Build & Release Providers #1960
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Build & Release Providers' | |
| on: | |
| push: | |
| branches: ['main'] | |
| paths: ['providers/**'] | |
| workflow_dispatch: | |
| inputs: | |
| build_all: | |
| description: 'Force build all providers' | |
| type: boolean | |
| required: false | |
| default: false | |
| skip_publish: | |
| description: 'Skip publishing' | |
| type: boolean | |
| required: false | |
| default: false | |
| use-test-cert: | |
| description: "Use test certificate profile (not publicly trusted)" | |
| required: false | |
| default: false | |
| type: boolean | |
| env: | |
| BUCKET: releases-us.mondoo.io | |
| SKIP_PROVIDERS: "core" | |
| jobs: | |
| scoping: | |
| name: "Scoping" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| outputs: | |
| providers: ${{ steps.providers.outputs.providers }} | |
| build_list: ${{ steps.providers.outputs.build_list }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Dump all inputs | |
| run: echo "${{ toJSON(inputs) }}" | |
| - name: Detect providers | |
| id: providers | |
| run: | | |
| providers=$(find providers -mindepth 1 -maxdepth 1 -type d -exec basename {} \;) | |
| echo "providers=$(echo -n $providers | jq -Rsc 'split(" ")')" >> $GITHUB_OUTPUT | |
| build="" | |
| root=$PWD | |
| for p in $providers; do | |
| skip=0 | |
| for s in $SKIP_PROVIDERS; do | |
| if [[ $p == $s ]]; then | |
| skip=1 | |
| fi | |
| done | |
| if [[ $skip == 1 ]]; then | |
| echo "$p is on the skip list. Skipping." | |
| continue | |
| fi | |
| cd providers/$p | |
| REPO_VERSION=$(grep Version: config/config.go | cut -f2 -d\") | |
| STATUS_CODE=$(curl -s -o /dev/null -I -w "%{http_code}" https://releases.mondoo.com/providers/${p}/latest.json) | |
| if [ "$STATUS_CODE" -eq "404" ]; then | |
| DIST_VERSION="unreleased" | |
| else | |
| DIST_VERSION=$(curl -s https://releases.mondoo.com/providers/${p}/latest.json | jq -r .version) | |
| fi | |
| printf "PROVIDER $p:\n Local version: $REPO_VERSION\n Remote version: $DIST_VERSION\n" | |
| if [[ $REPO_VERSION != $DIST_VERSION ]]; then | |
| echo " Adding $p to build list" | |
| build="$build $p" | |
| else | |
| echo " Skipping: Provider version unchanged." | |
| fi | |
| cd $root | |
| done | |
| echo "build_list=$(echo -n $build | jq -Rsc 'split(" ")')" >> $GITHUB_OUTPUT | |
| build_all=${{ github.event.inputs.build_all }} | |
| if [[ $build_all == true ]]; then | |
| echo "=== BUILD OF ALL PROVIDERS FORCED ===" | |
| printf '%s\n' "${providers[@]}" | jq -R . | jq -sc . > providers.json | |
| echo "build_list=$(cat providers.json)" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build List | |
| run: | | |
| echo "=== Providers detected:" | |
| echo ${{ steps.providers.outputs.providers }} | |
| echo "=== Providers select to build:" | |
| echo ${{ steps.providers.outputs.build_list }} | |
| provider-build: | |
| name: "${{ matrix.provider }}" | |
| runs-on: self-hosted | |
| environment: prod | |
| timeout-minutes: 120 | |
| permissions: | |
| contents: 'read' | |
| # Add "id-token" for OIDC Azure Login | |
| id-token: 'write' | |
| needs: scoping | |
| if: ${{ needs.scoping.outputs.build_list != '[]' }} | |
| strategy: | |
| fail-fast: false | |
| max-parallel: 2 | |
| matrix: | |
| provider: ${{ fromJSON(needs.scoping.outputs.build_list) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Import environment variables from file | |
| run: cat ".github/env" >> $GITHUB_ENV | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ">=${{ env.golang-version }}" | |
| cache: false | |
| - name: Install Protoc | |
