Make a release #304
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Make a release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: Tag [e.g. 1.7.8-tetrate-v0] | |
| required: true | |
| jobs: | |
| build_fips_proxy: | |
| # Only run this job when the release type equals "fips". | |
| if: false | |
| name: build fips proxy binary | |
| timeout-minutes: 1440 # 12 hours | |
| runs-on: ['self-hosted','Linux','x64','m5.large'] | |
| env: | |
| RELEASE_GCS_PATH: gs://getistio-build/proxy-fips | |
| steps: | |
| - name: Get normalized tag | |
| id: get_minor_ver | |
| run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/-.*//g') | |
| shell: bash | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: "istio/proxy" | |
| ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Check if already built | |
| id: check_already_built | |
| run: | | |
| set +e | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA} | |
| echo ::set-output name=should_build::$? | |
| - name: Tweak make recipe | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) remove unnecessary dependency on naive "build" target | |
| # 2) remove "-p" flag to not push and build container, | |
| # 3) replace RELEASE_GCS_PATH var with the literal due to docker build. | |
| # from push_release. | |
| run: | | |
| ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') | |
| sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk | |
| - name: Tweak release-binary script | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) Setup in-docker auth against gcloud | |
| # 2) Remove unnecessary debug build | |
| # 3) Remove unnecessary Wasm build and publish | |
| # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. | |
| run: | | |
| CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') | |
| cp scripts/release-binary.sh scripts/release-binary.sh.tmp | |
| echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh | |
| cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh | |
| sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh | |
| sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh | |
| cat scripts/release-binary.sh | |
| - name: Add FIPS flag | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| run: echo "build --define boringssl=fips" >> .bazelrc | |
| - name: Build and push | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| env: | |
| BUILD_WITH_CONTAINER: 1 | |
| run: make push_release | |
| - name: Put CentOS binary | |
| # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. | |
| # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz | |
| - name: Put Wasm binary | |
| # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. | |
| env: | |
| UPSTREAM_GCSP_PATH: gs://istio-build/proxy | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| build_arm_proxy: | |
| # Do not run this job when the release type equals "fips". | |
| if: "contains(github.event.ref, 'multiarch')" | |
| name: build ARM proxy binary | |
| timeout-minutes: 1440 # 12 hours | |
| runs-on: ["self-hosted", "arm64"] | |
| env: | |
| RELEASE_GCS_PATH: gs://getistio-build/proxy-arm | |
| steps: | |
| - name: Get normalized tag | |
| id: get_minor_ver | |
| run: | | |
| echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/-.*//g') | |
| echo ::set-output name=RELEASE_VERSION::$(echo $TAG | sed 's/-.*//g' | sed 's/\.[^\.]*$//g') | |
| shell: bash | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: "istio/proxy" | |
| ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Check if already built | |
| id: check_already_built | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| SHOULD_BUILD=1 | |
| if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA} ; then | |
