fix: update github-actions to latest SHA (42304ed) #23256
# yamllint disable rule:line-length rule:truthy
name: Release
# Generated by: gromit policy
# Distribution channels covered by this workflow
# - Ubuntu and Debian
# - RHEL and AL
# - docker hub
# - devenv ECR
# - Cloudsmith

# One in-flight run per workflow+ref; only pull_request runs are cancelled by a newer push
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:
  # Trigger release every monday at midnight for master CI images
  schedule:
    - cron: "0 0 * * 1"
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  push:
    branches:
      - master
      - release-**
    tags:
      - 'v*'

# Workflow-wide environment; BASE_REF is reused by several jobs below as the
# branch to compare against / fetch test parameters for
env:
  GOPRIVATE: github.com/TykTechnologies
  VARIATION: prod-variation
  DOCKER_BUILD_SUMMARY: false
  DOCKER_BUILD_RECORD_UPLOAD: false
  # startsWith covers pull_request_target too
  # PR events: the branch the PR targets; push/schedule: the pushed branch or tag name
  BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}

jobs:
  # Dependency guard from the shared github-actions repo, pinned to commit 42304ed (tracks main);
  # goreleaser below is gated on this job via needs
  dep-guard:
    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@42304edda365365e0a887cf018d8edc34b960b82 # main
    permissions:
      contents: read
| goreleaser: | |
| needs: [dep-guard] | |
| if: github.event.pull_request.draft == false | |
| name: '${{ matrix.golang_cross }}' | |
| runs-on: ${{ vars.DEFAULT_RUNNER }} | |
| permissions: | |
| id-token: write # AWS OIDC JWT | |
| contents: read # actions/checkout | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| golang_cross: | |
| - 1.25-bullseye | |
| include: | |
| - golang_cross: 1.25-bullseye | |
| goreleaser: 'ci/goreleaser/goreleaser.yml' | |
| cgo: 1 | |
| rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023' | |
| debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie' | |
| outputs: | |
| ee_tags: ${{ steps.ci_metadata_ee.outputs.tags }} | |
| std_tags: ${{ steps.ci_metadata_std.outputs.tags }} | |
| commit_author: ${{ steps.set_outputs.outputs.commit_author}} | |
| steps: | |
| - name: Checkout of tyk | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set some outputs for later | |
| id: set_outputs | |
| shell: bash | |
| env: | |
| HEAD_REF: ${{github.head_ref}} | |
| run: | | |
| echo "commit_author=$(git show -s --format='%ae' HEAD)" >> $GITHUB_OUTPUT | |
| echo "branch=${HEAD_REF##*/}" >> $GITHUB_OUTPUT | |
| - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 | |
| - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Login to DockerHub | |
| if: startsWith(github.ref, 'refs/tags') | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to Cloudsmith | |
| if: startsWith(github.ref, 'refs/tags') | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: docker.tyk.io | |
| username: ${{ secrets.CLOUDSMITH_USERNAME }} | |
| password: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | |
| role-session-name: cipush | |
| aws-region: eu-central-1 | |
| # Don't mask to pass it across job boundaries | |
| mask-aws-account-id: false | |
| - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2 | |
| id: ecr | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| with: | |
| mask-password: 'true' | |
| - uses: WarpBuilds/cache@f643a1ba29942d56621d07fc2d4284c7219868ad # v1 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| - name: Build | |
| env: | |
| NFPM_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} | |
| PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
| PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
| run: | | |
| echo '#!/bin/sh | |
| ci/bin/unlock-agent.sh | |
| git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com" | |
| git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk | |
| goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh | |
| chmod +x /tmp/build.sh | |
| docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \ | |
| -e GOPRIVATE=github.com/TykTechnologies \ | |
| -e DEBVERS='${{ matrix.debvers }}' \ | |
| -e RPMVERS='${{ matrix.rpmvers }}' \ | |
| -e CGO_ENABLED=${{ matrix.cgo }} \ | |
| -e NFPM_PASSPHRASE="$NFPM_PASSPHRASE" \ | |
| -e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20 \ | |
| -e PKG_SIGNING_KEY="$PKG_SIGNING_KEY" \ | |
| -e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN \ | |
| -v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v ~/.docker/config.json:/root/.docker/config.json \ | |
| -e GOCACHE=/cache/go-build \ | |
| -e GOMODCACHE=/go/pkg/mod \ | |
| -v ~/go/pkg/mod:/go/pkg/mod \ | |
| -v ~/.cache/go-build:/cache/go-build \ | |
| -v /tmp/build.sh:/tmp/build.sh \ | |
| -w /go/src/github.com/TykTechnologies/tyk \ | |
| tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh | |
| - name: Docker metadata for ee CI | |
| id: ci_metadata_ee | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: | | |
| ${{ steps.ecr.outputs.registry }}/tyk-ee | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha,format=long | |
| type=semver,pattern={{major}},prefix=v | |
| type=semver,pattern={{major}}.{{minor}},prefix=v | |
| type=semver,pattern={{version}},prefix=v | |
| - name: push ee image to CI | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: "dist" | |
| platforms: linux/amd64,linux/arm64,linux/s390x | |
| file: ci/Dockerfile.distroless | |
| provenance: mode=max | |
| sbom: true | |
| push: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: ${{ steps.ci_metadata_ee.outputs.tags }} | |
| labels: ${{ steps.ci_metadata_ee.outputs.labels }} | |
| build-args: | | |
| BUILD_PACKAGE_NAME=tyk-gateway-ee | |
| - name: Docker metadata for ee tag push | |
| id: tag_metadata_ee | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: | | |
| docker.tyk.io/tyk-gateway/tyk-gateway-ee | |
| tykio/tyk-gateway-ee | |
| flavor: | | |
| latest=false | |
| prefix=v | |
| tags: | | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{version}} | |
| labels: | | |
| org.opencontainers.image.title=Tyk Gateway Enterprise Edition | |
| org.opencontainers.image.description=Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols | |
| org.opencontainers.image.vendor=tyk.io | |
| org.opencontainers.image.version=${{ github.ref_name }} | |
| - name: push ee image to prod | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: "dist" | |
| platforms: linux/amd64,linux/arm64,linux/s390x | |
| file: ci/Dockerfile.distroless | |
| provenance: mode=max | |
| sbom: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| push: ${{ startsWith(github.ref, 'refs/tags') }} | |
| tags: ${{ steps.tag_metadata_ee.outputs.tags }} | |
| labels: ${{ steps.tag_metadata_ee.outputs.labels }} | |
| build-args: | | |
| BUILD_PACKAGE_NAME=tyk-gateway-ee | |
| - name: Docker metadata for std CI | |
| id: ci_metadata_std | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: | | |
| ${{ steps.ecr.outputs.registry }}/tyk | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha,format=long | |
| type=semver,pattern={{major}},prefix=v | |
| type=semver,pattern={{major}}.{{minor}},prefix=v | |
| type=semver,pattern={{version}},prefix=v | |
| - name: push std image to CI | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: "dist" | |
| platforms: linux/amd64,linux/arm64,linux/s390x | |
| file: ci/Dockerfile.distroless | |
| provenance: mode=max | |
| sbom: true | |
| push: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: ${{ steps.ci_metadata_std.outputs.tags }} | |
| labels: ${{ steps.ci_metadata_std.outputs.labels }} | |
| build-args: | | |
| BUILD_PACKAGE_NAME=tyk-gateway | |
| - name: Docker metadata for std tag push | |
| id: tag_metadata_std | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: | | |
| docker.tyk.io/tyk-gateway/tyk-gateway | |
| tykio/tyk-gateway | |
| flavor: | | |
| latest=false | |
| prefix=v | |
| tags: | | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{version}} | |
| labels: | | |
| org.opencontainers.image.title=Tyk Gateway | |
| org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols | |
| org.opencontainers.image.vendor=tyk.io | |
| org.opencontainers.image.version=${{ github.ref_name }} | |
| - name: push std image to prod | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: "dist" | |
| platforms: linux/amd64,linux/arm64,linux/s390x | |
| file: ci/Dockerfile.distroless | |
| provenance: mode=max | |
| sbom: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| push: ${{ startsWith(github.ref, 'refs/tags') }} | |
| tags: ${{ steps.tag_metadata_std.outputs.tags }} | |
| labels: ${{ steps.tag_metadata_std.outputs.labels }} | |
| build-args: | | |
| BUILD_PACKAGE_NAME=tyk-gateway | |
| - name: save deb | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| with: | |
| name: deb | |
| retention-days: 1 | |
| path: | | |
| dist/*.deb | |
| !dist/*PAYG*.deb | |
| !dist/*fips*.deb | |
| - name: save rpm | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| if: ${{ matrix.golang_cross == '1.25-bullseye' }} | |
| with: | |
| name: rpm | |
| retention-days: 1 | |
| path: | | |
| dist/*.rpm | |
| !dist/*PAYG*.rpm | |
| !dist/*fips*.rpm | |
  # Decides which tyk-analytics (dashboard) image the API tests should run against.
  # Outputs: dashboard_image (empty = let gromit choose), needs_build (triggers
  # build-dashboard-image), dashboard_branch, and a strategy label for the logs.
  resolve-dashboard-image:
    if: github.event.pull_request.draft == false
    needs: goreleaser
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    permissions:
      id-token: write
      contents: read
    outputs:
      dashboard_image: ${{ steps.resolve.outputs.dashboard_image }}
      needs_build: ${{ steps.resolve.outputs.needs_build }}
      dashboard_branch: ${{ steps.resolve.outputs.dashboard_branch }}
      strategy: ${{ steps.resolve.outputs.strategy }}
    steps:
      - name: Checkout tyk repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          # Empty on push/schedule events; the action then falls back to its default ref
          ref: ${{ github.event.pull_request.head.sha }}
      # Diffs the whole PR against BASE_REF and flags changes under any of the listed
      # top-level package directories; git failures are swallowed (treated as "no changes")
      - name: Check for relevant package changes in PR
        id: check_changes
        shell: bash
        env:
          RELEVANT_PACKAGES: ${{ vars.DASHBOARD_DEPENDENCY_PACKAGES || 'pkg apidef lib common certs log config test user header' }}
        run: |
          echo "Checking PR for changes in packages: $RELEVANT_PACKAGES"
          echo "Comparing PR against base branch: ${{ env.BASE_REF }}"
          # Compare entire PR against base branch
          git fetch origin ${{ env.BASE_REF }} 2>/dev/null || true
          CHANGED_FILES=$(git diff --name-only origin/${{ env.BASE_REF }}...HEAD 2>/dev/null || echo "")
          echo "Changed files in PR:"
          echo "$CHANGED_FILES"
          # Check if any changed files are in relevant packages
          HAS_RELEVANT_CHANGES=false
          for pkg in $RELEVANT_PACKAGES; do
            if echo "$CHANGED_FILES" | grep -q "^${pkg}/"; then
              echo "✓ Found changes in package: $pkg"
              HAS_RELEVANT_CHANGES=true
            fi
          done
          if [ "$HAS_RELEVANT_CHANGES" = "true" ]; then
            echo "has_relevant_changes=true" >> $GITHUB_OUTPUT
            echo "📦 Relevant package changes in PR - will build dashboard"
          else
            echo "has_relevant_changes=false" >> $GITHUB_OUTPUT
            echo "ℹ️ No relevant package changes in PR"
          fi
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
          mask-aws-account-id: false
      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
        with:
          mask-password: 'true'
      # Looks for a tyk-analytics branch with the same name as the PR head branch
      # (last path component of head_ref). NOTE(review): the token is embedded in the
      # ls-remote URL and so appears on the git command line — consider a credential
      # helper or an insteadOf rewrite as the other jobs do
      - name: Check if tyk-analytics branch exists
        id: check_branch
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if [ -z "$HEAD_REF" ]; then
            echo "Not a pull request, skipping branch check"
            echo "branch_exists=false" >> $GITHUB_OUTPUT
            exit 0
          fi
          BRANCH=${HEAD_REF##*/}
          echo "Checking for branch: $BRANCH in tyk-analytics"
          if git ls-remote --heads https://$GITHUB_TOKEN@github.com/TykTechnologies/tyk-analytics.git refs/heads/$BRANCH | grep -q .; then
            echo "✓ Branch '$BRANCH' exists in tyk-analytics"
            echo "branch_exists=true" >> $GITHUB_OUTPUT
            echo "branch=$BRANCH" >> $GITHUB_OUTPUT
          else
            echo "✗ Branch '$BRANCH' not found in tyk-analytics"
            echo "branch_exists=false" >> $GITHUB_OUTPUT
          fi
      # Checks ECR for a dashboard image previously built for this PR number
      - name: Check if ECR image exists for this PR
        id: check_ecr
        shell: bash
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [ -z "$PR_NUMBER" ]; then
            echo "Not a pull request, skipping ECR check"
            echo "image_exists=false" >> $GITHUB_OUTPUT
            exit 0
          fi
          IMAGE_TAG="tyk-${PR_NUMBER}"
          echo "Checking for ECR image: tyk-analytics:${IMAGE_TAG}"
          if aws ecr describe-images \
            --repository-name tyk-analytics \
            --image-ids imageTag=${IMAGE_TAG} \
            --region eu-central-1 2>/dev/null | grep -q imageId; then
            echo "✓ ECR image exists: ${IMAGE_TAG}"
            echo "image_exists=true" >> $GITHUB_OUTPUT
            echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
          else
            echo "✗ ECR image not found: ${IMAGE_TAG}"
            echo "image_exists=false" >> $GITHUB_OUTPUT
          fi
      # Priority order: non-master base → gromit default; matching branch → gromit;
      # relevant package changes → build; existing PR image → reuse; else gromit default
      - name: Resolve dashboard image strategy
        id: resolve
        shell: bash
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          BRANCH_EXISTS: ${{ steps.check_branch.outputs.branch_exists }}
          IMAGE_EXISTS: ${{ steps.check_ecr.outputs.image_exists }}
          BRANCH: ${{ steps.check_branch.outputs.branch }}
          IMAGE_TAG: ${{ steps.check_ecr.outputs.image_tag }}
          BASE_REF: ${{ env.BASE_REF }}
          COMMIT_SHA: ${{ github.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HAS_RELEVANT_CHANGES: ${{ steps.check_changes.outputs.has_relevant_changes }}
        run: |
          echo "=================================="
          echo "📊 Dashboard Image Resolution"
          echo "=================================="
          echo "PR number: $PR_NUMBER"
          echo "Base ref: $BASE_REF"
          echo "Branch exists: $BRANCH_EXISTS"
          echo "PR image exists: $IMAGE_EXISTS"
          echo "Branch name: $BRANCH"
          echo "PR image tag: $IMAGE_TAG"
          echo "Commit SHA: $COMMIT_SHA"
          echo "Has relevant changes in PR: $HAS_RELEVANT_CHANGES"
          echo "=================================="
          # Only use custom build strategies for PRs targeting master
          if [ "$BASE_REF" != "master" ]; then
            echo "ℹ️ Strategy: Use gromit default (base branch is not master)"
            echo "   → Custom builds only for master branch PRs"
            echo "dashboard_image=" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=" >> $GITHUB_OUTPUT
            echo "strategy=gromit-default" >> $GITHUB_OUTPUT
          # Strategy 1: Matching branch exists in tyk-analytics → use gromit
          elif [ "$BRANCH_EXISTS" = "true" ]; then
            echo "📋 Strategy: Use matching branch '$BRANCH' via gromit"
            echo "   → No override needed, gromit will handle it"
            echo "dashboard_image=" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=$BRANCH" >> $GITHUB_OUTPUT
            echo "strategy=gromit-branch" >> $GITHUB_OUTPUT
          # Strategy 2a: PR has relevant changes → build new image
          elif [ "$HAS_RELEVANT_CHANGES" = "true" ]; then
            PR_IMAGE_TAG="tyk-${PR_NUMBER}"
            echo "🔨 Strategy: Build dashboard (PR has relevant package changes)"
            echo "   → Will update gateway ref to $COMMIT_SHA"
            echo "   → Will push to: ${REGISTRY}/tyk-analytics:${PR_IMAGE_TAG}"
            echo "dashboard_image=${REGISTRY}/tyk-analytics:${PR_IMAGE_TAG}" >> $GITHUB_OUTPUT
            echo "needs_build=true" >> $GITHUB_OUTPUT
            echo "dashboard_branch=$BASE_REF" >> $GITHUB_OUTPUT
            echo "strategy=build-required" >> $GITHUB_OUTPUT
          # Strategy 2b: PR image exists and no relevant changes → reuse existing image
          elif [ "$IMAGE_EXISTS" = "true" ]; then
            echo "🐳 Strategy: Reuse existing PR image (no relevant package changes in PR)"
            echo "   → Image: ${REGISTRY}/tyk-analytics:${IMAGE_TAG}"
            echo "dashboard_image=${REGISTRY}/tyk-analytics:${IMAGE_TAG}" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=" >> $GITHUB_OUTPUT
            echo "strategy=reuse-pr-image" >> $GITHUB_OUTPUT
          # Strategy 3: Fallback to gromit default
          else
            echo "ℹ️ Strategy: Use gromit default"
            echo "   → No matching branch, no existing PR image, no relevant changes"
            echo "dashboard_image=" >> $GITHUB_OUTPUT
            echo "needs_build=false" >> $GITHUB_OUTPUT
            echo "dashboard_branch=" >> $GITHUB_OUTPUT
            echo "strategy=gromit-default" >> $GITHUB_OUTPUT
          fi
          echo "=================================="
          echo "✅ Resolution complete"
          echo "=================================="
| build-dashboard-image: | |
| if: needs.resolve-dashboard-image.outputs.needs_build == 'true' | |
| needs: resolve-dashboard-image | |
| runs-on: ${{ vars.DEFAULT_RUNNER }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| outputs: | |
| dashboard_image: ${{ steps.output.outputs.image }} | |
| steps: | |
| - name: Checkout tyk-analytics | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: TykTechnologies/tyk-analytics | |
| ref: ${{ needs.resolve-dashboard-image.outputs.dashboard_branch }} | |
| token: ${{ secrets.ORG_GH_TOKEN }} | |
| fetch-depth: 1 | |
| submodules: true | |
| - name: Update gateway reference to PR branch | |
| shell: bash | |
| env: | |
| GATEWAY_BRANCH: ${{ github.head_ref }} | |
| ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | |
| run: | | |
| echo "📦 Updating tyk-gateway dependency to branch: $GATEWAY_BRANCH" | |
| # Configure git for go get | |
| git config --global url."https://${ORG_GH_TOKEN}@github.com".insteadOf "https://github.com" | |
| # Update dependency using branch name | |
| go get github.com/TykTechnologies/tyk@$GATEWAY_BRANCH | |
| # Update replace directive if present | |
| go mod edit -replace github.com/TykTechnologies/tyk=github.com/TykTechnologies/tyk@$GATEWAY_BRANCH | |
| go mod tidy | |
| echo "✅ Updated go.mod:" | |
| grep "github.com/TykTechnologies/tyk" go.mod | |
| - name: Fetch pre-built UI assets from S3 | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_BINDATA_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_BINDATA_SECRET_ACCESS_KEY }} | |
| AWS_REGION: eu-central-1 | |
| AWS_SESSION_TOKEN: "" | |
| run: | | |
| # Read the vendored commit SHA | |
| ASSETS_COMMIT=$(cat .assets_vendor | head -n 1 | tr -d '\n') | |
| echo "Fetching UI assets for commit: ${ASSETS_COMMIT}" | |
| aws s3 sync s3://tyk-dashboard-assets-ci/commits/${ASSETS_COMMIT}/ internal/uiassets/dist/ | |
| if [ ! -f internal/uiassets/dist/_index.html ]; then | |
| echo "❌ Failed to fetch assets: _index.html not found" | |
| exit 1 | |
| fi | |
| echo "✓ Assets fetched successfully to internal/uiassets/dist/" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk | |
| role-session-name: cipush | |
| aws-region: eu-central-1 | |
| - name: Login to Amazon ECR | |
| id: ecr | |
| uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2 | |
| with: | |
| mask-password: 'true' | |
| - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 | |
| - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - uses: WarpBuilds/cache@f643a1ba29942d56621d07fc2d4284c7219868ad # v1 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-dashboard-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-dashboard- | |
| - name: Build dashboard packages for current architecture | |
| shell: bash | |
| env: | |
| ECR_REGISTRY: ${{ steps.ecr.outputs.registry }} | |
| IMAGE_TAG: tyk-${{ github.event.pull_request.number }} | |
| GOPRIVATE: github.com/TykTechnologies | |
| ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} | |
| run: | | |
| # Detect current architecture | |
| ARCH=$(uname -m) | |
| case $ARCH in | |
| x86_64) | |
| GOARCH=amd64 | |
| ;; | |
| aarch64) | |
| GOARCH=arm64 | |
| ;; | |
| *) | |
| echo "Unsupported architecture: $ARCH" | |
| exit 1 | |
| ;; | |
| esac | |
| echo "🔨 Building tyk-analytics packages for linux/$GOARCH" | |
| echo " Target image: ${ECR_REGISTRY}/tyk-analytics:${IMAGE_TAG}" | |
| # Build using goreleaser for current platform only | |
| cat > /tmp/build-dashboard.sh <<'EOF' | |
| #!/bin/sh | |
| set -eax | |
| git config --global url."https://${ORG_GH_TOKEN}@github.com".insteadOf "https://github.com" | |
| git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-analytics | |
| # Build packages for current platform (GOOS and GOARCH are set via docker -e) | |
| goreleaser release --clean -f ci/goreleaser/goreleaser.yml --snapshot --skip=sign,docker | |
| EOF | |
| chmod +x /tmp/build-dashboard.sh | |
| # Build in golang-cross container | |
| docker run --rm --privileged -e GITHUB_TOKEN=${ORG_GH_TOKEN} \ | |
| -e GOPRIVATE=github.com/TykTechnologies \ | |
| -e CGO_ENABLED=1 \ | |
| -e GOOS=linux \ | |
| -e GOARCH=$GOARCH \ | |
| -v ${{ github.workspace }}:/go/src/github.com/TykTechnologies/tyk-analytics \ | |
| -v ~/.cache/go-build:/cache/go-build \ | |
| -v ~/go/pkg/mod:/go/pkg/mod \ | |
| -e GOCACHE=/cache/go-build \ | |
| -e GOMODCACHE=/go/pkg/mod \ | |
| -v /tmp/build-dashboard.sh:/tmp/build-dashboard.sh \ | |
| -w /go/src/github.com/TykTechnologies/tyk-analytics \ | |
| tykio/golang-cross:1.25-bookworm /tmp/build-dashboard.sh | |
| echo "✅ Packages built successfully for $GOARCH" | |
| - name: Detect platform for Docker build | |
| id: platform | |
| shell: bash | |
| run: | | |
| ARCH=$(uname -m) | |
| case $ARCH in | |
| x86_64) | |
| PLATFORM=linux/amd64 | |
| ;; | |
| aarch64) | |
| PLATFORM=linux/arm64 | |
| ;; | |
| *) | |
| echo "Unsupported architecture: $ARCH" | |
| exit 1 | |
| ;; | |
| esac | |
| echo "platform=$PLATFORM" >> $GITHUB_OUTPUT | |
| echo "Building for platform: $PLATFORM" | |
| - name: Build and push dashboard Docker image | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: dist | |
| file: ci/Dockerfile.distroless | |
| platforms: ${{ steps.platform.outputs.platform }} | |
| push: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: ${{ steps.ecr.outputs.registry }}/tyk-analytics:tyk-${{ github.event.pull_request.number }} | |
| labels: | | |
| org.opencontainers.image.title=Tyk Dashboard (Custom Build for PR) | |
| org.opencontainers.image.description=Built from ${{ needs.resolve-dashboard-image.outputs.dashboard_branch }} with gateway branch ${{ github.head_ref }} | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=https://github.com/TykTechnologies/tyk-analytics | |
| tyk.gateway.branch=${{ github.head_ref }} | |
| tyk.gateway.pr=${{ github.event.pull_request.number }} | |
| tyk.dashboard.branch=${{ needs.resolve-dashboard-image.outputs.dashboard_branch }} | |
| build-args: | | |
| BUILD_PACKAGE_NAME=tyk-dashboard | |
| - name: Output image reference | |
| id: output | |
| shell: bash | |
| run: | | |
| IMAGE="${{ steps.ecr.outputs.registry }}/tyk-analytics:tyk-${{ github.event.pull_request.number }}" | |
| echo "image=$IMAGE" >> $GITHUB_OUTPUT | |
| echo "✅ Dashboard image built and pushed: $IMAGE" | |
  # Asks the shared test-controller action for the API test matrix (env files,
  # pump and sink images) for this variation and base branch
  test-controller-api:
    if: github.event.pull_request.draft == false
    needs:
      - goreleaser
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    outputs:
      envfiles: ${{ steps.params.outputs.envfiles }}
      pump: ${{ steps.params.outputs.pump }}
      sink: ${{ steps.params.outputs.sink }}
    steps:
      - name: Set test parameters
        uses: TykTechnologies/github-actions/.github/actions/tests/test-controller@42304edda365365e0a887cf018d8edc34b960b82 # main
        id: params
        with:
          variation: ${{ env.VARIATION }}
          base_ref: ${{ env.BASE_REF }}
          test_type: api
  # Runs the API test suite against the freshly built gateway image (ee tags preferred,
  # std as fallback, tyk-ee:master from ECR if neither is set) and the resolved dashboard image
  api-tests:
    needs:
      - test-controller-api
      - goreleaser
      - resolve-dashboard-image
      - build-dashboard-image
    # build-dashboard-image may be skipped, so use if: always() to run regardless
    if: |
      always() &&
      needs.test-controller-api.result == 'success' &&
      needs.goreleaser.result == 'success' &&
      needs.resolve-dashboard-image.result == 'success' &&
      (needs.build-dashboard-image.result == 'success' || needs.build-dashboard-image.result == 'skipped')
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    env:
      XUNIT_REPORT_PATH: ${{ github.workspace}}/test-results.xml
    permissions:
      id-token: write # This is required for requesting the Github JWT
      contents: read # This is required for actions/checkout
    strategy:
      fail-fast: false
      # Matrix axes come from the test-controller job as JSON arrays
      matrix:
        envfiles: ${{ fromJson(needs.test-controller-api.outputs.envfiles) }}
        pump: ${{ fromJson(needs.test-controller-api.outputs.pump) }}
        sink: ${{ fromJson(needs.test-controller-api.outputs.sink) }}
        # $ECR is a literal placeholder here; it has to match the string the controller emits
        exclude:
          - pump: tykio/tyk-pump-docker-pub:v1.8
            sink: $ECR/tyk-sink:master
          - pump: $ECR/tyk-pump:master
            sink: tykio/tyk-mdcb-docker:v2.4
    steps:
      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
        with:
          mask-password: 'true'
      # Interactive debugging only when the run was started with debug logging enabled
      - name: Setup tmate session only in debug mode
        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
        if: runner.debug == '1'
        with:
          detached: true
          limit-access-to-actor: true
          # Only ${{ github.actor }} has access
          # See https://github.com/mxschmitt/action-tmate#use-registered-public-ssh-keys
      # NOTE(review): this checkout uses the workflow's github.token while the later
      # steps use secrets.ORG_GH_TOKEN — confirm the default token is sufficient for tyk-pro
      - name: Fetch environment from tyk-pro
        uses: TykTechnologies/github-actions/.github/actions/tests/checkout-tyk-pro@42304edda365365e0a887cf018d8edc34b960b82 # main
        with:
          org_gh_token: ${{ github.token }}
      - name: Set up test environment
        uses: TykTechnologies/github-actions/.github/actions/tests/env-up@42304edda365365e0a887cf018d8edc34b960b82 # main
        timeout-minutes: 5
        id: env_up
        with:
          base_ref: ${{ env.BASE_REF }}
          tags: ${{ needs.goreleaser.outputs.ee_tags || needs.goreleaser.outputs.std_tags || format('{0}/tyk-ee:master', steps.ecr.outputs.registry) }}
          # Empty when resolve-dashboard-image chose a gromit strategy
          dashboard_image: ${{ needs.resolve-dashboard-image.outputs.dashboard_image }}
          github_token: ${{ secrets.ORG_GH_TOKEN }}
          TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }}
          TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }}
      - name: Choose test code branch
        uses: TykTechnologies/github-actions/.github/actions/tests/choose-test-branch@42304edda365365e0a887cf018d8edc34b960b82 # main
        with:
          test_folder: api
          org_gh_token: ${{ secrets.ORG_GH_TOKEN }}
      - name: Run API tests
        uses: TykTechnologies/github-actions/.github/actions/tests/api-tests@42304edda365365e0a887cf018d8edc34b960b82 # main
        timeout-minutes: 45
        id: test_execution
        with:
          user_api_secret: ${{ steps.env_up.outputs.USER_API_SECRET }}
      # Reports are produced even on failure, but not when the test step itself never ran
      - name: Generate test reports and collect logs
        uses: TykTechnologies/github-actions/.github/actions/tests/reporting@42304edda365365e0a887cf018d8edc34b960b82 # main
        if: always() && (steps.test_execution.conclusion != 'skipped')
        with:
          report_xml: 'true'
          execution_status: ${{ steps.test_execution.outcome }}
| aggregator-ci-test: | |
| name: Aggregated CI Status | |
| runs-on: ${{ vars.DEFAULT_RUNNER }} | |
| # Dynamically determine which jobs to depend on based on repository configuration | |
| needs: [goreleaser, api-tests] | |
| if: ${{ always() && github.event_name == 'pull_request' }} | |
| steps: | |
| - name: Aggregate results | |
| run: | | |
| failed=() | |
| # Get the needs context as JSON once | |
| needs_json='${{ toJSON(needs) }}' | |
| # Loop through all jobs in the needs context | |
| for job in $(echo "$needs_json" | jq -r 'keys[]'); do | |
| job_result=$(echo "$needs_json" | jq -r --arg job "$job" '.[$job].result') | |
| if [[ "$job_result" != "success" ]]; then | |
| failed+=("$job") | |
| fi | |
| done | |
| if (( ${#failed[@]} )); then | |
| # Join the failed job names with commas | |
| failed_jobs=$(IFS=", "; echo "${failed[*]}") | |
| echo "❌ Failed jobs ----- : $failed_jobs" | |
| exit 1 | |
| fi | |
| echo "✅ All required jobs succeeded" | |
  # Fetches the deb/rpm distro lists for the upgrade jobs from the internal test
  # controller endpoint; the response is appended verbatim to GITHUB_OUTPUT and is
  # expected to define the `deb` and `rpm` outputs read below.
  # NOTE(review): the endpoint is fetched over plain http and its body is trusted as
  # output definitions — confirm this host is only reachable from the runner network.
  test-controller-distros:
    if: github.event.pull_request.draft == false
    needs:
      - goreleaser
    runs-on: ${{ vars.DEFAULT_RUNNER }}
    outputs:
      deb: ${{ steps.params.outputs.deb }}
      rpm: ${{ steps.params.outputs.rpm }}
    steps:
      - name: set params
        id: params
        shell: bash
        env:
          # startsWith covers pull_request_target too
          # Same expression as the workflow-level BASE_REF; redefined here so the step
          # reads it from its own env
          BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
        run: |
          set -eo pipefail
          curl -s --retry 5 --retry-delay 10 --fail-with-body "http://tui.internal.dev.tyk.technology/v2/$VARIATION/tyk/$BASE_REF/${{ github.event_name}}/api/Distros.gho" | tee -a "$GITHUB_OUTPUT"
          if ! [[ $VARIATION =~ prod ]];then
            echo "::warning file=.github/workflows/release.yml,line=24,col=1,endColumn=8::Using test variation"
          fi
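upgrade-deb:
  services:
    httpbin.org:
      image: kennethreitz/httpbin
  runs-on: ${{ vars.DEFAULT_RUNNER }}
  needs:
    - test-controller-distros
  strategy:
    fail-fast: true
    matrix:
      arch:
        - amd64
        - arm64
      # Distro images come from the test-controller-distros output, i.e. from an
      # HTTP response rather than from this file — treat them as data, not code.
      distro: ${{ fromJson(needs.test-controller-distros.outputs.deb) }}
  steps:
    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      with:
        fetch-depth: 1
        sparse-checkout: ci
    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
      with:
        name: deb
    - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
    - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
    - name: generate dockerfile
      env:
        # Bound to an env var instead of being expanded inside the script so a
        # distro string containing a quote cannot alter the shell command.
        DISTRO: ${{ matrix.distro }}
      shell: bash
      run: |
        set -eo pipefail
        printf 'FROM %s\n' "$DISTRO" > Dockerfile
        # Quoted heredoc: ${TARGETARCH} must reach the Dockerfile unexpanded.
        cat >> Dockerfile <<'EOF'
        ARG TARGETARCH
        COPY tyk-gateway*_${TARGETARCH}.deb /tyk-gateway.deb
        RUN apt-get update && apt-get install -y curl
        # TODO: Pin packagecloud install script or vendor it — currently piping curl to bash
        RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash || echo "Repository setup failed, but continuing"
        RUN apt-get install -y tyk-gateway=3.0.8 || echo "Previous version not found, testing fresh install"
        RUN dpkg -i /tyk-gateway.deb
        RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
        COPY ci/tests/api-functionality/data/api.json /opt/tyk-gateway/apps/
        CMD ["/opt/tyk-gateway/tyk", "--conf", "/opt/tyk-gateway/tyk.conf"]
        EOF
        # Echo the generated file into the log, as the previous `tee` did.
        cat Dockerfile
    - name: install on ${{ matrix.distro }}
      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
      with:
        context: "."
        platforms: linux/${{ matrix.arch }}
        # The deb Dockerfile reads the builtin TARGETARCH; RHELARCH is only used
        # by the rpm image and is kept here so the two build steps stay identical.
        build-args: |
          RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
        file: Dockerfile
        push: false
        tags: test-${{ matrix.distro }}-${{ matrix.arch }}
        load: true
    - name: Test the built container image with api functionality test.
      env:
        # Same reason as above: the image tag embeds matrix.distro.
        IMAGE: test-${{ matrix.distro }}-${{ matrix.arch }}
      run: |
        docker run -d -p8080:8080 --name=test --platform linux/${{ matrix.arch }} --network ${{ job.container.network }} --rm "$IMAGE"
        sleep 2
        ./ci/tests/api-functionality/api_test.sh
        sleep 2
        docker stop test || true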
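upgrade-rpm:
  services:
    httpbin.org:
      image: kennethreitz/httpbin
  runs-on: ${{ vars.DEFAULT_RUNNER }}
  needs:
    - test-controller-distros
  strategy:
    fail-fast: true
    matrix:
      arch:
        - amd64
        - arm64
      # Distro images come from the test-controller-distros output, i.e. from an
      # HTTP response rather than from this file — treat them as data, not code.
      distro: ${{ fromJson(needs.test-controller-distros.outputs.rpm) }}
  steps:
    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      with:
        fetch-depth: 1
        sparse-checkout: ci
    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
      with:
        name: rpm
    - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
    - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
    - name: generate dockerfile
      env:
        # Bound to an env var instead of being expanded inside the script so a
        # distro string containing a quote cannot alter the shell command.
        DISTRO: ${{ matrix.distro }}
      shell: bash
      run: |
        set -eo pipefail
        printf 'FROM %s\n' "$DISTRO" > Dockerfile
        # Quoted heredoc: ${RHELARCH} must reach the Dockerfile unexpanded.
        cat >> Dockerfile <<'EOF'
        ARG RHELARCH
        COPY tyk-gateway*.${RHELARCH}.rpm /tyk-gateway.rpm
        RUN command -v curl || yum install -y curl
        RUN command -v useradd || yum install -y shadow-utils
        # TODO: Pin packagecloud install script or vendor it — currently piping curl to bash
        RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash || echo "Repository setup failed, but continuing"
        RUN yum install -y tyk-gateway-3.0.8-1 || echo "Previous version not found, testing fresh install"
        # -f: an HTTP error must fail the build rather than leave an error page in the key file
        RUN curl -fsSL https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-gateway.key && rpm --import tyk-gateway.key
        RUN rpm --checksig /tyk-gateway.rpm
        RUN rpm -Uvh --force /tyk-gateway.rpm
        RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
        COPY ci/tests/api-functionality/data/api.json /opt/tyk-gateway/apps/
        CMD ["/opt/tyk-gateway/tyk", "--conf", "/opt/tyk-gateway/tyk.conf"]
        EOF
        # Echo the generated file into the log, as the previous `tee` did.
        cat Dockerfile
    - name: install on ${{ matrix.distro }}
      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
      with:
        context: "."
        platforms: linux/${{ matrix.arch }}
        # Maps the Docker arch name onto the RPM arch suffix used by the COPY above.
        build-args: |
          RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
        file: Dockerfile
        push: false
        tags: test-${{ matrix.distro }}-${{ matrix.arch }}
        load: true
    - name: Test the built container image with api functionality test.
      env:
        # Same reason as above: the image tag embeds matrix.distro.
        IMAGE: test-${{ matrix.distro }}-${{ matrix.arch }}
      # Block scalar instead of a double-quoted string with embedded \n, matching upgrade-deb.
      run: |
        docker run -d -p8080:8080 --name=test --platform linux/${{ matrix.arch }} --network ${{ job.container.network }} --rm "$IMAGE"
        sleep 2
        ./ci/tests/api-functionality/api_test.sh
        sleep 2
        docker stop test || true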
release-tests:
  uses: ./.github/workflows/release-tests.yml
  needs:
    - goreleaser
  # Token scope handed to the called workflow; a callee can only narrow these.
  permissions:
    id-token: write # This is required for requesting the JWT
    contents: read # This is required for actions/checkout
    actions: read # This is required for the report_logs job in the called workflow
  # The callee lives in this repository, so forwarding every secret stays in-repo.
  secrets: inherit
sbom:
  # List form, matching the other jobs' `needs` entries
  needs: [goreleaser]
  uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@42304edda365365e0a887cf018d8edc34b960b82 # main
  # NOTE(review): unlike release-tests there is no `permissions:` block, so the
  # called workflow runs with this workflow's default token scope — confirm what
  # sbom.yaml actually needs and pin it explicitly.
  # Only the named secrets are forwarded (no `inherit`), which is the right
  # default for a workflow hosted in another repository.
  secrets:
    DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
    DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
    ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}