Skip to content

Bump secrecy from 0.8.0 to 0.10.2 #692

Bump secrecy from 0.8.0 to 0.10.2

Bump secrecy from 0.8.0 to 0.10.2 #692

Workflow file for this run

name: CI
on:
push:
branches: ["main"]
tags: ["helm/**", "v*"]
pull_request:
branches: ["main"]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
CACHE: ${{ (github.event_name == 'push'
|| github.event_name == 'pull_request')
&& github.ref != 'refs/heads/main'
&& !startsWith(github.ref, 'refs/tags/v')
&& !contains(github.event.head_commit.message, '[fresh ci]') }}
RUST_BACKTRACE: 1
RUST_VER: "1.81"
jobs:
################
# Pull Request #
################
pr:
if: ${{ github.event_name == 'pull_request' }}
needs:
- clippy
- docker
- helm-lint
- rustdoc
- rustfmt
- test-e2e-debug
- test-e2e-release
- test-unit
runs-on: ubuntu-latest
steps:
- run: true
##########################
# Linting and formatting #
##########################
clippy:
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ env.RUST_VER }}
components: clippy
- uses: Swatinem/rust-cache@v2
if: ${{ env.CACHE == 'true' }}
- run: make cargo.lint
helm-lint:
name: helm lint
if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
strategy:
fail-fast: false
matrix:
chart: ["baza"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: azure/setup-helm@v4
- run: make helm.lint chart=${{ matrix.chart }}
rustfmt:
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: nightly
components: rustfmt
- run: make cargo.fmt check=yes
###########
# Testing #
###########
test-e2e-debug: # as a separate CI job to omit waiting `docker` CI job
name: test (E2E, debug)
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: nightly
components: rust-src
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ env.RUST_VER }}
- uses: Swatinem/rust-cache@v2
if: ${{ env.CACHE == 'true' }}
- run: cargo install cargo-careful
- run: make up background=yes dockerized=no
debug=yes careful=yes
- run: sleep 5
- run: make test.e2e start-app=no
test-e2e-release:
name: test (E2E, release)
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
needs: ["docker"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ env.RUST_VER }}
- uses: Swatinem/rust-cache@v2
if: ${{ env.CACHE == 'true' }}
- uses: satackey/action-docker-layer-caching@v0.0.11
with:
key: test-e2e-release-{hash}
restore-keys: test-e2e-release-
continue-on-error: true
timeout-minutes: 10
if: ${{ env.CACHE == 'true' }}
- uses: actions/download-artifact@v4
with:
name: docker-${{ github.run_number }}
path: .cache/docker/
- run: make docker.untar
- run: make up background=yes dockerized=yes
tag=build-${{ github.run_number }}
- run: sleep 5
- run: make test.e2e start-app=no
test-unit:
name: test (unit, ${{ matrix.toolchain }})
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
strategy:
fail-fast: false
matrix:
toolchain: ["stable", "nightly"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ (matrix.toolchain == 'stable' && env.RUST_VER)
|| matrix.toolchain }}
components: rust-src
- uses: Swatinem/rust-cache@v2
if: ${{ env.CACHE == 'true' }}
- run: cargo install cargo-careful
if: ${{ matrix.toolchain == 'nightly' }}
- run: make test.unit
careful=${{ (matrix.toolchain == 'nightly' && 'yes')
|| 'no' }}
############
# Building #
############
docker:
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: docker/setup-buildx-action@v3
- run: make docker.image debug=no no-cache=yes
tag=build-${{ github.run_number }}
- run: make docker.tar
tags=build-${{ github.run_number }}
- uses: actions/upload-artifact@v4
with:
name: docker-${{ github.run_number }}
path: .cache/docker/image.tar
retention-days: 1
rustdoc:
if: ${{ !startsWith(github.ref, 'refs/tags/helm/') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ env.RUST_VER }}
- uses: Swatinem/rust-cache@v2
if: ${{ env.CACHE == 'true' }}
- run: make cargo.doc private=yes open=no
env:
RUSTFLAGS: -D warnings
#############
# Releasing #
#############
docker-push:
name: docker push
if: ${{ github.event_name == 'push'
&& (github.ref == 'refs/heads/main'
|| startsWith(github.ref, 'refs/tags/v')) }}
needs: ["docker", "test-e2e-release"]
