
Commit 44ca982

authored
Merge pull request #1892 from fluxcd/fluxcd/gha-workflows
ci: Refactor CI with `fluxcd/gha-workflows`
2 parents efb4d21 + 48c3d35 commit 44ca982


10 files changed

+64
-357
lines changed


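--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,34 +1,12 @@
 name: backport
-
 on:
   pull_request_target:
     types: [closed, labeled]
-
-permissions:
-  contents: read
-
 jobs:
-  pull-request:
-    runs-on: ubuntu-latest
+  backport:
     permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@ca4972adce8039ff995e618f5fc02d1b7961f27a # v3.3.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+      contents: write # for reading and creating branches.
+      pull-requests: write # for creating pull requests against release branches.
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}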
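Review bot: The backport PRs are now created with the default token (`github-token: ${{ secrets.GITHUB_TOKEN }}`), and by GitHub's documented behaviour events caused by `GITHUB_TOKEN` do not start new workflow runs, so CI may no longer run on the generated backport PRs; the removed comment shows `BOT_GITHUB_TOKEN` was used for exactly that reason, so either confirm the reusable workflow obtains its own token for PR creation or pass the bot token here. The job-level `if:` that restricted runs to merged PRs carrying a `backport:` label is gone from the caller, so that filter now has to live inside the reusable workflow; a comment such as `# Merged-PR and backport:<branch> label filtering is done by the reusable workflow` would make that explicit. Separately, every reusable-workflow and composite-action reference added in this commit (here and in cifuzz.yaml, e2e.yaml, release.yml and scan.yaml) appears to use a version ref rather than a full commit SHA (the ref is not legible on this rendered page), whereas the third-party actions they replace were pinned to SHAs with a version comment; pinning as `uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@<full-commit-sha> # <version>` keeps the previous supply-chain posture.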

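--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -4,27 +4,16 @@ on:
     branches:
       - 'main'
       - 'release/**'
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
-
-permissions:
-  contents: read
-
 jobs:
   smoketest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for reading the repository code.
     steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - name: Test suite setup
+        uses: fluxcd/gha-workflows/.github/actions/[email protected]
         with:
           go-version: 1.25.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Smoke test Fuzzers
         run: make fuzz-smoketest
         env: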

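--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,46 +1,28 @@
 name: e2e
-
 on:
   workflow_dispatch:
   pull_request:
-    branches:
-      - 'main'
-      - 'release/**'
   push:
     branches:
       - 'main'
       - 'release/**'
-
-permissions:
-  contents: read # for actions/checkout to fetch code
-
 jobs:
-
   kind-linux-amd64:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for reading the repository code.
     steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - name: Test suite setup
+        uses: fluxcd/gha-workflows/.github/actions/[email protected]
         with:
           go-version: 1.25.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
+      - name: Verify
+        run: make verify
       - name: Enable integration tests
         # Only run integration tests for main and release branches
         if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
         run: |
           echo 'GO_TAGS=integration' >> $GITHUB_ENV
-      - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
-        with:
-          cluster_name: kind
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
-      - name: Setup Helm
-        uses: fluxcd/pkg/actions/helm@main
       - name: Run E2E tests
         env:
           SKIP_COSIGN_VERIFICATION: true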
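Review bot: `Run E2E tests` still executes, but the steps that checked out the repository and provisioned the kind cluster, kustomize and helm were all removed, so the `Test suite setup` composite action must now perform the checkout and the cluster/tool provisioning for this job (the `smoketest` job in cifuzz.yaml has the same dependency on the checkout); a comment above the step naming what it sets up, along the lines of `# Checks out the repository and installs Go plus the tools the e2e suite needs`, adjusted to what the action actually does, would make that contract visible. Also, `pull_request:` lost its `branches:` filter while `push:` kept `main` and `release/**`, so the workflow now runs for PRs against any base branch; if that asymmetry is unintended, restore the `branches:` list under `pull_request:`.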

.github/workflows/nightly.yml

Lines changed: 0 additions & 35 deletions
This file was deleted.

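--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,115 +7,21 @@ on:
     inputs:
       tag:
         description: 'image tag prefix'
-        default: 'preview'
+        default: 'rc'
         required: true
-
-permissions:
-  contents: read
-
-env:
-  CONTROLLER: ${{ github.event.repository.name }}
-
 jobs:
   release:
-    outputs:
-      hashes: ${{ steps.slsa.outputs.hashes }}
-      image_url: ${{ steps.slsa.outputs.image_url }}
-      image_digest: ${{ steps.slsa.outputs.image_digest }}
-    runs-on: ubuntu-latest
     permissions:
       contents: write # for creating the GitHub release.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for pushing and signing container images.
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@main
-      - name: Prepare
-        id: prep
-        run: |
-          VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
-          if [[ $GITHUB_REF == refs/tags/* ]]; then
-            VERSION=${GITHUB_REF/refs\/tags\//}
-          fi
-          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
-          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - name: Setup Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-        with:
-          registry: ghcr.io
-          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to Docker Hub
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-        with:
-          username: fluxcdbot
-          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Generate images meta
-        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
-        with:
-          images: |
-            fluxcd/${{ env.CONTROLLER }}
-            ghcr.io/fluxcd/${{ env.CONTROLLER }}
-          tags: |
-            type=raw,value=${{ steps.prep.outputs.VERSION }}
-      - name: Publish images
-        id: build-push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          sbom: true
-          provenance: true
-          push: true
-          builder: ${{ steps.buildx.outputs.name }}
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
-      - name: Sign images
-        env:
-          COSIGN_EXPERIMENTAL: 1
-        run: |
-          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
-          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
-      - name: Generate release artifacts
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: |
-          mkdir -p config/release
-          kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
-          kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-      - uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
-      - name: Create release and SBOM
-        id: run-goreleaser
-        if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
-        with:
-          version: latest
-          args: release --clean --skip=validate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate SLSA metadata
-        id: slsa
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
-          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-
-          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
-          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-
-          image_digest=${{ steps.build-push.outputs.digest }}
-          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
-
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    with:
+      controller: ${{ github.event.repository.name }}
+      release-candidate-prefix: ${{ github.event.inputs.tag }}
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      dockerhub-token: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
   release-provenance:
     needs: [release]
     permissions:
@@ -128,10 +34,10 @@ jobs:
       provenance-name: "provenance.intoto.jsonl"
       base64-subjects: "${{ needs.release.outputs.hashes }}"
       upload-assets: true
-
   dockerhub-provenance:
     needs: [release]
     permissions:
+      contents: read # for reading the repository code.
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.
@@ -143,10 +49,10 @@ jobs:
       registry-username: fluxcdbot
     secrets:
       registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
   ghcr-provenance:
     needs: [release]
     permissions:
+      contents: read # for reading the repository code.
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.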
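Review bot: `release-provenance` still reads `needs.release.outputs.hashes` in the second hunk (and, judging by the removed `outputs:` block, the image provenance jobs presumably consume `image_url`/`image_digest`), but the `release` job no longer declares any `outputs:`, so those values must now be exposed by the reusable workflow's own `outputs:` under exactly those names or the provenance jobs will run against empty subjects — worth confirming against the called workflow. `release-candidate-prefix: ${{ github.event.inputs.tag }}` is only populated on `workflow_dispatch`; on tag pushes it is empty, which the removed `Prepare` step handled by overriding `VERSION` from `GITHUB_REF`, so confirm the reusable workflow tolerates an empty prefix on tag builds. The GHCR login previously used `GHCR_TOKEN` and only `github-token` and `dockerhub-token` are passed now, so pushing to ghcr.io presumably relies on `GITHUB_TOKEN` with the `packages: write` permission declared on the job; a comment on the `secrets:` block such as `# ghcr.io access uses GITHUB_TOKEN via packages: write` would document that.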

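--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,52 +1,17 @@
 name: scan
-
 on:
   push:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   pull_request:
-    branches: [ 'main', 'release/**' ]
+    branches: [ main ]
   schedule:
     - cron: '18 10 * * 3'
-
-permissions:
-  contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
-
 jobs:
-  fossa:
-    name: FOSSA
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
-        with:
-          # FOSSA Push-Only API Token
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-
-  codeql:
-    name: CodeQL
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version: 1.25.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
-        with:
-          languages: go
-          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # xref: https://codeql.github.com/codeql-query-help/go/
-          queries: security-and-quality
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
+  analyze:
+    permissions:
+      contents: read # for reading the repository code.
+      security-events: write # for uploading the CodeQL analysis results.
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      fossa-token: ${{ secrets.FOSSA_TOKEN }}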
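Review bot: Both the `push` and `pull_request` triggers were narrowed from `[ 'main', 'release/**' ]` to `[ main ]`, so CodeQL and FOSSA no longer run on commits or PRs targeting release branches, even though cifuzz.yaml and e2e.yaml in the same commit keep `release/**`; if that is not intended, use `branches: [ main, 'release/**' ]` on both triggers. The FOSSA credential is now read from `secrets.FOSSA_TOKEN` instead of the literal that was committed in the removed `fossa-api-key:` line; since that literal remains in the repository history, it should be revoked and the secret populated with a freshly issued token rather than the old value.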
