Bump actions/upload-artifact from 3.1.3 to 4.2.0 (#10896) #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container Images | |
| on: | |
| pull_request: | |
| branches: | |
| - "*" | |
| paths: | |
| - 'images/**' | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'images/**' | |
| permissions: | |
| contents: write | |
| packages: write | |
| env: | |
| PLATFORMS: linux/amd64 | |
| jobs: | |
| changes: | |
| permissions: | |
| contents: read # for dorny/paths-filter to fetch a list of changed files | |
| pull-requests: read # for dorny/paths-filter to read pull requests | |
| runs-on: ubuntu-latest | |
| outputs: | |
| custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }} | |
| cfssl: ${{ steps.filter.outputs.cfssl }} | |
| fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }} | |
| e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }} | |
| go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }} | |
| httpbun: ${{ steps.filter.outputs.httpbun }} | |
| kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }} | |
| ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }} | |
| nginx: ${{ steps.filter.outputs.nginx }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 | |
| id: filter | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| filters: | | |
| custom-error-pages: | |
| - 'images/custom-error-pages/**' | |
| cfssl: | |
| - 'images/cfssl/**' | |
| fastcgi-helloserver: | |
| - 'images/fastcgi-helloserver/**' | |
| e2e-test-echo: | |
| - 'images/e2e-test-echo/**' | |
| go-grpc-greeter-server: | |
| - 'images/go-grpc-greeter-server/**' | |
| httpbun: | |
| - 'images/httpbun/**' | |
| kube-webhook-certgen: | |
| - 'images/kube-webhook-certgen/**' | |
| ext-auth-example-authsvc: | |
| - 'images/ext-auth-example-authsvc/**' | |
| nginx: | |
| - 'images/nginx/**' | |
| #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here) | |
| cfssl: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.cfssl == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: cfssl | |
| secrets: inherit | |
| custom-error-pages: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.custom-error-pages == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: custom-error-pages | |
| secrets: inherit | |
| e2e-test-echo: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.e2e-test-echo == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: e2e-test-echo | |
| secrets: inherit | |
| ext-auth-example-authsvc: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.ext-auth-example-authsvc == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: ext-auth-example-authsvc | |
| secrets: inherit | |
| fastcgi-helloserver: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.fastcgi-helloserver == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: fastcgi-helloserver | |
| secrets: inherit | |
| go-grpc-greeter-server: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.go-grpc-greeter-server == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: go-grpc-greeter-server | |
| secrets: inherit | |
| httpbun: | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.httpbun == 'true') | |
| uses: ./.github/workflows/zz-tmpl-images.yaml | |
| with: | |
| name: httpbun | |
| secrets: inherit | |
| kube-webhook-certgen: | |
| runs-on: ubuntu-latest | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.kube-webhook-certgen == 'true') | |
| strategy: | |
| matrix: | |
| k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0, 1.29.0] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Set up Go | |
| id: go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: '1.21.5' | |
| check-latest: true | |
| - name: image build | |
| run: | | |
| cd images/ && make NAME=kube-webhook-certgen build | |
| - name: Create Kubernetes cluster | |
| id: kind | |
| run: | | |
| kind create cluster --image=kindest/node:${{ matrix.k8s }} | |
| - name: image test | |
| run: | | |
| cd images/ && make NAME=kube-webhook-certgen test test-e2e | |
| nginx: | |
| runs-on: ubuntu-latest | |
| needs: changes | |
| if: | | |
| (needs.changes.outputs.nginx == 'true') | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: nginx-base-image | |
| run: | | |
| cd images/nginx/rootfs && docker build -t docker.io/nginx-test-workflow/nginx:${{ github.sha }} . | |
| - name: Run Trivy on NGINX Image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'docker.io/nginx-test-workflow/nginx:${{ github.sha }}' | |
| format: 'sarif' | |
| ignore-unfixed: true | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: 'trivy-results.sarif' |