strategy:
fail-fast: false
matrix:
registry: ["docker.io", "ghcr.io", "quay.io"]
runs-on: ubuntu-latest
steps:
# Skip if this is fork and no credentials are provided.
- id: skip
run: echo "no=${{ !(
github.repository_owner != 'instrumentisto'
&& ((matrix.registry == 'quay.io'
&& secrets.QUAYIO_ROBOT_USER == '')
|| (matrix.registry == 'docker.io'
&& secrets.DOCKERHUB_BOT_USER == ''))
) }}" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
if: ${{ steps.skip.outputs.no == 'true' }}
- uses: actions/download-artifact@v4
with:
name: docker-${{ github.run_number }}
path: .cache/docker/
if: ${{ steps.skip.outputs.no == 'true' }}
- run: make docker.untar
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Login to ${{ matrix.registry }} container registry
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ (matrix.registry == 'docker.io'
&& secrets.DOCKERHUB_BOT_USER)
|| (matrix.registry == 'quay.io'
&& secrets.QUAYIO_ROBOT_USER)
|| github.repository_owner }}
password: ${{ (matrix.registry == 'docker.io'
&& secrets.DOCKERHUB_BOT_PASS)
|| (matrix.registry == 'quay.io'
&& secrets.QUAYIO_ROBOT_TOKEN)
|| secrets.GITHUB_TOKEN }}
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Parse semver versions from Git tag
id: semver
uses: actions-ecosystem/action-regex-match@v2
with:
text: ${{ github.ref }}
regex: '^refs/tags/v((([0-9]+)\.[0-9]+)\.[0-9]+(-.+)?)$'
if: ${{ steps.skip.outputs.no == 'true'
&& startsWith(github.ref, 'refs/tags/v') }}
- name: Form version Docker tags
id: tags
uses: actions/github-script@v7
with:
result-encoding: string
script: |
let versions = '${{ steps.semver.outputs.group1 }}';
if ('${{ steps.semver.outputs.group4 }}' === '') {
versions += ',${{ steps.semver.outputs.group2 }}';
if ('${{ steps.semver.outputs.group3 }}' !== '0') {
versions += ',${{ steps.semver.outputs.group3 }}';
}
versions += ',latest';
}
return versions;
if: ${{ steps.skip.outputs.no == 'true'
&& startsWith(github.ref, 'refs/tags/v') }}
- run: make docker.tags
registries=${{ matrix.registry }}
of=build-${{ github.run_number }}
tags=${{ (startsWith(github.ref, 'refs/tags/v')
&& steps.tags.outputs.result)
|| 'edge' }}
if: ${{ steps.skip.outputs.no == 'true' }}
- run: make docker.push
registries=${{ matrix.registry }}
tags=${{ (startsWith(github.ref, 'refs/tags/v')
&& steps.tags.outputs.result)
|| 'edge' }}
if: ${{ steps.skip.outputs.no == 'true' }}
# On GitHub Container Registry README is automatically updated on pushes.
- name: Update README on Docker Hub
uses: christian-korneck/update-container-description-action@v1
with:
provider: dockerhub
destination_container_repo: ${{ github.repository }}
readme_file: README.md
env:
DOCKER_USER: ${{ secrets.DOCKERHUB_BOT_USER }}
DOCKER_PASS: ${{ secrets.DOCKERHUB_BOT_PASS }}
if: ${{ steps.skip.outputs.no == 'true'
&& matrix.registry == 'docker.io' }}
- name: Update README on Quay.io
uses: christian-korneck/update-container-description-action@v1
with:
provider: quay
destination_container_repo: ${{ matrix.registry }}/${{ github.repository }}
readme_file: README.md
env:
DOCKER_APIKEY: ${{ secrets.QUAYIO_API_TOKEN }}
if: ${{ steps.skip.outputs.no == 'true'
&& matrix.registry == 'quay.io' }}
helm-push:
name: helm push
if: ${{ startsWith(github.ref, 'refs/tags/helm/') }}
needs: ["helm-lint"]
strategy:
max-parallel: 1
matrix:
chart: ["baza"]
runs-on: ubuntu-latest
steps:
- id: skip
run: echo "no=${{
startsWith(github.ref,
format('refs/tags/helm/{0}/', matrix.chart))
}}" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
if: ${{ steps.skip.outputs.no == 'true' }}
- uses: azure/setup-helm@v4
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Parse semver versions from Git tag
id: semver
uses: actions-ecosystem/action-regex-match@v2
with:
text: ${{ github.ref }}
regex: '^refs/tags/helm/${{ matrix.chart }}/((([0-9]+)\.[0-9]+)\.[0-9]+(-.+)?)$'
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Verify Git tag version matches `Chart.yaml` version
run: |
test "${{ steps.semver.outputs.group1 }}" \
== "$(grep -m1 'version: ' helm/${{ matrix.chart }}/Chart.yaml \