| SHOULD_BUILD=0 | |
| fi | |
| echo ::set-output name=should_build::${SHOULD_BUILD} | |
| - name: Tweak make recipe | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) remove unnecessary dependency on naive "build" target | |
| # 2) remove "-p" flag to not push and build container, | |
| # 3) replace RELEASE_GCS_PATH var with the literal due to docker build. | |
| # from push_release. | |
| run: | | |
| ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') | |
| sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk | |
| - name: Tweak release-binary script | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) Setup in-docker auth against gcloud | |
| # 2) Remove unnecessary debug build | |
| # 3) Remove unnecessary Wasm build and publish | |
| # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. | |
| run: | | |
| echo H4sIAJNQ32EAA+VXbXPaOBD+zq/YczMFCgKcBkjSY6aE0CTTBDIBru31OoxsC9Bgyz5LbkLT/PdbWZhA3m7au364Kx9Col3tap/dZ3fj8ckECJlyBbQq3ZhHSlajRM6IxxxORUXOwHlEkOPCY1dQ223UX7oNVqm8dKhbn3hNsGu1Zr2eI4Q8ajVXKpUet/z6NZDGTtm2oaS/GoAHE56DHHz8COQLWFvXR53B+Lw9PL6x4NMneP78VtIfDc9Hw/HhycVKlkg6ZXi95FLJUKeQCBowIEHRAi5yJQDrarcxbuxYRTho/949HbcvOscta75rvXqViimN3dk9eXZqlF4UgbmzEKyRkEkUhbFiHmgNrpirkpiVIUikAoeB8QZhjPJAGwB2hTmwtSEmqZuDZzBYBD4XcwleKPIKLsN4XsZIGEwS34eIqhlQCRQUC9AXjRepCo3DRHiV1ABj+zBTKpL71SqmeJY4FTcMqlwqHq5+yoTJql1v2jswwfd4TFHuy9TAfJeEkQIuQc0YhImKEgUejzGaEN1p9SyQSPGAf8F4nYT7noQCcfVhGWSI9eWGYsKnrZj5DBNA5CJwQh+o8O7JiqljOWO+786YO0d3kjo+aw0621hpOWLgxxy3MI0O/cJ8zOAkhK1rIzkYnZweYnqOBjfLF481VMWqCabqcGHlSt9tJVPQ+b+5NbisioOTXvviA9q8Xjm4qaow9GUVi9tATqI4vFpYupifCtR7iJkZgOgT871JznuyJT+btfrepO7ayE9X/1Lffpif9+9vUvS+XLN0t1beRpbiV0pSPoGPmoOHgyGSr9UCS4SCIQ1f6RISOQBAUcvC8FM+k2dwRucMJLIjLbKlF0i9cIb1jQJdUwpCkVXbyEmESsBuVGo7UHjPBKd+MUcy553jbuctuifsT7DBNAd9bpL6pn8x7nR7w/5gqVJbvY5AGoBRvlsHFvzSghfWWsEGoWLEeoE95vY+wOhg1BuOxhfd02570G1tXW8e7JOtgi+dcRYo8oTI4o25a1xvXjA45q/SKPO6oX39Ctem0+TPdD+JE6HBeRCVSn7VWiB1grCTpaP1Lpi6SNF9yoXRuGOT+d8JvL0O/LcVQocJ1R9AcxnLVuHXKlNu1cXjUJLsroqBeC7ka2Svkv/qYvMiHvxRATKxi2lxNq3NYK31YDMfZZiGCl24VMEdD0XrISSIuKXAWoTGwxBjIzxtmOgDW6tA49T3w0tsniqcMlSP4RK7tX6sUatY6f3UUY7oDOreoS2lvcRgtACdTWyfg+O27mq6c8TsM4lorMuMfGYxnyzguNs+LOruo9lr15rI29LedtneXtH3oefr4tQ4mZI40D2eiykOH8Eul+4r+SWn/ztDtqRhXHXq/Z924qalYO+V8UEl267pbzzyQpN2ADPWxgfYjca99lnXDDj8YynQZzeE+tGMWtmd83bnbfuou35pc/yZz5Ozfun9X5n4/9DWY3PffLCi0m9rE2+rmCl0+r03J0e4sF60zwYt65H8WN8G+J1LDyD+f4WZSipuwX0Gvf6wuw8+d1xcWZA83gJbD3exrS5AMxpZwgVSCkUpW5Yl/7JuSn678b0lr9/xE+KPy2wy/fvqNmrfBunmnae7yB3lHwyy50x/BMgrsxsgm38C0zLF9+shbe/tlXfXd2xjv9v7rf8hg7DfO/1wb7mC5epQy+bzQ8tfNprv7EODOY8iPenftQdnhjt6NRK3u3jkU4VjKahk47WmVyEzWVN1PXOixPE5/rfyjsoAbyRTLmQO1RUTEvcb2SpIRZWEAEehRxUdsyt3RsWUAVUq5k6i2JQJrLfh2flYP6W1VQjmegzrJYngqEbDZGmYvF99irm/AJDMXDzhEAAA \ | |
| | base64 -d | gunzip | patch -p1 | |
| CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') | |
| cp scripts/release-binary.sh scripts/release-binary.sh.tmp | |
| echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh | |
| cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh | |
| sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh | |
| sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh | |
| cat scripts/release-binary.sh | |
| - name: Build and push | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| env: | |
| BUILD_WITH_CONTAINER: 1 | |
| IMG: gcr.io/tetrate-istio-arm/build-tools-proxy:release-${{ steps.get_minor_ver.outputs.RELEASE_VERSION }}-tid | |
| run: make push_release | |
| - name: Put CentOS binary | |
| # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. | |
| # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz | |
| - name: Put Wasm binary | |
| # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. | |
