-
Notifications
You must be signed in to change notification settings - Fork 0
151 lines (143 loc) · 5.93 KB
/
release-artifacts.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Release Workflow
on:
push:
branches:
- main
paths:
- "genval/defaultpolicies/rego/terraform_policies/**"
- "genval/defaultpolicies/rego/dockerfile_policies/**"
- "genval/defaultpolicies/rego/input_policies/**"
- "genval/defaultpolicies/rego/infrafile_policies/**"
- "genval/modules/cuemod-k8s*/**"
- "genval/modules/cuemod-tektoncd*/**"
- "genval/modules/cuemod-argocd*/**"
permissions:
contents: write
id-token: write
packages: write
pull-requests: write
jobs:
check-updates:
runs-on: ubuntu-latest
strategy:
matrix:
policy:
- name: dockerfile_policies
path: genval/defaultpolicies/rego/dockerfile_policies/**
source: genval/defaultpolicies/rego/dockerfile_policies/
version-file: ./.github/versions/dockerfile_version.env
artifact-name: dockerfile_policies
output: DOCKERFILE_POLICIES
- name: terraform_policies
path: genval/defaultpolicies/rego/terraform_policies/**
source: genval/defaultpolicies/rego/terraform_policies/
version-file: ./.github/versions/terraform_version.env
artifact-name: terraform_policies
output: TERRAFORM_POLICIES
- name: input_policies
path: genval/defaultpolicies/rego/input_policies/**
source: genval/defaultpolicies/rego/input_policies/
version-file: ./.github/versions/input_version.env
artifact-name: terraform_policies
output: INPUT_POLICIES
- name: infrafile_policies
path: genval/defaultpolicies/rego/infrafile_policies/**
source: genval/defaultpolicies/rego/infrafile_policies/
version-file: ./.github/versions/infrafile_version.env
artifact-name: infrafile_policies
output: INFRAFILE_POLICIES
- name: k8s-module
path: genval/modules/cuemod-k8s*/**
source: genval/modules/cuemod-k8s*/
version-file: ./.github/versions/k8s_mod_version.env
artifact-name: k8s-cuemods
output: K8S_MODULE
- name: tektonCD_module
path: genval/modules/cuemod-tektoncd*/
source: genval/modules/cuemod-tektoncd*/
version-file: ./.github/versions/tektoncd_mod_version.env
artifact-name: tektonCD_cuemods
output: TEKTONCD_MODULE
- name: argoCD_module
path: genval/modules/cuemod-argocd*/
source: genval/modules/cuemod-argocd:v2.11.3/**
version-file: ./.github/versions/argocd_mod_version.env
artifact-name: argoCD_cuemods
output: ARGOCD_MODULE
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: "0"
- name: Set matrix output
id: set-matrix-output
run: |
matrix=$((
echo '${{ toJSON(matrix) }}'
) | jq -c .)
echo "::set-output name=matrix::$matrix"
- name: Path filter
id: changes
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
with:
base: main
filters: |
src:
- '${{ matrix.policy.path }}'
- name: setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
with:
go-version: "1.22"
- name: Conditionally set tag
if: steps.changes.outputs.src == 'true'
run: |
echo "tag=$(./.github/get_version.sh ${{ matrix.policy.version-file }})" >> $GITHUB_ENV
echo "tag=${{ env.tag }}"
- name: Install genval
if: steps.changes.outputs.src == 'true'
run: |
go install github.com/intelops/genval@main
- name: Login to GitHub Container Registry
if: steps.changes.outputs.src == 'true'
uses: docker/login-action@v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push ${{ matrix.policy.name }}
if: steps.changes.outputs.src == 'true' && env.tag != ''
id: push_policies
run: |
GIT_TAG=${{ env.tag }}
GENVAL_OUTPUT=$(genval artifact push --reqinput ${{ matrix.policy.source }} \
--dest oci://ghcr.io/intelops/policyhub/genval/${{ matrix.policy.artifact-name }}:${GIT_TAG} \
--annotations="authors=intelops inc.")
echo "${GENVAL_OUTPUT}"
echo "OUTPUT=oci://ghcr.io/intelops/policyhub/genval/${{ matrix.policy.artifact-name }}:${GIT_TAG}" >> $GITHUB_ENV
# Write OCI URL to output file
- name: Write policy URL
if: steps.changes.outputs.src == 'true'
uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
with:
path: "genval/outputs/${{ matrix.policy.output }}.env"
write-mode: overwrite
contents: |
# GitHub generated file
# Please do not modify or delete this file
${{ matrix.policy.output}}=${{ env.OUTPUT }}
- name: Commit & Push
if: steps.changes.outputs.src == 'true'
uses: Andro999b/push@c77535fe7a94645f7ceca83e48e6cc977620710e # v1.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: "${{ matrix.policy.name}}-${{ github.run_number }}"
force: true
message: "Overwritten by GitHub Actions - ${{ github.run_number }}"
- name: Create Pull Request
if: steps.changes.outputs.src == 'true'
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: "${{ matrix.policy.name}}-${{ github.run_number }}"
title: "Update policy URL for ${{ matrix.policy.name }}"
body: "This pull request updates the policy URL for ${{ matrix.policy.name }}."
base: main