| cut -d' ' -f2)"
if: ${{ steps.skip.outputs.no == 'true' }}
- run: make helm.package chart=${{ matrix.chart }}
out-dir=.cache/helm/ clean=yes
if: ${{ steps.skip.outputs.no == 'true' }}
# Helm's digest is just SHA256 checksum:
# https://github.com/helm/helm/blob/v3.9.2/pkg/provenance/sign.go#L417-L418
- name: Generate SHA256 checksum
run: ls -1 | xargs -I {} sh -c "sha256sum {} > {}.sha256sum"
working-directory: .cache/helm/
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Show generated SHA256 checksum
run: cat *.sha256sum
working-directory: .cache/helm/
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Parse CHANGELOG link
id: changelog
run: echo "link=${{ github.server_url }}/${{ github.repository }}/blob/helm%2F${{ matrix.chart }}%2F${{ steps.semver.outputs.group1 }}/helm/${{ matrix.chart }}/CHANGELOG.md#$(sed -n '/^## \[${{ steps.semver.outputs.group1 }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' helm/${{ matrix.chart }}/CHANGELOG.md)"
>> $GITHUB_OUTPUT
- name: Create GitHub release
uses: softprops/action-gh-release@v2
with:
name: helm/${{ matrix.chart }} ${{ steps.semver.outputs.group1 }}
body: >
[Changelog](${{ steps.changelog.outputs.link }}) |
[Overview](${{ github.server_url }}/${{ github.repository }}/tree/helm%2F${{ matrix.chart }}%2F${{ steps.semver.outputs.group1 }}/helm/${{ matrix.chart }}) |
[Values](${{ github.server_url }}/${{ github.repository }}/blob/helm%2F${{ matrix.chart }}%2F${{ steps.semver.outputs.group1 }}/helm/${{ matrix.chart }}/values.yaml)
files: |
.cache/helm/*.tgz
.cache/helm/*.sha256sum
fail_on_unmatched_files: true
prerelease: ${{ contains(steps.semver.outputs.group1, '-') }}
if: ${{ steps.skip.outputs.no == 'true' }}
- name: Parse Git repository name
id: repo
uses: actions-ecosystem/action-regex-match@v2
with:
text: ${{ github.repository }}
regex: '^${{ github.repository_owner }}/(.+)$'
# TODO: Find or write a tool to build index idempotently from GitHub
# releases, and keep on GitHub Pages only the built index.
# https://github.com/helm/chart-releaser/issues/133
- name: Update Helm repository index
run: |
set -ex
git config --local user.email 'actions+${{ github.run_number }}@github.com'
git config --local user.name 'GitHub Actions'
git fetch origin gh-pages:gh-pages
git checkout gh-pages
git reset --hard
mkdir -p helm/
cp -rf .cache/helm/*.tgz helm/
helm repo index helm/ --url=https://${{ github.repository_owner }}.github.io/${{ steps.repo.outputs.group1 }}/helm
git add -v helm/
git commit -m 'Release ${{ steps.semver.outputs.group1 }} version of `${{ matrix.chart }}` Helm chart'
git checkout -
git push origin gh-pages
if: ${{ steps.skip.outputs.no == 'true' }}
release-github:
name: release (GitHub)
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
needs:
- clippy
- docker-push
- rustdoc
- rustfmt
- test-e2e-debug
- test-e2e-release
- test-unit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Parse semver versions from Git tag
id: semver
uses: actions-ecosystem/action-regex-match@v2
with:
text: ${{ github.ref }}
regex: '^refs/tags/v((([0-9]+)\.[0-9]+)\.[0-9]+(-.+)?)$'
- name: Verify Git tag version matches `Cargo.toml` version
run: |
test "${{ steps.semver.outputs.group1 }}" \
== "$(grep -m1 'version = "' Cargo.toml | cut -d'"' -f2)"
- name: Parse CHANGELOG link
id: changelog
run: echo "link=${{ github.server_url }}/${{ github.repository }}/blob/v${{ steps.semver.outputs.group1 }}/CHANGELOG.md#$(sed -n '/^## \[${{ steps.semver.outputs.group1 }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md)"
>> $GITHUB_OUTPUT
- name: Parse milestone link
id: milestone
run: echo "link=${{ github.server_url }}/${{ github.repository }}/milestone/$(sed -n '/^## \[${{ steps.semver.outputs.group1 }}\]/,/Milestone/{s/.*milestone.\([0-9]*\).*/\1/p;}' CHANGELOG.md)"
>> $GITHUB_OUTPUT
- name: Create GitHub release
uses: softprops/action-gh-release@v2
with:
name: ${{ steps.semver.outputs.group1 }}
body: >
[Changelog](${{ steps.changelog.outputs.link }}) |
[Milestone](${{ steps.milestone.outputs.link }})
prerelease: ${{ contains(steps.semver.outputs.group1, '-') }}