Add GitHub Actions workflow for automatic PR updates from upstream re… #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Main | |
on: | |
push: | |
branches: | |
- master | |
tags: | |
- '**' | |
pull_request: | |
jobs: | |
vulnerability-scanning: | |
name: Trivy vulnerability-scanning using the image from values.yaml | |
runs-on: ubuntu-latest | |
env: | |
# USE WITH CAUTION, IT IMPLIES RISK | |
# This is a list of vulnerabilities that will be skipped from the check | |
# It is mostly used for vulnerabilities which haven't fixed by the depending projects | |
# The format is space separated string: "CVE-XXXX-XXXX CVE-XXXX-XXXX CVE-XXXX-XXXX" | |
SKIPPED_VULN: "" | |
if: ${{ !github.event.pull_request.head.repo.fork }} # no PRs from fork | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Skip vulnerabilities | |
if: ${{ env.SKIPPED_VULN != '' }} | |
run: | | |
echo "${{ env.SKIPPED_VULN }}" | tr ' ' '\n' > .trivyignore | |
- name: Get image.tag from values.yaml | |
id: get_image_tag | |
run: echo "IMAGE_TAG=$(yq e '.image.tag' weaviate/values.yaml)" >> $GITHUB_ENV | |
- name: Get image.repo from values.yaml | |
id: get_image_repo | |
run: echo "IMAGE_REPO=$(yq e '.image.repo' weaviate/values.yaml)" >> $GITHUB_ENV | |
- name: Get image.registry from values.yaml | |
id: get_image_registry | |
run: echo "IMAGE_REGISTRY=$(yq e '.image.registry' weaviate/values.yaml)" >> $GITHUB_ENV | |
- name: Pull Docker image | |
run: docker pull ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} | |
- name: Run Trivy vulnerability scanner for the built image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: '${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}' | |
exit-code: '1' | |
format: 'table' | |
ignore-unfixed: true | |
severity: 'HIGH,CRITICAL' | |
create-helm-chart: | |
name: Test and release | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Test | |
run: ./.cicd/test.sh | |
- name: Release | |
if: startsWith(github.ref, 'refs/tags/') | |
run: .cicd/release.sh | |
- name: Create Release | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
generate_release_notes: true | |
draft: true | |
files: weaviate/weaviate.tgz | |
create-gh-page: | |
name: create gh page | |
runs-on: ubuntu-latest | |
needs: create-helm-chart | |
if: startsWith(github.ref, 'refs/tags/') | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
# chartpress requires git history to set chart version and image tags | |
# correctly | |
fetch-depth: 0 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.10" | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
- name: Install Helm | |
uses: azure/setup-helm@v3 | |
with: | |
version: v3.10.2 | |
- name: Install chart publishing dependencies (chartpress, helm) | |
run: pip install chartpress | |
- name: Setup push rights to jupyterhub/helm-chart | |
# This was setup by... | |
# 1. Generating a private/public key pair: | |
# ssh-keygen -t ed25519 -C "weaviate/weaviate-helm" -f ./deploy_key | |
# 2. Registering the private key (./deploy_key) as a secret for this | |
# repo: | |
# https://github.com/weaviate/weaviate-helm/settings/secrets/actions | |
# 3. Registering the public key (./deploy_key.pub) as a deploy key | |
# with push rights for the jupyterhub/helm chart repo: | |
# https://github.com/weaviate/weaviate-helm/settings/keys | |
run: | | |
mkdir -p ~/.ssh | |
ssh-keyscan github.com >> ~/.ssh/known_hosts | |
echo "${{ secrets.WEAVIATE_HELM_CHART_DEPLOY_KEY }}" > ~/.ssh/id_ed25519 | |
chmod 600 ~/.ssh/id_ed25519 | |
- name: Configure a git user | |
# Having a user.email and user.name configured with git is required to | |
# make commits, which is something chartpress does when publishing. | |
# While Travis CI had a dummy user by default, GitHub Actions doesn't | |
# and require this explicitly setup. | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "GitHub Actions user" | |
- name: Run chart-releaser | |
run: chartpress --publish-chart |