ci: create canary build after main branch changes (#1638)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-05 20:40:16 -08:00 · 2022-06-29 13:58:11 +00:00
parent 7111301fa4
commit 0ed39fc805
4 changed files with 205 additions and 60 deletions
--- a/.github/workflows/canary.yaml
+++ b/.github/workflows/canary.yaml
@@ -0,0 +1,55 @@
+name: Canary build
+on:
+  push:
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    name: Build binaries
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser-canary.yml
+      goreleaser_options: '--snapshot --rm-dist --timeout 60m' # will not release
+    secrets: inherit
+
+  upload-binaries:
+    name: Upload binaries
+    needs: build-binaries # run this job after 'build-binaries' job completes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Trivy binaries from cache
+        uses: actions/cache@v3.0.2
+        with:
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+        # Upload artifacts
+      - name: Upload artifacts (trivy_Linux-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-64bit
+          path: dist/trivy_*_Linux-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_Linux-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_Linux-ARM64
+          path: dist/trivy_*_Linux-ARM64.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-64bit)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-64bit
+          path: dist/trivy_*_macOS-64bit.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifacts (trivy_macOS-ARM64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy_macOS-ARM64
+          path: dist/trivy_*_macOS-ARM64.tar.gz
+          if-no-files-found: error
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,76 +3,37 @@ on:
  push:
    tags:
      - "v*"
-env:
-  GO_VERSION: "1.18"
-  GH_USER: "aqua-bot"
+
 jobs:
  release:
    name: Release
+    uses: ./.github/workflows/reusable-release.yaml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: '--rm-dist --timeout 60m'
+    secrets: inherit
+
+  deploy-packages:
+    name: Deploy rpm/dep packages
+    needs: release # run this job after 'release' job completes
    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    permissions:
-      id-token: write # For cosign
-      packages: write # For GHCR
-      contents: read  # Not required for public repositories, but for clarity
    steps:
-      - name: Install dependencies
-        run: |
-          sudo apt-get -y update
-          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Show available Docker Buildx platforms
-        run: echo ${{ steps.buildx.outputs.platforms }}
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: Cache Go modules
+
+      - name: Restore Trivy binaries from cache
        uses: actions/cache@v3.0.2
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Login to docker.io registry
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ghcr.io registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ env.GH_USER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v2
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v1
-        with:
-          args: mod -licenses -json -output bom.json
-          version: ^v1
-      - name: Release
-        uses: goreleaser/goreleaser-action@v3
-        with:
-          version: v1.4.1
-          args: release --rm-dist --timeout 60m
-        env:
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          path: dist/
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install rpm reprepro createrepo distro-info
+
      - name: Checkout trivy-repo
        uses: actions/checkout@v3
        with:
@@ -80,13 +41,17 @@ jobs:
          path: trivy-repo
          fetch-depth: 0
          token: ${{ secrets.ORG_REPO_TOKEN }}
+
      - name: Setup git settings
        run: |
          git config --global user.email "knqyf263@gmail.com"
          git config --global user.name "Teppei Fukuda"
+
      - name: Create rpm repository
        run: ci/deploy-rpm.sh
+
      - name: Import GPG key
        run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import
+
      - name: Create deb repository
-        run: ci/deploy-deb.sh
+        run: ci/deploy-deb.sh
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -0,0 +1,94 @@
+name: Reusable release
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: 'file path to GoReleaser config'
+        required: true
+        type: string
+      goreleaser_options:
+        description: 'GoReleaser options separated by spaces'
+        default: ''
+        required: false
+        type: string
+
+env:
+  GO_VERSION: "1.18"
+  GH_USER: "aqua-bot"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
+    steps:
+      - name: Cosign install
+        uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Show available Docker Buildx platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Login to docker.io registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          args: mod -licenses -json -output bom.json
+          version: ^v1
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: v1.4.1
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
+      - name: Cache Trivy binaries
+        uses: actions/cache@v3.0.2
+        with:
+          path: dist/
+          # use 'github.sha' to create a unique cache folder for each run.
+          # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
+          # e.g. build and release runs
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
--- a/goreleaser-canary.yml
+++ b/goreleaser-canary.yml
@@ -0,0 +1,31 @@
+project_name: trivy_canary_build
+builds:
+  -
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X main.version={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  -
+    format: tar.gz
+    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
+    replacements:
+      amd64: 64bit
+      arm64: ARM64
+      darwin: macOS
+      linux: Linux
+    files:
+      - README.md
+      - LICENSE
+      - contrib/*.tpl