Backport of ci(security-scanner): add support for Red Hat UBI images … #8430
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) HashiCorp, Inc. | |
| # SPDX-License-Identifier: MPL-2.0 | |
| name: build | |
| on: | |
| push: | |
| # Sequence of patterns matched against refs/heads | |
| branches: | |
| # Push events on the main branch | |
| - main | |
| - release/** | |
| env: | |
| PKG_NAME: consul | |
| # TODO(spatel): CE refactor | |
| METADATA: oss | |
| GOPRIVATE: github.com/hashicorp # Required for enterprise deps | |
| jobs: | |
| get-go-version: | |
| uses: ./.github/workflows/reusable-get-go-version.yml | |
| set-product-version: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| product-version: ${{ steps.set-product-version.outputs.product-version }} | |
| base-product-version: ${{ steps.set-product-version.outputs.base-product-version }} | |
| product-date: ${{ steps.get-product-version.outputs.product-date }} | |
| pre-version: ${{ steps.set-product-version.outputs.prerelease-product-version }} | |
| shared-ldflags: ${{ steps.shared-ldflags.outputs.shared-ldflags }} | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| # action-set-product-version implicitly sets fields like 'product-version' using version/VERSION | |
| # https://github.com/hashicorp/actions-set-product-version | |
| - name: set product version | |
| id: set-product-version | |
| uses: hashicorp/actions-set-product-version@v2 | |
| - name: get product version | |
| id: get-product-version | |
| run: | | |
| CONSUL_DATE=$(build-support/scripts/build-date.sh) | |
| echo "product-date=${CONSUL_DATE}" >> "$GITHUB_OUTPUT" | |
| - name: Set shared -ldflags | |
| id: shared-ldflags | |
| run: | | |
| T="github.com/hashicorp/consul/version" | |
| echo "shared-ldflags=-X ${T}.GitCommit=${GITHUB_SHA::8} \ | |
| -X ${T}.GitDescribe=${{ steps.set-product-version.outputs.product-version }} \ | |
| -X ${T}.BuildDate=${{ steps.get-product-version.outputs.product-date }} \ | |
| " >> "$GITHUB_OUTPUT" | |
| validate-outputs: | |
| needs: set-product-version | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Validate Outputs | |
| run: | | |
| echo "Product Version: ${{ needs.set-product-version.outputs.product-version }}" | |
| echo "Base Product Version: ${{ needs.set-product-version.outputs.base-product-version }}" | |
| echo "Product Metadata: ${{ env.METADATA }}" | |
| echo "Product Date: ${{ needs.set-product-version.outputs.product-date }}" | |
| echo "Prerelease Version: ${{ needs.set-product-version.outputs.pre-version }}" | |
| echo "Ldflags: ${{ needs.set-product-version.outputs.shared-ldflags }}" | |
| generate-metadata-file: | |
| needs: set-product-version | |
| runs-on: ubuntu-latest | |
| outputs: | |
| filepath: ${{ steps.generate-metadata-file.outputs.filepath }} | |
| steps: | |
| - name: 'Checkout directory' | |
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| - name: Generate metadata file | |
| id: generate-metadata-file | |
| uses: hashicorp/actions-generate-metadata@v1 | |
| with: | |
| version: ${{ needs.set-product-version.outputs.product-version }} | |
| product: ${{ env.PKG_NAME }} | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: metadata.json | |
| path: ${{ steps.generate-metadata-file.outputs.filepath }} | |
| build: | |
| needs: | |
| - set-product-version | |
| - get-go-version | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - {goos: "linux", goarch: "386"} | |
| - {goos: "linux", goarch: "amd64"} | |
| - {goos: "linux", goarch: "arm"} | |
| - {goos: "linux", goarch: "arm64"} | |
| - {goos: "darwin", goarch: "amd64"} | |
| - {goos: "darwin", goarch: "arm64"} | |
| - {goos: "freebsd", goarch: "386"} | |
| - {goos: "freebsd", goarch: "amd64"} | |
| - {goos: "windows", goarch: "386"} | |
| - {goos: "windows", goarch: "amd64"} | |
| - {goos: "solaris", goarch: "amd64"} | |
| fail-fast: true | |
| name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| - name: Setup with node and yarn | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: '18' | |
| cache: 'yarn' | |
| cache-dependency-path: 'ui/yarn.lock' | |
| - name: Build UI | |
| run: | | |
| CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }} | |
| CONSUL_DATE=${{ needs.set-product-version.outputs.product-date }} | |
| CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE} | |
| CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD) | |
| echo "consul_version is ${CONSUL_VERSION}" | |
| echo "consul_date is ${CONSUL_DATE}" | |
| echo "consul binary type is ${CONSUL_BINARY_TYPE}" | |
| echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}" | |
| cd ui && make && cd .. | |
| rm -rf agent/uiserver/dist | |
| mv ui/packages/consul-ui/dist agent/uiserver/ | |
| - name: Go Build | |
| env: | |
| PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }} | |
| PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }} | |
| CGO_ENABLED: "0" | |
| GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}" | |
| uses: hashicorp/actions-go-build@make-clean-flag-optional | |
| with: | |
| product_name: ${{ env.PKG_NAME }} | |
| product_version: ${{ needs.set-product-version.outputs.product-version }} | |
