure/setup-helm@v1 + with: + version: v3.15.0 + - name: install-yq + run: | + wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - | tar xz && mv ${BINARY} yq && chmod +x yq + env: + VERSION: v4.44.5 + BINARY: yq_linux_amd64 + - name: Build helm chart + run: | + export HELM_VERSION=${ROR_VERSION#v*} + ./yq e -i '.version = strenv(HELM_VERSION),.appVersion = strenv(ROR_VERSION)' charts/ror-cluster-agent-v1/Chart.yaml + ./yq e -i '.image.tag = strenv(ROR_VERSION),.image.repository = "ghcr.io/norskhelsenett/${{ env.APP }}"' charts/ror-cluster-agent-v1/values.yaml + helm package charts/ror-cluster-agent-v1 + echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} ${{ env.REGISTRY }} --password-stdin + helm push ${{ env.APP }}-${HELM_VERSION}.tgz oci://${{ env.REGISTRY }}/norskhelsenett/helm/ + env: + ROR_VERSION: ${{ needs.setenv.outputs.rorversion }} \ No newline at end of file diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml deleted file mode 100644 index d88a04f..0000000 --- a/.github/workflows/agent.yml +++ /dev/null @@ -1,195 +0,0 @@ -name: Build Cluster Agent v1 - -on: - push: - paths-ignore: - - 'v2/**' - - '.github/workflows/agentv2.yml' - - 'charts/ror-cluster-agent-v2/**' - # Publish semver tags as releases. - #tags: [ 'v*.*.*' ] - pull_request: - branches: - - main - - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - # test - IMAGE_NAME: norskhelsenett/ror-cluster-agent - GH_TOKEN: ${{ secrets.VARTOKEN }} - -jobs: - bump-version: - runs-on: ubuntu-latest - outputs: - ror_version: ${{ steps.set_version.outputs.ror_version }} - steps: - - uses: actions/checkout@v4 - - id: set_version - run: | - PREV_VERSION=$(gh variable get V1VERSION) - ROR_VERSION=$(echo $PREV_VERSION | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g') - echo "ror_version=$ROR_VERSION" >> "$GITHUB_OUTPUT" - gh variable set V1VERSION --body $ROR_VERSION - echo "version bumped from $PREV_VERSION to $ROR_VERSION" - build-app: - runs-on: ubuntu-latest - needs: bump-version - steps: - - uses: actions/checkout@v3 - - - name: Set up Go - uses: actions/setup-go@v4 - with: - go-version: '1.23' - - name: Cache Go modules - uses: actions/cache@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Build - run: | - echo $ROR_VERSION - go get ./... - mkdir -p dist/isbuilt - CGO_ENABLED=0 go build -o dist/agent -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror-agent/internal/config.version=$ROR_VERSION -X github.com/NorskHelsenett/ror-agent/internal/config.commit=$CI_COMMIT_SHORT_SHA" cmd/agent/main.go - touch dist/isbuilt/agent - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - - - name: Archive binary - uses: actions/upload-artifact@v4 - with: - name: binary-build - path: | - dist/agent - dist/isbuilt/agent - retention-days: 1 - - - build-container-image: - runs-on: ubuntu-latest - #if: ${{ ! startsWith(github.ref, 'refs/tags/') }} - needs: - - build-app - - bump-version - permissions: - contents: read - packages: write - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Download binary build artifacts - uses: actions/download-artifact@v4 - - - name: Move artifacts - run: | - mv binary-build dist - chmod +x dist/agent - - - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 - with: - cosign-release: 'v2.2.4' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=latest - type=raw,value=latestv1 - type=raw,value=${{ env.ROR_VERSION }} - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - publish-helm: - runs-on: ubuntu-latest - needs: - - bump-version - - build-container-image - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install helm - uses: azure/setup-helm@v1 - with: - version: v3.15.0 - - - name: install-yq - run: | - wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - | tar xz && mv ${BINARY} yq && chmod +x yq - env: - VERSION: v4.44.5 - BINARY: yq_linux_amd64 - - - name: Build helm chart - run: | - ./yq e -i '.version = strenv(ROR_VERSION),.appVersion = strenv(ROR_VERSION)' charts/ror-cluster-agent-v1/Chart.yaml - ./yq e -i '.image.tag = strenv(ROR_VERSION)' charts/ror-cluster-agent-v1/values.yaml - ./yq e -i '.image.repository = "ghcr.io/norskhelsenett/ror-cluster-agent"' charts/ror-cluster-agent-v1/values.yaml - helm package charts/ror-cluster-agent-v1 - echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} ${{ env.REGISTRY }} --password-stdin - helm push ror-cluster-agent-${ROR_VERSION}.tgz oci://${{ env.REGISTRY }}/norskhelsenett/helm/ - diff --git a/.github/workflows/agentv2-build-test.yml b/.github/workflows/agentv2-build-test.yml new file mode 100644 index 0000000..40c8a54 --- /dev/null +++ b/.github/workflows/agentv2-build-test.yml @@ -0,0 +1,41 @@ +name: Build and test Cluster Agent v2 +on: + pull_request: + branches: + - main + paths: + - v2/** + - .github/workflows/agentv2-build-test.yml + - 'charts/ror-cluster-agent-v2/**' +env: + APP: agent + APP_PATH: cmd/agent +jobs: + build-app: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.23' + - name: Test + run: | + echo testing... + cd v2 + go get -t ./... + go vet ./... + go test -v ./... + - name: Build + run: | + echo building v2... + cd v2 + export SHA_SHORT=$(git rev-parse --short HEAD) + export LIB_VER=$(cat go.mod | grep "github.com/NorskHelsenett/ror " | cut -d' ' -f2) + go get ./... + CGO_ENABLED=0 go build -o dist/${{ env.APP }} -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Version=$ROR_VERSION -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Commit=$SHA_SHORT -X github.com/NorskHelsenett/ror/pkg/config/rorversion.LibVer=$LIB_VER" ${{ env.APP_PATH }}/main.go + env: + ROR_VERSION: v0.0.1-build + diff --git a/.github/workflows/agentv2-release.yml b/.github/workflows/agentv2-release.yml new file mode 100644 index 0000000..17c2dd3 --- /dev/null +++ b/.github/workflows/agentv2-release.yml @@ -0,0 +1,152 @@ +name: Release Cluster Agent v2 + +on: + push: + tags: ["v2", "v2.[0-9]+", "v2.[0-9]+.[0-9]+", "v2.[0-9]+.[0-9]+-*"] +env: + REGISTRY: ghcr.io + IMAGE_NAME: norskhelsenett/ror-cluster-agent + APP: ror-cluster-agent + APP_PATH: cmd/agent +jobs: + setenv: + permissions: + contents: read + runs-on: ubuntu-latest + outputs: + rorversion: ${{ steps.env.outputs.ROR_VERSION }} + shortsha: ${{ steps.env.outputs.SHA_SHORT }} + libver: ${{ steps.env.outputs.LIB_VER }} + steps: + - uses: actions/checkout@v3 + - id: env + name: Set env + run: | + echo "ROR_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + echo "LIB_VER=$(cat go.mod | grep 'github.com/NorskHelsenett/ror ' | cut -d' ' -f2)" >> "$GITHUB_OUTPUT" + build-app: + permissions: + contents: read + if: github.ref_type == 'tag' + runs-on: ubuntu-latest + needs: setenv + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.23' + - name: Start build + run: | + echo "Building ${{ env.APP }} ${{ needs.setenv.outputs.rorversion}} (${{ needs.setenv.outputs.shortsha}})" + - name: Build + run: | + cd v2 + go get ./... + mkdir -p dist/isbuilt + CGO_ENABLED=0 go build -o dist/${{ env.APP }} -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Version=${{ needs.setenv.outputs.rorversion}} -X github.com/NorskHelsenett/ror/pkg/config/rorversion.Commit=${{ needs.setenv.outputs.shortsha}} -X github.com/NorskHelsenett/ror/pkg/config/rorversion.LibVer=${{ needs.setenv.outputs.libver}}" ${{ env.APP_PATH }}/main.go + touch dist/isbuilt/${{ env.APP }} + - name: Archive binary + uses: actions/upload-artifact@v4 + with: + name: binary-build + path: | + v2/dist/${{ env.APP }} + v2/dist/isbuilt/${{ env.APP }} + retention-days: 1 + build-container-image: + runs-on: ubuntu-latest + #if: ${{ ! startsWith(github.ref, 'refs/tags/') }} + needs: + - build-app + - setenv + permissions: + contents: read + packages: write + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Download binary build artifacts + uses: actions/download-artifact@v4 + - name: Check env + run: | + echo "Building container ${{ env.APP }} ${{ needs.setenv.outputs.rorversion}} (${{ needs.setenv.outputs.shortsha}})" + - name: Move artifacts + run: | + mv binary-build v2/dist + chmod +x v2/dist/${{ env.APP }} + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.2.4' + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=latestv2 + type=raw,value=${{ needs.setenv.outputs.rorversion }} + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: v2 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + publish-helm: + permissions: + contents: read + packages: write + id-token: write + runs-on: ubuntu-latest + needs: + - build-container-image + - setenv + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Check env + run: | + echo "Building helm chart for ${{ env.APP }} ${{ needs.setenv.outputs.rorversion }} (${{ needs.setenv.outputs.shortsha}})" + - name: Install helm + uses: azure/setup-helm@v1 + with: + version: v3.15.0 + - name: install-yq + run: | + wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - | tar xz && mv ${BINARY} yq && chmod +x