| env: | |
| UPSTREAM_GCSP_PATH: gs://istio-build/proxy | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| create-images-arm64: | |
| name: create-images-arm64 | |
| runs-on: ["self-hosted", "arm64"] | |
| env: | |
| TARGETARCH: arm64 | |
| DOCKER_ARCHITECTURES: linux/arm64 | |
| HUB: ${{ secrets.CLOUDSMITH_HUB }} | |
| needs: [build_arm_proxy] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: "contains(github.event.ref, 'multiarch')" | |
| steps: | |
| - name: Checkout to choosen tag | |
| uses: actions/checkout@v2 | |
| with: | |
| ref: ${{ github.event.inputs.tag }} | |
| fetch-depth: 0 | |
| - name: Login to CloudSmith | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: ${{ env.HUB }} | |
| username: ${{ secrets.CLOUDSMITH_USER }} | |
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_istio_release.sh | |
| env: | |
| CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }} | |
| CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| TAG: ${{ github.event.inputs.tag }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| create-images-amd64: | |
| name: create-images-amd64 | |
| runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] | |
| needs: [build_fips_proxy] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: ${{ !cancelled() && !failure() }} | |
| env: | |
| HUB: ${{ secrets.CLOUDSMITH_HUB }} | |
| steps: | |
| - name: Checkout to choosen tag | |
| uses: actions/checkout@v2 | |
| with: | |
| ref: ${{ github.event.inputs.tag }} | |
| fetch-depth: 0 | |
| - name: Login to CloudSmith | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: ${{ env.HUB }} | |
| username: ${{ secrets.CLOUDSMITH_USER }} | |
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_istio_release.sh | |
| env: | |
| CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }} | |
| CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| TAG: ${{ github.event.inputs.tag }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| Scan: | |
| name: Scanner | |
| runs-on: ubuntu-20.04 | |
| needs: [create-images-amd64] | |
| if: ${{ !cancelled() && !failure() }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: List docker images | |
| run: bash ./tetrateci/images.sh && pwd | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: Scan images for CRITICAL vulnerabilities | |
| uses: docker://ghcr.io/aquasecurity/trivy | |
| with: | |
| entrypoint: /bin/sh | |
| args: -c "trivy image --clear-cache; for img in $(cat list.txt); do trivy image --exit-code 0 --severity HIGH,CRITICAL --no-progress --quiet --format sarif $img >> $img.sarif ;done " | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v1 | |
| with: | |
| sarif_file: containers.istio.tetratelabs.com | |
| create-multiarch-images: | |
| name: create-multiarch-images | |
| runs-on: ubuntu-latest | |
| needs: [create-images-amd64, create-images-arm64] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: "contains(github.event.ref, 'multiarch')" | |
| env: | |
| HUB: ${{ secrets.CLOUDSMITH_HUB }} | |
| steps: | |
| - name: Checkout to choosen tag | |
| uses: actions/checkout@v2 | |
| with: | |
| ref: ${{ github.event.inputs.tag }} | |
| fetch-depth: 0 | |
| - name: Login to CloudSmith | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: ${{ env.HUB }} | |
| username: ${{ secrets.CLOUDSMITH_USER }} | |
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ github.event.inputs.tag }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_multiarch_images.sh | |
| env: | |
| CLOUDSMITH_USER: ${{ secrets.CLOUDSMITH_USER }} | |
| CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| TAG: ${{ github.event.inputs.tag }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} |