diff --git a/.github/workflows/reusable-release-policy-go-wasi.yml b/.github/workflows/reusable-release-policy-go-wasi.yml
new file mode 100644
index 0000000..5629a7d
--- /dev/null
+++ b/.github/workflows/reusable-release-policy-go-wasi.yml
@@ -0,0 +1,58 @@
+name: Build and release a Kubewarden policy written in Go targeting KW WASI policy mode
+
+on:
+ workflow_call:
+ inputs:
+ oci-target:
+ type: string
+ required: true
+ artifacthub:
+ description: "check artifacthub-pkg.yml for submission to ArtifactHub"
+ required: false
+ type: boolean
+ default: true
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install dependencies
+ uses: kubewarden/github-actions/policy-gh-action-dependencies@v3.3.5
+ - uses: actions/checkout@v4
+ with:
+ # until https://github.com/actions/checkout/pull/579 is released
+ fetch-depth: 0
+ - id: calculate-version
+ # skip when releasing :latest from main, versions will not match
+ if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
+ # obtain latest tag. Here it must be the current release tag
+ run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
+ shell: bash
+ - name: Check that artifacthub-pkg.yml is up-to-date
+ # skip when releasing :latest from main, versions will not match
+ if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
+ uses: kubewarden/github-actions/check-artifacthub@v3.3.5
+ with:
+ version: ${{ steps.calculate-version.outputs.version }}
+ - name: Build and annotate policy
+ uses: kubewarden/github-actions/policy-build-go-wasi@v3.3.5
+ - name: Run e2e tests
+ run: |
+ make e2e-tests
+ - name: Release
+ uses: kubewarden/github-actions/policy-release@v3.3.5
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ oci-target: ${{ inputs.oci-target }}
+ push-artifacthub:
+ # skip when releasing :latest from main, versions will not match
+ if: startsWith(github.ref, 'refs/tags/v') && inputs.artifacthub
+ needs: release
+ permissions:
+ # Give the default GITHUB_TOKEN write permission to commit and push the
+ # added or changed files to the repository.
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Push artifacthub files to artifacthub branch
+ uses: kubewarden/github-actions/push-artifacthub@v3.3.5
diff --git a/.github/workflows/reusable-test-policy-go-wasi.yml b/.github/workflows/reusable-test-policy-go-wasi.yml
new file mode 100644
index 0000000..227d71d
--- /dev/null
+++ b/.github/workflows/reusable-test-policy-go-wasi.yml
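Review bot: The `release` job declares no `permissions:` block, so it runs with whatever token scope the calling workflow happens to grant, while the sibling `push-artifacthub` job in the same hunk already scopes itself to `contents: write`. The job invokes `policy-build-go-wasi` without overriding `generate-sbom`, whose default in policy-build-go-wasi/action.yml is `"true"`, so that action's `cosign sign-blob --yes --output-certificate` step runs in this job; that flag set looks like keyless signing, which needs `id-token: write` on this job, not on the caller. I would add `permissions:` / `  contents: read` / `  id-token: write` to the job and, if `policy-release` pushes to GHCR, `packages: write` as well — confirm against that action. The kubewarden and actions/* steps are pinned to mutable tags whereas the lint job in reusable-test-policy-go-wasi.yml pins golangci-lint to a commit SHA; the release path is where an immutable pin matters most, so consider making the two files consistent.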
@@ -0,0 +1,69 @@
+name: Tests and linters
+
+on:
+ workflow_call:
+ inputs:
+ artifacthub:
+ description: "check artifacthub-pkg.yml for submission to ArtifactHub"
+ required: false
+ type: boolean
+ default: true
+ secrets: {}
+
+jobs:
+ unit-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: setup Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.21"
+
+ - name: run Go unit tests
+ run: make test
+
+ e2e-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ uses: kubewarden/github-actions/policy-gh-action-dependencies@v3.3.5
+ - name: Build and annotate policy
+ with:
+ generate-sbom: false
+ uses: kubewarden/github-actions/policy-build-go-wasi@v3.3.5
+ - name: Run e2e tests
+ run: make e2e-tests
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v5
+ with:
+ go-version: "1.21"
+ - uses: actions/checkout@v4
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+ with:
+ version: "latest"
+
+ check-artifacthub:
+ if: ${{ inputs.artifacthub }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ # until https://github.com/actions/checkout/pull/579 is released
+ fetch-depth: 0
+ - name: Install kwctl
+ uses: kubewarden/github-actions/kwctl-installer@v3.3.5
+ - id: calculate-version
+ run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
+ shell: bash
+ - name: Check that artifacthub-pkg.yml is up-to-date
+ uses: kubewarden/github-actions/check-artifacthub@v3.3.5
+ with:
+ version: ${{ steps.calculate-version.outputs.version }}
+ check_version: false # must match a git tag that hasn't been created yet, so let's ignore until then
diff --git a/policy-build-go-wasi/action.yml b/policy-build-go-wasi/action.yml
new file mode 100644
index 0000000..0b90088
--- /dev/null
+++ b/policy-build-go-wasi/action.yml
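Review bot: The `unit-tests` and `lint` jobs set up `go-version: "1.21"`, while `policy-build-go-wasi/action.yml` in this same commit builds the policy with `go-version: "1.23"`, so unit tests and the linter exercise a different toolchain than the module that is shipped (only `e2e-tests` gets 1.23, through the action). Use `go-version-file: go.mod` in both jobs, or align them on `"1.23"`, so the version is maintained in one place. The workflow also declares no `permissions:`; as a reusable workflow that will run on pull requests, a top-level `permissions:` / `  contents: read` is the least privilege the visible jobs need.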
@@ -0,0 +1,54 @@
+name: "kubewarden-policy-build-go-wasi"
+description: "Build a Go policy using the official Go compiler, targetting WASI"
+branding:
+ icon: "package"
+ color: "blue"
+inputs:
+ generate-sbom:
+ required: false
+ description: "Generate and sign SBOM files"
+ # Boolean input should be compared with string
+ # until https://github.com/actions/runner/issues/2238 resolved
+ default: "true"
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: setup Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.23"
+ - name: Build Wasm module
+ shell: bash
+ run: |
+ make policy.wasm
+ - name: Generate the SBOM files
+ if: ${{ inputs.generate-sbom == 'true' }}
+ shell: bash
+ run: |
+ spdx-sbom-generator -f json
+
+ # SBOM files should have "sbom" in the name due the CLO monitor
+ # https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
+ mv bom-go-mod.json policy-sbom.spdx.json
+ - name: Annotate Wasm module
+ shell: bash
+ run: |
+ make annotated-policy.wasm
+ - name: Sign BOM file
+ if: ${{ inputs.generate-sbom == 'true' }}
+ shell: bash
+ run: |
+ cosign sign-blob --yes --output-certificate policy-sbom.spdx.cert \ --output-signature policy-sbom.spdx.sig \ policy-sbom.spdx.json
+ - name: Upload policy SBOM files
+ if: ${{ inputs.generate-sbom == 'true' }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: policy-sbom
+ path: |
+ policy-sbom.spdx.json
+ policy-sbom.spdx.cert
+ policy-sbom.spdx.sig
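Review bot: The action `description` reads "targetting WASI"; it should be `description: "Build a Go policy using the official Go compiler, targeting WASI"`, since this string is what the Marketplace and the workflow UI display for the action. The `generate-sbom` input gates three steps (generate, sign, upload) but its `description` only says "Generate and sign SBOM files"; I would extend it to state that the signed SBOM is also uploaded as the `policy-sbom` artifact and that the sign step calls `cosign sign-blob`, which requires the calling job to grant `id-token: write` if keyless signing is intended — the `--output-certificate` flag suggests keyless, but nothing in the file states it, so confirm before documenting.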