yq + env: + VERSION: v4.44.5 + BINARY: yq_linux_amd64 + - name: Build helm chart + run: | + export HELM_VERSION=${ROR_VERSION#v*} + ./yq e -i '.version = strenv(HELM_VERSION),.appVersion = strenv(ROR_VERSION)' charts/ror-cluster-agent-v2/Chart.yaml + ./yq e -i '.image.tag = strenv(ROR_VERSION),.image.repository = "ghcr.io/norskhelsenett/${{ env.APP }}"' charts/ror-cluster-agent-v2/values.yaml + helm package charts/ror-cluster-agent-v2 + echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} ${{ env.REGISTRY }} --password-stdin + helm push ${{ env.APP }}-${HELM_VERSION}.tgz oci://${{ env.REGISTRY }}/norskhelsenett/helm/ + env: + ROR_VERSION: ${{ needs.setenv.outputs.rorversion }} \ No newline at end of file diff --git a/.github/workflows/agentv2.yml b/.github/workflows/agentv2.yml deleted file mode 100644 index 02fea82..0000000 --- a/.github/workflows/agentv2.yml +++ /dev/null @@ -1,193 +0,0 @@ -name: Build Cluster Agent v2 - -on: - push: - paths: - - v2/** - - .github/workflows/agentv2.yml - - 'charts/ror-cluster-agent-v2/**' - # Publish semver tags as releases. - #tags: [ 'v*.*.*' ] - pull_request: - branches: - - main - - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - # test - IMAGE_NAME: norskhelsenett/ror-cluster-agent - GH_TOKEN: ${{ secrets.VARTOKEN }} - -jobs: - - bump-version: - runs-on: ubuntu-latest - outputs: - ror_version: ${{ steps.set_version.outputs.ror_version }} - steps: - - uses: actions/checkout@v4 - - id: set_version - run: | - PREV_VERSION=$(gh variable get V2VERSION) - ROR_VERSION=$(echo $PREV_VERSION | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g') - echo "ror_version=$ROR_VERSION" >> "$GITHUB_OUTPUT" - gh variable set V2VERSION --body $ROR_VERSION - echo "version bumped from $PREV_VERSION to $ROR_VERSION" - build-app: - runs-on: ubuntu-latest - needs: bump-version - steps: - - uses: actions/checkout@v3 - - - name: Set up Go - uses: actions/setup-go@v4 - with: - go-version: '1.23' - - name: Cache Go modules - uses: actions/cache@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Build - run: | - echo $ROR_VERSION - cd v2 - go get ./... - mkdir -p dist/isbuilt - CGO_ENABLED=0 go build -o dist/agent -ldflags "-w -extldflags '-static' -X github.com/NorskHelsenett/ror-agent/v2/internal/agentconfig.version=$ROR_VERSION -X github.com/NorskHelsenett/ror-agent/v2/internal/agentconfig.commit=$CI_COMMIT_SHORT_SHA" cmd/agent/main.go - touch dist/isbuilt/agentv2 - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - - name: Archive binary - uses: actions/upload-artifact@v4 - with: - name: binary-build - path: | - v2/dist/agent - v2/dist/isbuilt/agentv2 - retention-days: 1 - - - build-container-image: - runs-on: ubuntu-latest - #if: ${{ ! startsWith(github.ref, 'refs/tags/') }} - needs: - - build-app - - bump-version - permissions: - contents: read - packages: write - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Download binary build artifacts - uses: actions/download-artifact@v4 - - - name: Move artifacts - run: | - mv binary-build v2/dist - chmod +x v2/dist/agent - - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 - with: - cosign-release: 'v2.2.4' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=raw,value=latestv2 - type=raw,value=${{ env.ROR_VERSION }} - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 - with: - context: v2 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - publish-helm: - runs-on: ubuntu-latest - needs: - - build-container-image - - bump-version - env: - ROR_VERSION: ${{ needs.bump-version.outputs.ror_version }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install helm - uses: azure/setup-helm@v1 - with: - version: v3.15.0 - - - name: install-yq - run: | - wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - | tar xz && mv ${BINARY} yq && chmod +x yq - env: - VERSION: v4.44.5 - BINARY: yq_linux_amd64 - - - name: Build helm chart - run: | - ./yq e -i '.version = strenv(ROR_VERSION),.appVersion = strenv(ROR_VERSION)' charts/ror-cluster-agent-v2/Chart.yaml - ./yq e -i '.image.tag = strenv(ROR_VERSION)' charts/ror-cluster-agent-v2/values.yaml - ./yq e -i '.image.repository = "ghcr.io/norskhelsenett/ror-cluster-agent"' charts/ror-cluster-agent-v2/values.yaml - helm package charts/ror-cluster-agent-v2 - echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} ${{ env.REGISTRY }} --password-stdin - helm push ror-cluster-agent-${ROR_VERSION}.tgz oci://${{ env.REGISTRY }}/norskhelsenett/helm/