task: add actionlint to GH action (#2704)
gssbzn committed Mar 5, 2024
1 parent 343a8e3 commit a513e19
Showing 4 changed files with 74 additions and 46 deletions.
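--- a/.github/actionlint-matcher.json
+++ b/.github/actionlint-matcher.json
@@ -0,0 +1,17 @@
+{
+"problemMatcher": [
+{
+"owner": "actionlint",
+"pattern": [
+{
+"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+"file": 1,
+"line": 2,
+"column": 3,
+"message": 4,
+"code": 5
+}
+]
+}
+]
+}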
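--- a/.github/workflows/code-health.yml
+++ b/.github/workflows/code-health.yml
@@ -100,17 +100,32 @@ jobs:
 go-version-file: 'go.mod'
 - name: Generate docs
 run: make gen-docs > /dev/null
-- name: Check for uncommited files
+- name: Check for uncommitted files
 run: |
-export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-if [ $LINES -ne 0 ]; then
+export FILES=
+FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+export LINES=
+LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+if [ "$LINES" -ne 0 ]; then
 echo "Detected files that need to be committed:"
-echo "$FILES" | sed -e "s/^/ /"
+echo "${FILES//^/ }"
 echo ""
 echo "Try running: make gen-docs"
 exit 1
 fi
+actionlint:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Download actionlint
+id: get_actionlint
+run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+shell: bash
+- name: Check workflow files
+run: |
+echo "::add-matcher::.github/actionlint-matcher.json"
+${{ steps.get_actionlint.outputs.executable }} -color
+shell: bash
 mocks:
 runs-on: ubuntu-latest
 steps:
@@ -124,13 +139,15 @@ jobs:
 run: go install github.com/golang/mock/mockgen@latest
 - name: Generate mocks
 run: make gen-mocks
-- name: Check for uncommited files
+- name: Check for uncommitted files
 run: |
-export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-if [ $LINES -ne 0 ]; then
+export FILES=
+FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+export LINES=
+LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+if [ "$LINES" -ne 0 ]; then
 echo "Detected files that need to be committed:"
-echo "$FILES" | sed -e "s/^/ /"
+echo "${FILES//^/ }"
 echo ""
 echo "Try running: make gen-mocks"
 exit 1
@@ -153,13 +170,15 @@ jobs:
 go-version-file: 'go.mod'
 - name: Run 'go mod tidy'
 run: go mod tidy
-- name: Check for uncommited files
+- name: Check for uncommitted files
 run: |
-export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-if [ $LINES -ne 0 ]; then
+export FILES=
+FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+export LINES=
+LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+if [ "$LINES" -ne 0 ]; then
 echo "Detected files that need to be committed:"
-echo "$FILES" | sed -e "s/^/ /"
+echo "${FILES//^/ }"
 echo ""
 echo "Try running: go mod tidy"
 exit 1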
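Review bot: `echo "${FILES//^/ }"` (same line in the mocks and go-mod-tidy hunks below) no longer indents each reported path the way the replaced `sed -e "s/^/ /"` did — inside `${var//pattern/replacement}` the `^` is a literal caret, not a line anchor, so the expansion is a no-op for ordinary filenames; keep the sed, e.g. `echo "$FILES" | sed -e 's/^/  /'`, with a `# shellcheck disable=SC2001` above it if actionlint's shellcheck pass objects. The new actionlint job runs `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`, which executes whatever that unpinned branch serves at run time; pin the script to a tagged release or commit SHA, use `curl -fsSL` so an HTTP error body is never fed to bash, and pin the actionlint release the script fetches rather than taking its latest. `actions/checkout@v4` here is a floating tag while docker-release.yml in this same commit pins third-party actions to full SHAs, so pinning it keeps the workflow set consistent.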
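--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -21,7 +21,7 @@
 - name: Find JIRA team
 id: find
 run: |
-echo "assigned_team="$(git diff HEAD~1..HEAD -- go.mod | grep -v "// indirect" | grep -i "^\-" | grep -v "^\-\-\-" | awk '{print $2}' | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners.json" | sh | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners_jira.json" | sh | head -1) >> "${GITHUB_OUTPUT}"
+echo "assigned_team=$(git diff HEAD~1..HEAD -- go.mod | grep -v "// indirect" | grep -i "^\-" | grep -v "^\-\-\-" | awk '{print $2}' | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners.json" | sh | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners_jira.json" | sh | head -1)" >> "${GITHUB_OUTPUT}"
 - name: Create JIRA ticket
 id: create
 shell: bash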
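Review bot: The rewritten `run:` line still assembles shell commands from go.mod module paths with `xargs -I $ echo "jq -r ..." | sh`, so a module path containing shell metacharacters would be executed rather than looked up; the quoting fix this commit makes does not change that. The lookups work without `sh` by passing the key as a jq argument: capture `awk '{print $2}' | head -1` into a variable `mod`, then `owner=$(jq -r --arg m "$mod" '.[$m]' build/ci/library_owners.json)` and the same form for `library_owners_jira.json`, provided taking the first removed module before the lookups is acceptable. The pipeline also assumes the PR is exactly one commit (`HEAD~1..HEAD`), which a multi-commit Dependabot update would break; a comment such as `# assumes a single-commit Dependabot PR` would make that limitation visible.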
52 changes: 22 additions & 30 deletions .github/workflows/docker-release.yml
Expand Up @@ -18,7 +18,7 @@ jobs:
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo DATE=${DATE} >> $GITHUB_ENV
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@e1e0e606cc7e9ede25140a5a139b3a5a1b717ece
Expand All @@ -29,7 +29,7 @@ jobs:
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> $GITHUB_ENV
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
- name: Login to Docker Hub
Expand Down Expand Up @@ -69,7 +69,7 @@ jobs:
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo DATE=${DATE} >> $GITHUB_ENV
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@e1e0e606cc7e9ede25140a5a139b3a5a1b717ece
Expand All @@ -80,7 +80,7 @@ jobs:
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> $GITHUB_ENV
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Enable containerd image store # See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
uses: crazy-max/ghaction-setup-docker@c2351bbd0bfab8cd65e684219ad8ea46a6d093f3
with:
Expand Down Expand Up @@ -109,15 +109,15 @@ jobs:
IMAGE: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest
run: |
docker pull "${IMAGE}"
# DIGESTS contains a list of three digests separated by a comma.
DIGESTS=$(docker buildx imagetools inspect $IMAGE --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
DIGESTS=$(docker buildx imagetools inspect "${IMAGE}" --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
')
echo "These are the Docker image DIGESTS: ${DIGESTS}"
echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" >> "signing-envfile"
echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> "signing-envfile"
echo "COSIGN_REPOSITORY=${SIGNATURE_REPO}" >> "signing-envfile"
{
echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}"
echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}"
} >> "signing-envfile"
echo "${DOCKERHUB_SECRET}" | docker login --password-stdin --username "${DOCKERHUB_USER}"
for DIGEST in $(echo "$DIGESTS" | tr ',' ' '); do
Expand All @@ -127,10 +127,10 @@ jobs:
--env-file=signing-envfile \
--rm \
-v ~/.docker/config.json:/root/.docker/config.json \
-v $(pwd):$(pwd) \
-w $(pwd) \
-v "$(pwd):$(pwd)" \
-w "$(pwd)" \
artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \
cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"
cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"
done
- name: Push image to dockerhub public registry
run: |
Expand Down Expand Up @@ -178,18 +178,14 @@ jobs:
- name: Verify Signature Docker Image
env:
IMAGE: ${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker:io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
# Download Docker Image
docker pull "${IMAGE}"
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}"
# Check the exit status of cosign verify
if [ $? -ne 0 ]; then
if cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
Expand Down Expand Up @@ -221,18 +217,14 @@ jobs:
- name: Verify Signature Quay Image
env:
IMAGE: ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker:io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
# Download Quay Image
docker pull "${IMAGE}"
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}"
# Check the exit status of cosign verify
if [ $? -ne 0 ]; then
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
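Review bot: The "Verify Signature Docker Image" hunk inverts its check: `if cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";` enters the error branch and exits 1 when verification succeeds, and falls through silently when it fails (a command used as an `if` condition is exempt from `-e`), so the line must read `if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";` as the Quay step in the next hunk already does. Both verify steps also lose every setting of COSIGN_REPOSITORY — the mistyped `docker:io/mongodb/signatures` env entry and the inline `COSIGN_REPOSITORY=docker.io/mongodb/signatures` prefix are removed and nothing visible replaces them — while the signing hunk's new envfile block no longer writes `COSIGN_REPOSITORY=${SIGNATURE_REPO}`; if signatures are still published to the separate signatures repository, both verifiers will look in the image's own repository and fail, so please confirm where cosign is expected to find them (this section has collapsed lines, so the variable may be set elsewhere). Minor: `curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem` should be `curl -fsSL https://cosign.mongodb.com/atlas-cli.pem -o atlas-cli.pem` so an HTTP error body never becomes the key file, and keeping a comment such as `# fail the job if the image signature does not validate against the pinned public key` above the if preserves the intent the removed comments carried.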