| go_version: ${{ needs.get-go-version.outputs.go-version }} | |
| os: ${{ matrix.goos }} | |
| arch: ${{ matrix.goarch }} | |
| reproducible: nope | |
| clean: false | |
| instructions: |- | |
| cp LICENSE $TARGET_DIR/LICENSE.txt | |
| go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false | |
| - name: Copy license file | |
| if: ${{ !endsWith(github.repository, '-enterprise') }} | |
| env: | |
| LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ env.PKG_NAME }}" | |
| run: | | |
| mkdir -p "$LICENSE_DIR" | |
| cp LICENSE "$LICENSE_DIR/LICENSE.txt" | |
| - name: Package | |
| if: ${{ matrix.goos == 'linux' }} | |
| uses: hashicorp/actions-packaging-linux@v1 | |
| with: | |
| name: ${{ github.event.repository.name }} | |
| description: "Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure. " | |
| arch: ${{ matrix.goarch }} | |
| version: ${{ needs.set-product-version.outputs.product-version }} | |
| maintainer: "HashiCorp" | |
| homepage: "https://github.com/hashicorp/consul" | |
| license: "BSL-1.1" | |
| binary: "dist/${{ env.PKG_NAME }}" | |
| deb_depends: "openssl" | |
| rpm_depends: "openssl" | |
| config_dir: ".release/linux/package" | |
| preinstall: ".release/linux/preinstall" | |
| postinstall: ".release/linux/postinstall" | |
| preremove: ".release/linux/preremove" | |
| postremove: ".release/linux/postremove" | |
| - name: Set Package Names | |
| if: ${{ matrix.goos == 'linux' }} | |
| run: | | |
| echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV | |
| echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| if: ${{ matrix.goos == 'linux' }} | |
| with: | |
| name: ${{ env.RPM_PACKAGE }} | |
| path: out/${{ env.RPM_PACKAGE }} | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| if: ${{ matrix.goos == 'linux' }} | |
| with: | |
| name: ${{ env.DEB_PACKAGE }} | |
| path: out/${{ env.DEB_PACKAGE }} | |
| build-s390x: | |
| needs: | |
| - set-product-version | |
| - get-go-version | |
| if: ${{ endsWith(github.repository, '-enterprise') }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - {goos: "linux", goarch: "s390x"} | |
| fail-fast: true | |
| name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| - name: Setup with node and yarn | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: '18' | |
| cache: 'yarn' | |
| cache-dependency-path: 'ui/yarn.lock' | |
| - name: Build UI | |
| run: | | |
| CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }} | |
| CONSUL_DATE=${{ needs.set-product-version.outputs.product-date }} | |
| CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE} | |
| CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD) | |
| echo "consul_version is ${CONSUL_VERSION}" | |
| echo "consul_date is ${CONSUL_DATE}" | |
| echo "consul binary type is ${CONSUL_BINARY_TYPE}" | |
| echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}" | |
| cd ui && make && cd .. | |
| rm -rf agent/uiserver/dist | |
| mv ui/packages/consul-ui/dist agent/uiserver/ | |
| - name: Go Build | |
| env: | |
| PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }} | |
| PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }} | |
| CGO_ENABLED: "0" | |
| GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}" | |
| uses: hashicorp/actions-go-build@make-clean-flag-optional | |
| with: | |
| product_name: ${{ env.PKG_NAME }} | |
| product_version: ${{ needs.set-product-version.outputs.product-version }} | |
| go_version: ${{ needs.get-go-version.outputs.go-version }} | |
| os: ${{ matrix.goos }} | |
| arch: ${{ matrix.goarch }} | |
| reproducible: nope | |
| clean: false | |
| instructions: |- | |
| cp LICENSE $TARGET_DIR/LICENSE.txt | |
| go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false | |
| build-docker: | |
| name: Docker ${{ matrix.arch }} build | |
| needs: | |
| - set-product-version | |
| - build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - { arch: "386" } | |
| - { arch: "arm" } | |
| - { arch: "amd64" } | |
| - { arch: "arm64" } | |
| env: | |
| repo: ${{github.event.repository.name}} | |
| version: ${{needs.set-product-version.outputs.product-version}} | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| # Strip everything but MAJOR.MINOR from the version string and add a `-dev` suffix | |
| # This naming convention will be used ONLY for per-commit dev images | |
| - name: Set docker dev tag | |
| run: | | |
| echo "full_dev_tag=${{ env.version }}" | |
| echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV | |
| echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" | |
| echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV | |
| - name: Docker Build (Action) | |
| uses: hashicorp/actions-docker-build@v2 | |
| with: | |
| version: ${{env.version}} | |
| target: default | |
| arch: ${{matrix.arch}} | |
| tags: | | |
| docker.io/hashicorp/${{env.repo}}:${{env.version}} | |
| public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}} | |
| dev_tags: | | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.full_dev_tag }} | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.full_dev_tag }}-${{ github.sha }} | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }} | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-${{ github.sha }} | |
