
Commit de395b7

authored
Always build & test Zarf Agent during pull requests; publish latest Zarf Agent on release (zarf-dev#651)
- Adds the Zarf Agent (mutating webhook) automatic build in test with the latest code - Fix issue with out of sync Zarf Agent image tag, always cut a new agent image before a release - Test the release once more before publishing - Full support for Linux ARM, closes Complete ARM Support zarf-dev#386
1 parent 939e68b commit de395b7

15 files changed

+211
-150
lines changed

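--- a/.github/workflows/build-rust-injector.yml
+++ b/.github/workflows/build-rust-injector.yml
@@ -1,7 +1,4 @@
-name: Build Rust Binary
-
-env:
-zarfInjectorPath: 'src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector'
+name: Publish Injector Stage I
 
 on:
 workflow_dispatch:
@@ -12,48 +9,58 @@ on:
 branchName:
 description: "Branch to build the injector from"
 required: false
-default: 'master'
+default: "master"
 
 jobs:
 build-injector:
-runs-on: ubuntu-latest
+runs-on: self-hosted
 steps:
+- name: "Dependency: Install cosign"
+uses: sigstore/cosign-installer@v2.5.0
+
+- name: "Dependency: Setup rust toolchain"
+run: |
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path
+echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
 - name: "Checkout Repo"
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.inputs.branchName }}
 
-- name: "Install cosign"
-uses: sigstore/cosign-installer@v2.5.0
-
-- name: "Install Rust And Build"
-uses: gmiam/rust-musl-action@v1.1.1
-with:
-args: cargo build --target x86_64-unknown-linux-musl --release --manifest-path src/injector/stage1/Cargo.toml
+- name: "Build Rust Binary for x86_64"
+working-directory: src/injector/stage1
+run: |
+cargo build --target x86_64-unknown-linux-musl --release
+strip target/x86_64-unknown-linux-musl/release/zarf-injector
 
-- name: "Strip The Binary Down"
-run: sudo strip ${{ env.zarfInjectorPath }}
-
-- name: "Upload Rust Binary"
-uses: actions/upload-artifact@v3
-with:
-name: zarf-injector
-path: ${{ env.zarfInjectorPath }}
+- name: "Build Rust Binary for aarch64"
+working-directory: src/injector/stage1
+run: |
+rustup target add aarch64-unknown-linux-musl
+curl https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz
+export PATH="$PWD/aarch64-linux-musl-cross/bin:$PATH"
+cargo build --target aarch64-unknown-linux-musl --release
+aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector
 
 - name: Login to Docker Hub
 uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-- name: "Upload Binary To DockerHub"
-run: cosign upload blob -f ${{ env.zarfInjectorPath }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+- name: "Upload Binaries To DockerHub"
+working-directory: src/injector/stage1/target
+run: |
+cosign upload blob -f x86_64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
+cosign upload blob -f aarch64-unknown-linux-musl/release/zarf-injector defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
 
-- name: "Sign the binary"
-run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+- name: "Sign the binaries"
+run: |
+cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:amd64-${{ github.event.inputs.versionTag }}
+cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:arm64-${{ github.event.inputs.versionTag }}
 env:
 COSIGN_EXPERIMENTAL: 1
 AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
 AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
-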
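Review bot: The aarch64 build step fetches its cross toolchain with `curl https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz`, with no checksum and without the `--proto '=https' --tlsv1.2 -sSf` guards that the rustup step uses, and that toolchain then produces the arm64 binary which the last step signs with the KMS key. A signature over a binary built by an unverified compiler attests to very little, so download to a file and check it against a pinned digest before unpacking: `curl --proto '=https' --tlsv1.2 -sSfLO https://musl.cc/aarch64-linux-musl-cross.tgz`, `echo "<PINNED_SHA256>  aarch64-linux-musl-cross.tgz" | sha256sum -c -`, `tar -xzf aarch64-linux-musl-cross.tgz`. Separately, `${{ github.event.inputs.versionTag }}` is expanded straight into the `run:` scripts of the upload and sign steps; passing it through `env:` and using a quoted `"$VERSION_TAG"` keeps a malformed input from being parsed as shell.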

.github/workflows/build-zarf-agent.yml

-66
This file was deleted.

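--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,16 +2,21 @@ name: docs
 on:
 pull_request:
 paths:
-- '**.md'
-- '**.jpg'
-- '**.png'
-- '**.gif'
-- '**.svg'
-- 'adr/**'
-- 'docs/**'
+- "**.md"
+- "**.jpg"
+- "**.png"
+- "**.gif"
+- "**.svg"
+- "adr/**"
+- "docs/**"
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
 
 jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
-- run: 'echo "Not required, non-code changes only." '
+- run: 'echo "Not required, non-code changes only." '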

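--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -3,11 +3,15 @@ on:
 pull_request:
 types: [labeled, unlabeled, opened, edited, synchronize]
 
+# Abort prior jobs in the same workflow / PR
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
 
 jobs:
 enforce:
 runs-on: ubuntu-latest
 steps:
-- uses: yogevbd/enforce-label-action@2.2.2
-with:
-BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"
+- uses: yogevbd/enforce-label-action@2.2.2
+with:
+BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"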

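--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,31 +3,56 @@ name: Publish Zarf Packages on Tag
 on:
 push:
 tags:
-- 'v*'
+- "v*"
 
 jobs:
 push-resources:
 runs-on: self-hosted
 steps:
-- name: Install GoLang
+- name: "Dependency: Install Golang"
 uses: actions/setup-go@v3
 with:
 go-version: 1.18.x
 
-- name: Checkout Repo
+- name: "Dependency: Install Docker Buildx"
+id: buildx
+uses: docker/setup-buildx-action@v2
+
+- name: "Checkout Repo"
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
 
-- name: "Setup caching"
-uses: actions/cache@v3
+- name: "Build CLI"
+run: make build-cli-linux
+
+- name: "Zarf Agent: Login to Docker Hub"
+uses: docker/login-action@v2
 with:
-path: |
-~/.cache/go-build
-~/go/pkg/mod
-key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-restore-keys: |
-${{ runner.os }}-go-
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- name: "Zarf Agent: Build and Publish the Image"
+run: |
+cp build/zarf build/zarf-linux-amd64 && cp build/zarf-arm build/zarf-linux-arm64
+docker buildx build --push linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:$GITHUB_REF_NAME .
+
+- name: "Zarf Agent: Sign the Image"
+run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+env:
+COSIGN_EXPERIMENTAL: 1
+AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+
+# Builds init packages since GoReleaser won't handle this for us
+- name: "Build init-packages For Release"
+run: |
+make init-package ARCH=amd64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+make init-package ARCH=arm64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
+
+- name: "Run Tests"
+run: sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
 
 # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
 - name: Set AWS Credentials
@@ -37,12 +62,6 @@ jobs:
 aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
 aws-region: us-gov-west-1
 
-# Builds init packages since GoReleaser won't handle this for us
-- name: "Build init-packages For Release"
-run: |
-make build-cli-linux-amd init-package ARCH=amd64
-make init-package ARCH=arm64
-
 # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
@@ -53,3 +72,6 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
 HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
+
+- name: "Cleanup"
+run: sudo make destroy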
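Review bot: The release build line `docker buildx build --push linux/arm64/v8,linux/amd64 --tag ...` has no `--platform` in front of the platform list, unlike the test workflows in this commit, so buildx will read the list as a positional argument next to `.` and the step will most likely fail; it should read `docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:$GITHUB_REF_NAME .`. The `cosign sign` step that follows signs the mutable tag `defenseunicorns/zarf-agent:$GITHUB_REF_NAME` rather than the digest that was just pushed, so whatever the tag points at when the step runs is what gets signed; capturing the digest from the build (for example via `--metadata-file`) and signing `defenseunicorns/zarf-agent@<digest>` closes that gap. No cosign install step is visible in this workflow, so it presumably relies on the self-hosted runner already having it, which is worth confirming or replacing with the installer step used in build-rust-injector.yml.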

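--- a/.github/workflows/test-k3d.yml
+++ b/.github/workflows/test-k3d.yml
@@ -10,26 +10,46 @@ on:
 - "adr/**"
 - "docs/**"
 
+# Abort prior jobs in the same workflow / PR
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
 jobs:
 validate:
 runs-on: self-hosted
 steps:
-- name: "Install GoLang"
+- name: "Dependency: Install Golang"
 uses: actions/setup-go@v3
 with:
 go-version: 1.18.x
 
-- name: "Checkout Repo"
-uses: actions/checkout@v3
+- name: "Dependency: Install Docker Buildx"
+id: buildx
+uses: docker/setup-buildx-action@v2
 
-- name: "K3d cluster init"
+- name: "Dependency: K3d cluster init"
 run: k3d cluster delete && k3d cluster create
 
+- name: "Checkout Repo"
+uses: actions/checkout@v3
+
 - name: "Build CLI"
 run: make build-cli-linux-amd ARCH=amd64
 
+- name: "Zarf Agent: Login to Docker Hub"
+uses: docker/login-action@v2
+with:
+username: zarfdev
+password: ${{ secrets.ZARF_DEV_DOCKERHUB }}
+
+- name: "Zarf Agent: Build and Publish the Image"
+run: |
+cp build/zarf build/zarf-linux-amd64
+docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
+
 - name: "Make Packages"
-run: make init-package build-examples ARCH=amd64
+run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA
 
 - name: "Run Tests"
 # NOTE: This test run will create its own K3d cluster. A single cluster will be used throughout the test run.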
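Review bot: The new `Zarf Agent: Login to Docker Hub` step puts the `ZARF_DEV_DOCKERHUB` credential on a self-hosted runner in a job that then runs the pull request's own Docker build and `make` targets, so code from the PR executes while the registry login is live; test-k3s.yml gains the same steps. The trigger is outside this hunk, but if it is `pull_request`, fork PRs receive no secrets and the login will fail for them, and if it is `pull_request_target` the secret is exposed to unreviewed code. Consider a token scoped to push on `zarfdev/agent` only, and gate the login and push steps with `if: github.event.pull_request.head.repo.full_name == github.repository`. A comment above the step such as `# Pushes a throwaway agent image tagged with the commit SHA for the e2e tests` would also make clear why a PR job publishes an image.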

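--- a/.github/workflows/test-k3s.yml
+++ b/.github/workflows/test-k3s.yml
@@ -10,23 +10,43 @@ on:
 - "adr/**"
 - "docs/**"
 
+# Abort prior jobs in the same workflow / PR
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
 jobs:
 validate:
 runs-on: self-hosted
 steps:
-- name: "Install GoLang"
+- name: "Dependency: Install Golang"
 uses: actions/setup-go@v3
 with:
 go-version: 1.18.x
 
+- name: "Dependency: Install Docker Buildx"
+id: buildx
+uses: docker/setup-buildx-action@v2
+
 - name: "Checkout Repo"
 uses: actions/checkout@v3
 
 - name: "Build CLI"
 run: make build-cli-linux-amd ARCH=amd64
 
+- name: "Zarf Agent: Login to Docker Hub"
+uses: docker/login-action@v2
+with:
+username: zarfdev
+password: ${{ secrets.ZARF_DEV_DOCKERHUB }}
+
+- name: "Zarf Agent: Build and Publish the Image"
+run: |
+cp build/zarf build/zarf-linux-amd64
+docker buildx build --push --platform linux/amd64 --tag zarfdev/agent:$GITHUB_SHA .
+
 - name: "Make Packages"
-run: make init-package build-examples ARCH=amd64
+run: make init-package build-examples ARCH=amd64 AGENT_IMAGE=zarfdev/agent:$GITHUB_SHA
 
 - name: "Run Tests"
 # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed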
