Skip to content

chore: Part 5 - documentation updates #212

chore: Part 5 - documentation updates

chore: Part 5 - documentation updates #212

name: Create, Scan and Publish KAITO image
on:
pull_request:
branches:
- main
- release-**
types: [ closed ]
permissions:
contents: write
packages: write
env:
REGISTRY: ghcr.io
GO_VERSION: '1.20'
IMAGE_NAME: 'workspace'
IMG_TAG: 'latest'
jobs:
export-registry:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
runs-on: ubuntu-20.04
outputs:
registry: ${{ steps.export.outputs.registry }}
steps:
- id: export
run: |
# registry must be in lowercase
echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT
create-tag:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
runs-on: ubuntu-20.04
outputs:
tag: ${{ steps.get-tag.outputs.tag }}
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- id: get-tag
name: Get tag
run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT
- name: Create tag
uses: actions/github-script@v7
with:
script: |
github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}',
sha: context.sha
})
publish-images:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
needs:
- create-tag
- export-registry
env:
IMG_TAG: ${{ needs.create-tag.outputs.tag }}
REGISTRY: ${{ needs.export-registry.outputs.registry }}
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
ref: ${{ steps.get-tag.outputs.tag }}
- name: Login to ${{ env.REGISTRY }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set Image tag
run: |
ver=${{ needs.create-tag.outputs.tag }}
echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV
- name: Build image
run: |
OUTPUT_TYPE=type=registry make docker-build-kaito
env:
VERSION: ${{ env.IMG_TAG }}
- name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
timeout: '5m0s'
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Save registry and tag as an artifact for other workflows that run on workflow_run to download them
run: |
mkdir -p /tmp/artifacts
echo ${{ needs.create-tag.outputs.tag }} >> /tmp/artifacts/tag.txt
cat /tmp/artifacts/tag.txt
- uses: actions/upload-artifact@v4
with:
name: artifacts
path: /tmp/artifacts