| smoke_test: .github/scripts/verify_docker.sh v${{ env.version }} | |
| build-docker-ubi-dockerhub: | |
| name: Docker Build UBI Images | |
| needs: | |
| - set-product-version | |
| - build | |
| runs-on: ubuntu-latest | |
| env: | |
| repo: ${{github.event.repository.name}} | |
| version: ${{needs.set-product-version.outputs.product-version}} | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| # Strip everything but MAJOR.MINOR from the version string and add a `-dev` suffix | |
| # This naming convention will be used ONLY for per-commit dev images | |
| - name: Set docker dev tag | |
| run: | | |
| echo "full_dev_tag=${{ env.version }}" | |
| echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV | |
| echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" | |
| echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV | |
| - uses: hashicorp/actions-docker-build@v2 | |
| with: | |
| version: ${{env.version}} | |
| target: ubi | |
| arch: amd64 | |
| tags: | | |
| docker.io/hashicorp/${{env.repo}}:${{env.version}}-ubi | |
| public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}}-ubi | |
| dev_tags: | | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.full_dev_tag }}-ubi | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.full_dev_tag }}-ubi-${{ github.sha }} | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-ubi | |
| docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-ubi-${{ github.sha }} | |
| smoke_test: .github/scripts/verify_docker.sh v${{ env.version }} | |
| redhat_tag: quay.io/redhat-isv-containers/60f9fdbec3a80eac643abedf:${{env.version}}-ubi | |
| verify-linux: | |
| needs: | |
| - set-product-version | |
| - build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - { arch: "386" } | |
| - { arch: "arm" } | |
| - { arch: "amd64" } | |
| - { arch: "arm64" } | |
| fail-fast: true | |
| env: | |
| version: ${{ needs.set-product-version.outputs.product-version }} | |
| zip_name: consul_${{ needs.set-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip | |
| name: Verify ${{ matrix.arch }} linux binary | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }} | |
| - name: Download ${{ matrix.arch }} zip | |
| if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }} | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ env.zip_name }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| if: ${{ matrix.arch == 'arm' || matrix.arch == 'arm64' }} | |
| with: | |
| # this should be a comma-separated string as opposed to an array | |
| platforms: arm,arm64 | |
| - name: Run verification for ${{ matrix.arch }} binary | |
| if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }} | |
| run: .github/scripts/verify_artifact.sh ${{ env.zip_name }} v${{ env.version }} | |
| verify-linux-packages-deb: | |
| needs: | |
| - build | |
| - set-product-version | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - { arch: "i386" } | |
| - { arch: "armhf" } | |
| - { arch: "amd64" } | |
| - { arch: "arm64" } | |
| # fail-fast: true | |
| env: | |
| version: ${{ needs.set-product-version.outputs.product-version }} | |
| name: Verify ${{ matrix.arch }} debian package | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| - name: Set package version | |
| run: | | |
| echo "pkg_version=$(echo ${{ needs.set-product-version.outputs.product-version }} | sed 's/\-/~/g')" >> $GITHUB_ENV | |
| - name: Set package name | |
| run: | | |
| echo "pkg_name=consul_${{ env.pkg_version }}-1_${{ matrix.arch }}.deb" >> $GITHUB_ENV | |
| - name: Download workflow artifacts | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ env.pkg_name }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| with: | |
| platforms: all | |
| - name: Verify ${{ matrix.arch }} debian package | |
| run: ./.github/scripts/verify_artifact.sh ${{ env.pkg_name }} v${{ env.version }} | |
| verify-linux-packages-rpm: | |
| needs: | |
| - build | |
| - set-product-version | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - { arch: "i386" } | |
| - { arch: "x86_64" } | |
| # TODO(eculver): re-enable when there is a smaller verification container available | |
| # - { arch: "armv7hl" } | |
| # - { arch: "aarch64" } | |
| env: | |
| version: ${{ needs.set-product-version.outputs.product-version }} | |
| name: Verify ${{ matrix.arch }} rpm | |
| steps: | |
| - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
| - name: Set package version | |
| run: | | |
| echo "pkg_version=$(echo ${{ needs.set-product-version.outputs.product-version }} | sed 's/\-/~/g')" >> $GITHUB_ENV | |
| - name: Set package name | |
| run: | | |
| echo "pkg_name=consul-${{ env.pkg_version }}-1.${{ matrix.arch }}.rpm" >> $GITHUB_ENV | |
| - name: Download workflow artifacts | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ env.pkg_name }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| with: | |
| platforms: all | |
| - name: Verify ${{ matrix.arch }} rpm | |
| run: ./.github/scripts/verify_artifact.sh ${{ env.pkg_name }} v${{ env.version }} |