Skip to content

Merge pull request #26 from SG60/renovate/rui314-setup-mold-digest #70

Merge pull request #26 from SG60/renovate/rui314-setup-mold-digest

Merge pull request #26 from SG60/renovate/rui314-setup-mold-digest #70

Workflow file for this run

name: Rust
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
workflow_dispatch:
# Automatically cancel in-progress actions on the same branch
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
cancel-in-progress: true
env:
DOCKER_CONTAINER_IMAGE_BASE: lhr.ocir.io/lrdyqp2xtoja/argocd-appset-checked-pr-generator
# get correct commit sha for pull requests as well
COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
target:
- rust: aarch64-unknown-linux-musl
docker: linux/arm64
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: rui314/setup-mold@2e332a0b602c2fc65d2d3995941b1b29a5f554a0 # v1
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target.rust }}
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2
with:
cache-all-crates: "true"
cache-on-failure: "true"
- uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3
# nix dev shell setup
- uses: DeterminateSystems/nix-installer-action@main
- uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
with: { name: "nix-community" }
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: test
run: nix develop -c cargo test
- name: build
env:
TARGET_CC: clang
run: nix develop .#${{ matrix.target.rust }} -c cargo build --target ${{ matrix.target.rust }} --release
- name: Login to Docker registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
with:
registry: lhr.ocir.io
username: ${{ secrets.OCIR_USERNAME }}
password: ${{ secrets.OCIR_TOKEN }}
- name: Docker meta tags generator
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
# use correct sha for pr commits
env:
DOCKER_METADATA_PR_HEAD_SHA: true
with:
images: |
${{ env.DOCKER_CONTAINER_IMAGE_BASE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=edge
type=sha,format=long
- name: Build Dockerfile
id: build-and-push-action-1
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
with:
context: .
file: Dockerfile
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha
platforms: ${{ matrix.target.docker }}
build-args: |
RUST_TARGET_DIR=target/${{ matrix.target.rust }}/release
- run: docker push --all-tags $DOCKER_CONTAINER_IMAGE_BASE
- name: get image digest
id: docker-image-digest
run: |
# get digest of pushed image, and get rid of everything up to the actual digest (i.e. remove the repo and name)
DOCKER_IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA} | sed 's/.*@//')
echo docker_image_digest=$DOCKER_IMAGE_DIGEST >> $GITHUB_OUTPUT
echo "image digest: \`${DOCKER_IMAGE_DIGEST}\`" >> $GITHUB_STEP_SUMMARY
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.DOCKER_CONTAINER_IMAGE_BASE }}:sha-${{ env.COMMIT_SHA }}
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL"
outputs:
pushed-image-digest: ${{ steps.docker-image-digest.outputs.docker_image_digest }}
deploy:
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
token: ${{ secrets.WRITE_BACK_TO_REPO_TOKEN }}
- name: install kustomize
id: kustomize-installation
run: |
curl -sfLo kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz
tar xzf ./kustomize.tar.gz
echo "KUSTOMIZE_COMMAND=$PWD/kustomize" >> $GITHUB_OUTPUT
- name: Update kustomization for new image
# in 'prod' folder
env:
KUSTOMIZE_COMMAND: ${{ steps.kustomize-installation.outputs.KUSTOMIZE_COMMAND }}
run: |
cd k8s/overlays/prod
# update image digest
$KUSTOMIZE_COMMAND edit set image \
${DOCKER_CONTAINER_IMAGE_BASE}=${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA}@${{ needs.build.outputs.pushed-image-digest }}
- name: Update version label
uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1
with:
cmd: yq -i '.labels[].pairs."app.kubernetes.io/version" = strenv(COMMIT_SHA)' k8s/overlays/prod/kustomization.yaml
- name: Commit to git
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git add k8s/overlays/prod
git commit -m "update: image to version $COMMIT_SHA
[no ci]"
git pull --rebase
git push
echo "Committed to infra" >> $GITHUB_STEP_SUMMARY