chore: update action kit api dependency #1195
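name: ci
on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  # NOTE(review): pull_request also fires for fork PRs. The `audit` job below
  # runs repository code (`make audit`, minikube) on a self-hosted runner;
  # unless the org requires approval for fork workflow runs, an untrusted PR
  # gets code execution on that runner. Confirm the org setting or run the
  # audit job on a hosted runner for pull_request events.
  pull_request:
    branches:
      - 'main'
  workflow_dispatch:

# One run per workflow+ref; a newer push to the same ref cancels the older
# run. Tags get their own group, so a later main push does not cancel an
# in-flight release.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build_jars:
    name: Build Jars
    runs-on: ubuntu-latest
    # Build only: the GITHUB_TOKEN needs no write scope in this job.
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up JDK 21
        uses: actions/setup-java@v5
        with:
          distribution: zulu
          java-version: 21
          cache: maven
      - name: Build javaagent binaries
        run: mvn -s .github/workflows/maven-settings.xml clean install -B -V -U -f javaagents/pom.xml
      - name: Upload JARs
        uses: actions/upload-artifact@v7
        with:
          name: java-agents
          path: javaagents/download/target/javaagent/*.jar
          if-no-files-found: error
          retention-days: 3

  audit:
    name: Audit
    needs:
      - build_jars
    # Self-hosted runner; see the pull_request note at the top of the file.
    runs-on:
      labels: steadybit_runner_ubuntu_latest_4cores_16GB
    timeout-minutes: 60
    env:
      # Secrets are empty on fork PRs; these flags let the scanner steps skip
      # cleanly instead of failing on a missing token.
      sonar_available: ${{ secrets.SONAR_TOKEN != '' && 'true' || 'false' }}
      snyk_available: ${{ secrets.SNYK_TOKEN != '' && 'true' || 'false' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Download JARs
        uses: actions/download-artifact@v8
        with:
          name: java-agents
          path: javaagents/download/target/javaagent
      - uses: actions/setup-go@v6
        with:
          go-version: '^1.25.7'
      - name: Set up JDK 21
        uses: actions/setup-java@v5
        with:
          distribution: zulu
          java-version: 21
          cache: maven
      - uses: docker/setup-qemu-action@v4 # NOSONAR githubactions:S7637 - verified action creator
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4 # NOSONAR githubactions:S7637 - verified action creator
      - name: Audit
        run: |
          go mod download
          minikube config set WantUpdateNotification false
          minikube config set cpus max
          minikube config set memory 8g
          make audit
      - name: "[release] Snyk test"
        if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
        # NOTE(review): @master is a mutable ref. Pin to a tag or commit SHA
        # (as done for the helm actions below) so an upstream change cannot
        # silently alter what runs with SNYK_TOKEN in scope.
        uses: snyk/actions/golang@master # NOSONAR githubactions:S7637 - verified action creator
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # github.ref_name is the pushed tag name here; only tag pushers control it.
          args: --severity-threshold=high --project-name=${{ github.repository }} --target-reference=${{ github.ref_name }}
          command: test
      - name: SonarCloud Scan
        if: ${{ env.sonar_available == 'true' }}
        uses: sonarsource/sonarqube-scan-action@v7 # NOSONAR githubactions:S7637 - verified action creator
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: "[release] SonarCloud Quality Gate check"
        if: ${{ startsWith(github.ref, 'refs/tags/') && env.sonar_available == 'true' }}
        uses: sonarsource/sonarqube-quality-gate-action@v1 # NOSONAR githubactions:S7637 - verified action creator
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  build-images:
    name: Build Docker Images
    needs: [audit]
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: read
      packages: write
    outputs:
      version: ${{ steps.meta.outputs.version }}
      # Job outputs are always strings ('true'/'false'); consumers must
      # compare with == 'true' because the string 'false' is truthy in `if:`.
      deployer_available: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER != '' }}
      version_bump_available: ${{ vars.VERSION_BUMPER_APPID != '' && secrets.VERSION_BUMPER_SECRET != '' }}
    env:
      # Not read by any step in this job; kept for parity with `audit`.
      snyk_available: ${{ secrets.SNYK_TOKEN != '' && 'true' || 'false' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: docker/setup-qemu-action@v4 # NOSONAR githubactions:S7637 - verified action creator
      - uses: docker/setup-buildx-action@v4 # NOSONAR githubactions:S7637 - verified action creator
      - name: Log in to the container registry
        # PR builds never push, so they never need registry credentials.
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v4 # NOSONAR githubactions:S7637 - verified action creator
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v6 # NOSONAR githubactions:S7637 - verified action creator
        with:
          images: ghcr.io/${{ github.repository }}
      - name: Download JARs
        uses: actions/download-artifact@v8
        with:
          name: java-agents
          path: javaagents/download/target/javaagent
      - name: Build and push Docker image
        uses: docker/build-push-action@v6 # NOSONAR githubactions:S7637 - verified action creator
        with:
          context: ./
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            BUILD_SNAPSHOT=${{ !startsWith(github.ref, 'refs/tags/') }}
            NAME=${{ github.repository }}
            VERSION=${{ steps.meta.outputs.version }}
            REVISION=${{ github.sha }}

  snyk-test:
    name: "Snyk Test ${{ startsWith(github.ref, 'refs/tags/') && '- If this breaks for CVEs, you need to revoke the published image (and move latest tag)!' || '' }}"
    # NOTE(review): @main is a mutable ref into another repo; pin to a SHA.
    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main # NOSONAR githubactions:S7637 - our own action
    needs: [build-images]
    with:
      command: test
      # NOTE(review): this scans whatever `:latest` currently points at, which
      # is not necessarily the image built in this run (main pushes are tagged
      # by branch, and PR builds push nothing). Scanning
      # `ghcr.io/${{ github.repository }}:${{ needs.build-images.outputs.version }}`
      # would test the produced image instead — confirm the intent.
      container_image: ghcr.io/${{ github.repository }}:latest
    secrets:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  snyk-monitor:
    name: "[Release] Snyk Monitor latest"
    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main # NOSONAR githubactions:S7637 - our own action
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs: [build-images]
    with:
      command: monitor
      container_image: ghcr.io/${{ github.repository }}:latest
      target_ref: latest
    secrets:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  build-packages:
    name: Build Linux Packages
    needs: [audit]
    permissions:
      contents: 'read'
      # Needed for the GCP workload-identity federation in the upload steps.
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Download JARs
        uses: actions/download-artifact@v8
        with:
          name: java-agents
          path: javaagents/download/target/javaagent
      - uses: actions/setup-go@v6
        with:
          go-version: '^1.25.7'
      - name: Export GPG key
        env:
          SECRET: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
        run: |
          mkdir -p gpg
          # Owner-only permissions on the key file; it is deleted again by the
          # cleanup step at the end of this job. printf avoids any chance of
          # echo interpreting the key material as options or escapes.
          (umask 077 && printf '%s' "$SECRET" > gpg.key)
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7 # NOSONAR githubactions:S7637 - verified action creator
        with:
          distribution: goreleaser
          version: latest
          # Non-tag runs build a snapshot; PR runs additionally skip signing
          # (the key secret is empty for forks anyway).
          args: release --clean ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }} ${{ github.event_name == 'pull_request' && '--skip sign' || '' }}
        env:
          NFPM_KEY_FILE: gpg.key
          NFPM_DEFAULT_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSWORD }}
          # NOTE(review): a PAT is handed to goreleaser on every event, not
          # only on releases. If it is only needed for cross-repo release
          # assets, consider secrets.GITHUB_TOKEN for non-tag runs.
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
      - name: "[build] Upload packages to gcp internal repositories"
        if: github.event_name != 'pull_request'
        # NOTE(review): @main is a mutable ref; pin to a SHA.
        uses: steadybit/.github/actions/gar-upload-linux-packages@main
        with:
          workload_identity_provider: ${{ secrets.GCP_ARTIFACT_REGISTRY_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_SA }}
          project_id: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_ID }}
          location: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }}
          deb_repository: deb-dev
          yum_repository: yum-dev
          packages_dir: ./dist
      - name: "[release] Upload packages to gcp public repositories"
        if: ${{ startsWith(github.ref, 'refs/tags/') }}
        uses: steadybit/.github/actions/gar-upload-linux-packages@main
        with:
          workload_identity_provider: ${{ secrets.GCP_ARTIFACT_REGISTRY_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_SA }}
          project_id: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_ID }}
          location: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }}
          deb_repository: deb-public
          yum_repository: yum-public
          packages_dir: ./dist
      - name: Remove GPG key from workspace
        # Runs even if an earlier step failed so the private key never
        # outlives the job.
        if: always()
        run: rm -f gpg.key

  test-helm-charts:
    name: "Test Helm Charts"
    runs-on: ubuntu-latest
    needs: [audit]
    # Lint/test only: no write scope needed.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Helm
        uses: azure/setup-helm@v4 # NOSONAR githubactions:S7637 - verified action creator
        with:
          version: v3.19.3
      - name: Add dependency chart repos
        run: |
          helm repo add steadybit https://steadybit.github.io/helm-charts
      - uses: actions/setup-python@v6 # NOSONAR githubactions:S7637 - verified action creator
        with:
          python-version: "3.10"
      - name: Add unit testing plugin
        # NOTE(review): installs the plugin's default branch HEAD; pin it with
        # `--version <tag>` so the test toolchain is reproducible.
        run: |
          helm plugin install https://github.com/helm-unittest/helm-unittest.git
      - name: Run unit tests
        run: make charttesting
      - name: Set up chart-testing
        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
      - name: Run chart-testing (lint)
        run: ct lint --config chartTesting.yaml

  bump-chart-version:
    name: Bump Chart Patch Version on main branch
    needs: [build-images]
    # Job outputs are strings: 'false' is truthy, so compare explicitly.
    if: needs.build-images.outputs.version_bump_available == 'true' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: write
    steps:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ vars.GH_APP_STEADYBIT_APP_ID }}
          private-key: ${{ secrets.GH_APP_STEADYBIT_PRIVATE_KEY }}
      - uses: actions/checkout@v6
        with:
          ref: main
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
      # this commit will effectively cause another run of the workflow which then actually performs the helm chart release
      - env:
          # Passed through the environment rather than interpolated into the
          # script, so the value can never be parsed as shell.
          APP_VERSION: ${{ needs.build-images.outputs.version }}
        run: |
          npm install --ignore-scripts -g semver
          make chart-bump-version APP_VERSION="$APP_VERSION"
          git config user.name "$GITHUB_ACTOR"
          # NOTE(review): the address below appears redacted in this rendering — confirm the real value.
          git config user.email "[email protected]"
          git commit -am "chore: update helm chart version"
          git push

  release-helm-chart:
    name: "Release Helm Chart"
    runs-on: ubuntu-latest
    needs: [test-helm-charts]
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          # NOTE(review): the address below appears redacted in this rendering — confirm the real value.
          git config user.email "[email protected]"
      - name: Set up Helm
        uses: azure/setup-helm@v4 # NOSONAR githubactions:S7637 - verified action creator
        with:
          # NOTE(review): differs from the v3.19.3 used to test the charts;
          # align the two unless chart-releaser needs this older version.
          version: v3.12.2
      - name: Add dependency chart repos
        run: |
          helm repo add steadybit https://steadybit.github.io/helm-charts
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
        with:
          charts_dir: charts
          mark_as_latest: false
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

  trigger-test-environment-updates:
    name: Trigger test environment updates
    # Job outputs are strings: 'false' is truthy, so compare explicitly.
    if: github.ref == 'refs/heads/main' && needs.build-images.outputs.deployer_available == 'true'
    needs: [build-images]
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # Only the deployer PAT is used here; the GITHUB_TOKEN needs no scope.
    permissions:
      contents: read
    steps:
      - uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
        with:
          ref: main
          workflow: extension-restart.yml
          repo: steadybit/extension-deployer
          inputs: '{"extension":"${{ github.repository }}","version":"${{ needs.build-images.outputs.version }}","revision":"${{ github.sha }}"}'
          token: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER }}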