Skip to content

Commit

Permalink
Add new Go-WASI actions
Browse files Browse the repository at this point in the history 
This provides a way to build Go-WASI policies that are signed, have
SBOMs,... all the good things we do for the other KW policies.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
  • Loading branch information
@flavio
flavio committed Sep 13, 2024
1 parent 1365ef9 commit 15b917b
Show file tree
Hide file tree
Showing 3 changed files with 181 additions and 0 deletions.
58 changes: 58 additions & 0 deletions .github/workflows/reusable-release-policy-go-wasi.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Build and release a Kubewarden policy written in Go targeting KW WASI policy mode

on:
workflow_call:
inputs:
oci-target:
type: string
required: true
artifacthub:
description: "check artifacthub-pkg.yml for submission to ArtifactHub"
required: false
type: boolean
default: true

jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Install dependencies
uses: kubewarden/github-actions/policy-gh-action-dependencies@v3.3.5
- uses: actions/checkout@v4
with:
# until https://github.com/actions/checkout/pull/579 is released
fetch-depth: 0
- id: calculate-version
# skip when releasing :latest from main, versions will not match
if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
# obtain latest tag. Here it must be the current release tag
run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
shell: bash
- name: Check that artifacthub-pkg.yml is up-to-date
# skip when releasing :latest from main, versions will not match
if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
uses: kubewarden/github-actions/check-artifacthub@v3.3.5
with:
version: ${{ steps.calculate-version.outputs.version }}
- name: Build and annotate policy
uses: kubewarden/github-actions/policy-build-go-wasi@v3.3.5
- name: Run e2e tests
run: |
make e2e-tests
- name: Release
uses: kubewarden/github-actions/policy-release@v3.3.5
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
oci-target: ${{ inputs.oci-target }}
push-artifacthub:
# skip when releasing :latest from main, versions will not match
if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
needs: release
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
runs-on: ubuntu-latest
steps:
- name: Push artifacthub files to artifacthub branch
uses: kubewarden/github-actions/push-artifacthub@v3.3.5
69 changes: 69 additions & 0 deletions .github/workflows/reusable-test-policy-go-wasi.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: Tests and linters

on:
workflow_call:
inputs:
artifacthub:
description: "check artifacthub-pkg.yml for submission to ArtifactHub"
required: false
type: boolean
default: true
secrets: {}

jobs:
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: setup Go
uses: actions/setup-go@v5
with:
go-version: "1.21"

- name: run Go unit tests
run: make test

e2e-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
uses: kubewarden/github-actions/policy-gh-action-dependencies@v3.3.5
- name: Build and annotate policy
with:
generate-sbom: false
uses: kubewarden/github-actions/policy-build-go-wasi@v3.3.5
- name: Run e2e tests
run: make e2e-tests

lint:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v5
with:
go-version: "1.21"
- uses: actions/checkout@v4
- name: golangci-lint
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: "latest"

check-artifacthub:
if: ${{ inputs.artifacthub }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# until https://github.com/actions/checkout/pull/579 is released
fetch-depth: 0
- name: Install kwctl
uses: kubewarden/github-actions/kwctl-installer@v3.3.5
- id: calculate-version
run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
shell: bash
- name: Check that artifacthub-pkg.yml is up-to-date
uses: kubewarden/github-actions/check-artifacthub@v3.3.5
with:
version: ${{ steps.calculate-version.outputs.version }}
check_version: false # must match a git tag that hasn't been created yet, so let's ignore until then
54 changes: 54 additions & 0 deletions policy-build-go-wasi/action.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: "kubewarden-policy-build-go-wasi"
description: "Build a Go policy using the official Go compiler, targetting WASI"
branding:
icon: "package"
color: "blue"
inputs:
generate-sbom:
required: false
description: "Generate and sign SBOM files"
# Boolean input should be compared with string
# until https://github.com/actions/runner/issues/2238 resolved
default: "true"
runs:
using: "composite"
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: setup Go
uses: actions/setup-go@v5
with:
go-version: "1.23"
- name: Build Wasm module
shell: bash
run: |
make policy.wasm
- name: Generate the SBOM files
if: ${{ inputs.generate-sbom == 'true' }}
shell: bash
run: |
spdx-sbom-generator -f json
# SBOM files should have "sbom" in the name due the CLO monitor
# https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
mv bom-go-mod.json policy-sbom.spdx.json
- name: Annotate Wasm module
shell: bash
run: |
make annotated-policy.wasm
- name: Sign BOM file
if: ${{ inputs.generate-sbom == 'true' }}
shell: bash
run: |
cosign sign-blob --yes --output-certificate policy-sbom.spdx.cert \
--output-signature policy-sbom.spdx.sig \
policy-sbom.spdx.json
- name: Upload policy SBOM files
if: ${{ inputs.generate-sbom == 'true' }}
uses: actions/upload-artifact@v4
with:
name: policy-sbom
path: |
policy-sbom.spdx.json
policy-sbom.spdx.cert
policy-sbom.spdx.sig

0 comments on commit 15b917b

Please sign in to comment.