build.yaml
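# Release pipeline for xk6-kafka, triggered by pushing a tag matching "v*".
# One job: cross-compile the k6 binary with xk6, generate SBOMs, build/push the
# multi-arch Docker image, sign and verify it with cosign, scan with Trivy, and
# publish a GitHub release with the tarballs and SBOM files.
#
# Supply-chain notes for reviewers:
# - Expression values (`github.ref_name`, `steps.meta.outputs.tags`) are handed
#   to shell steps through `env:` and expanded as quoted shell variables, so
#   their content is never spliced into the script text before bash parses it.
# - NOTE(review): there is no `permissions:` key, so GITHUB_TOKEN scopes come
#   from the repository/organisation defaults. Keyless `cosign sign` needs
#   `id-token: write`, SARIF upload needs `security-events: write`, and the
#   release step needs `contents: write`; declare the minimal set explicitly
#   after confirming what each action requires.
# - NOTE(review): third-party actions are referenced by mutable tags or a
#   branch, and Go tools are installed at `@latest`. In a job that holds
#   registry credentials and signs artifacts, pin these to reviewed versions
#   (full commit SHAs for actions).
name: Build and publish xk6-kafka

on:
  push:
    tags:
      - "v*"

jobs:
  build:
    name: Build xk6-kafka
    runs-on: ubuntu-latest
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@v4
        with:
          # Full history and tags rather than a shallow clone.
          fetch-depth: 0

      - name: Install Go 🧑💻
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        uses: actions/setup-go@v5
        with:
          # Quoted so the version stays a string.
          go-version: "1.23"

      - name: Install xk6 and build xk6-kafka for different platforms 🏗️
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          # The tag name reaches the script as data, not as script text.
          REF_NAME: ${{ github.ref_name }}
        run: |
          mkdir dist
          # NOTE(review): @latest makes the release binaries depend on whatever
          # xk6 version is current at build time; pin a reviewed version.
          go install go.k6.io/xk6/cmd/xk6@latest
          # ------------------------- Linux amd64 -------------------------
          GOOS=linux GOARCH=amd64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_linux_amd64" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_linux_amd64.tar.gz" "dist/xk6-kafka_${REF_NAME}_linux_amd64"
          # ------------------------- Linux arm64 -------------------------
          GOOS=linux GOARCH=arm64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_linux_arm64" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_linux_arm64.tar.gz" "dist/xk6-kafka_${REF_NAME}_linux_arm64"
          # ------------------------- macOS amd64 -------------------------
          GOOS=darwin GOARCH=amd64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_darwin_amd64" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_darwin_amd64.tar.gz" "dist/xk6-kafka_${REF_NAME}_darwin_amd64"
          # ------------------------- macOS arm64 -------------------------
          GOOS=darwin GOARCH=arm64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_darwin_arm64" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_darwin_arm64.tar.gz" "dist/xk6-kafka_${REF_NAME}_darwin_arm64"
          # ------------------------- Windows amd64 -------------------------
          GOOS=windows GOARCH=amd64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_windows_amd64.exe" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_windows_amd64.tar.gz" "dist/xk6-kafka_${REF_NAME}_windows_amd64.exe"
          # ------------------------- Windows arm64 -------------------------
          GOOS=windows GOARCH=arm64 xk6 build --output "dist/xk6-kafka_${REF_NAME}_windows_arm64.exe" --with "github.com/mostafa/xk6-kafka@${REF_NAME}=."
          tar cvzf "dist/xk6-kafka_${REF_NAME}_windows_arm64.tar.gz" "dist/xk6-kafka_${REF_NAME}_windows_arm64.exe"

      - name: Generate CycloneDX SBOM artifacts 📃
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # NOTE(review): @latest again; pin the SBOM generator like any other
          # build dependency.
          go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
          cyclonedx-gomod mod -json -licenses -output "code-cyclonedx-xk6-kafka-${REF_NAME}.json"

      - name: Docker meta 📝
        id: meta
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        uses: docker/metadata-action@v4
        with:
          images: mostafamoradian/xk6-kafka
          tags: |
            type=semver,pattern={{version}}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub 🔒
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push Docker image 🛳️
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: VERSION_TAG=${{ github.ref_name }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Install cosign ⬇️
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        # NOTE(review): `@main` is a moving branch, so the code that installs
        # the signing tool can change between releases without a change here.
        # Pin to a release tag or a full commit SHA.
        uses: sigstore/cosign-installer@main

      - name: Sign the Docker image ✍️
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        # One `cosign sign` call per line of the metadata step's tag list.
        # NOTE(review): the image is referenced by tag here; signing the digest
        # of the image that was just pushed removes any ambiguity about which
        # content the signature covers.
        run: |
          echo "${IMAGE_TAGS}" | xargs -I {} cosign sign -y docker.io/{}

      - name: Verify the Docker image signature ✅
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
          IDENTITY: ${{ secrets.IDENTITY }}
          OIDC_ISSUER_URL: ${{ secrets.OIDC_ISSUER_URL }}
        # Identity and issuer are quoted so an unexpected space in either value
        # cannot split into extra cosign arguments.
        run: |
          echo "${IMAGE_TAGS}" | xargs -I {} cosign verify --certificate-identity "${IDENTITY}" --certificate-oidc-issuer "${OIDC_ISSUER_URL}" docker.io/{}

      - name: Scan code with Trivy vulnerability scanner 🔍
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        # This step runs after the image has been pushed and signed, so a
        # non-zero exit here stops the later steps but not the Docker Hub
        # publish. NOTE(review): move the scan ahead of the push if it is meant
        # to gate publishing.
        uses: aquasecurity/trivy-action@0.29.0
        with:
          scan-type: "fs"
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: 1
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
          skip-dirs: "fixtures"

      - name: Upload Trivy scan results to GitHub Security tab ⬆️
        # The condition has no status function, so this step is skipped when
        # the Trivy step fails. NOTE(review): add `always()` to the condition if
        # findings should reach the Security tab on a failed scan.
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        # NOTE(review): v1 of codeql-action is a retired major version; move to
        # a currently supported major.
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: "trivy-results.sarif"

      - name: Scan Docker image with Syft and generate SBOM 🦉
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        # NOTE(review): no `image:` input is set; confirm that this scans the
        # pushed image, as the step name says, rather than the workspace.
        uses: anchore/sbom-action@v0
        with:
          artifact-name: docker-image-cyclonedx-xk6-kafka-${{ github.ref_name }}.json
          format: cyclonedx-json
          dependency-snapshot: true

      - name: Create Release 📦 and add binaries and SBOM files 💾
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        uses: softprops/action-gh-release@v1
        with:
          # NOTE(review): confirm the docker-image SBOM exists as a file in the
          # workspace at this point; the SBOM step above only sets
          # `artifact-name`.
          files: |
            dist/*.tar.gz
            code-cyclonedx-xk6-kafka-${{ github.ref_name }}.json
            docker-image-cyclonedx-xk6-kafka-${{ github.ref_name }}.json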