| uses: arduino/setup-protoc@v3 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: ${{ env.protoc-version }} | |
| - name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| credentials_json: ${{ secrets.GCP_RELEASE_SERVICE_ACCOUNT}} | |
| - name: 'Set up gcloud CLI' | |
| uses: 'google-github-actions/setup-gcloud@v2' | |
| # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate | |
| # These packages have been installed on the self-hosted runner using ansible from the private repo | |
| - name: Azure login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }} | |
| tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}} | |
| subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }} | |
| - name: Get Azure AD Access Token to trusted signing | |
| id: get_token | |
| run: | | |
| set -e # Stop on first error | |
| TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv) | |
| if [ -z "$TSIGN_ACCESS_TOKEN" ]; then | |
| echo "Error: Access token is empty" | |
| exit 1 | |
| fi | |
| PREFIX="${TSIGN_ACCESS_TOKEN:0:8}" | |
| echo "Access token prefix: ${PREFIX}..." | |
| echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT | |
| - name: 'Build dependencies' | |
| run: | | |
| make providers/proto | |
| go build -o lr ./providers-sdk/v1/lr/cli/main.go | |
| - name: 'Build Provider' | |
| id: build-providers | |
| run: | | |
| rm -rf ./dist | |
| scripts/provider_bundler.sh ${{ matrix.provider }} | |
| env: | |
| TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }} | |
| TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }} | |
| TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }} | |
| TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }} | |
| - name: 'Publish Provider' | |
| if: ${{ ! inputs.skip_publish }} | |
| run: | | |
| for pkg in $(ls dist | cut -f1,2 -d_ | uniq); do | |
| PROVIDER=$(echo $pkg | cut -f1 -d_) | |
| VERSION=$(echo $pkg | cut -f2 -d_) | |
| echo "Publishing $pkg: $PROVIDER $VERSION" | |
| echo "Publishing $pkg to gs://${BUCKET}/providers/${PROVIDER}/${VERSION}/" | |
| gsutil -m cp -c dist/${pkg}*.xz gs://${BUCKET}/providers/${PROVIDER}/${VERSION}/ | |
| gsutil -m cp -c dist/${pkg}_SHA256SUMS gs://${BUCKET}/providers/${PROVIDER}/${VERSION}/ | |
| done | |
| - name: 'Save Artifacts' | |
| if: ${{ inputs.skip_publish }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.provider }} | |
| path: dist | |
| - name: Send Slack notification on failure | |
| uses: slackapi/slack-github-action@v2.1.1 | |
| if: ${{ always() && steps.build-providers.outcome != 'success' }} | |
| with: | |
| method: chat.postMessage | |
| token: ${{ secrets.SLACK_BOT_TOKEN }} | |
| payload: | | |
| { | |
| "channel": "C07QZDJFF89", | |
| "text": "⚠️ Provider Build failed for ${{ matrix.provider }}", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": ":x: *Provider Build failed for ${{ matrix.provider }}*: <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View GitHub Action Run>" | |
| } | |
| } | |
| ] | |
| } | |
| provider-index: | |
| needs: [provider-build, scoping] | |
| runs-on: ubuntu-latest | |
| if: ${{ ! inputs.skip_publish }} | |
| steps: | |
| - name: Generate token | |
| id: generate-token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.MONDOO_MERGEBOT_APP_ID }} | |
| private-key: ${{ secrets.MONDOO_MERGEBOT_APP_PRIVATE_KEY }} | |
| owner: mondoohq | |
| repositories: | | |
| releasr | |
| - name: Trigger Reindex of releases.mondoo.com | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ steps.generate-token.outputs.token }} | |
| repository: "mondoohq/releasr" | |
| event-type: reindex |