chore(deps): bump serde_json from 1.0.133 to 1.0.137 #1141
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main CI | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| tags: | |
| - "v*" | |
| pull_request: | |
| branches: | |
| - "main" | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| services: | |
| localstack: | |
| image: localstack/localstack:latest | |
| ports: | |
| - 4566:4566 | |
| - 4571:4571 | |
| vault-server: | |
| image: vault:1.13.3 | |
| ports: | |
| - "8200:8200" | |
| env: | |
| VAULT_ADDR: "http://0.0.0.0:8200" | |
| VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token" | |
| env: | |
| AWS_REGION: ap-southeast-2 | |
| AWS_ACCESS_KEY_ID: foobar | |
| AWS_SECRET_ACCESS_KEY: foobar | |
| VAULT_ADDR: http://localhost:8200 | |
| VAULT_TOKEN: vault-plaintext-root-token | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: ⚡ Cache Cargo | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| key: ${{ runner.os }}-cache-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cache-${{ hashFiles('**/Cargo.lock') }} | |
| ${{ runner.os }}-cache- | |
| - name: ⚡ Cache Cargo Target | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| target | |
| key: ${{ runner.os }}-target-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-target-${{ hashFiles('**/Cargo.lock') }} | |
| ${{ runner.os }}-target- | |
| - id: install-aws-cli | |
| uses: unfor19/install-aws-cli-action@master | |
| - name: Wait for localstack | |
| run: | | |
| ./wait-for.sh http://localhost:4566/_localstack/health -t 300 -s -- echo 'localstack up' | |
| make init-test && sleep 2 | |
| - name: Run unit tests | |
| run: | | |
| make test | |
| sanity-check: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| services: | |
| localstack: | |
| image: localstack/localstack:latest | |
| ports: | |
| - 4566:4566 | |
| - 4571:4571 | |
| env: | |
| DEBUG: 1 | |
| vault-server: | |
| image: vault:1.13.3 | |
| ports: | |
| - "8200:8200" | |
| env: | |
| VAULT_ADDR: "http://0.0.0.0:8200" | |
| VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token" | |
| env: | |
| AWS_REGION: ap-southeast-2 | |
| AWS_ACCESS_KEY_ID: foobar | |
| AWS_SECRET_ACCESS_KEY: foobar | |
| VAULT_ADDR: http://localhost:8200 | |
| VAULT_TOKEN: vault-plaintext-root-token | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Create k8s Kind Cluster | |
| uses: helm/[email protected] | |
| with: | |
| cluster_name: local | |
| ignore_failed_clean: true | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: controller | |
| # setup Docker buld action | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: ⚡ Cache Docker layers | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Build image | |
| uses: docker/build-push-action@v6 | |
| id: build | |
| with: | |
| context: . | |
| tags: controller:local | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new | |
| push: false | |
| load: true | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: controller:local | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
| - id: install-aws-cli | |
| uses: unfor19/install-aws-cli-action@master | |
| - name: Setup remote secrets in kind | |
| run: | | |
| ./wait-for.sh http://localhost:4566/_localstack/health -t 300 -s -- echo 'localstack up' | |
| make init-test | |
| make kind-image-load | |
| make install-local | |
| kubectl apply -f e2e/dockerhost-linux.yaml | |
| kubectl wait deployment -n remote-secrets remote-secrets --for condition=Available=True --timeout=30s | |
| kubectl -n remote-secrets exec $(kubectl get pod -A | grep remote-secrets | awk '{print $2}') -- sh -c 'apk add --no-cache curl && curl http://dockerhost:4566/_localstack/health' | |
| - name: Sanity check remote secrets | |
| run: | | |
| kubectl apply -f config/simples/example.yaml | |
| e2e/integration-test.sh | |
| - name: Show logs | |
| if: failure() | |
| run: | | |
| kubectl get secret test-rsecret -o yaml || true | |
| kubectl -n remote-secrets get deploy remote-secrets -o yaml || true | |
| kubectl -n remote-secrets logs deploy/remote-secrets || true | |
| docker logs "${{ job.services.localstack.id }}" || true | |
| kubectl get rsecrets.jerry153fish.com test-rsecret -o yaml || true | |
| aws ssm get-parameters --endpoint-url http://localhost:4566 --names MyStringParameter MyJsonParameter | cat - | |
| aws secretsmanager list-secrets --endpoint-url http://localhost:4566 | cat - | |
| aws cloudformation describe-stacks --stack-name MyTestStack --endpoint-url http://localhost:4566 | cat - | |
| docker-push: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| environment: main | |
| needs: [test, sanity-check] | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: jerry153fish/remote-secrets | |
| # setup Docker buld action | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| tags: | | |
| ${{ github.ref != 'refs/heads/main' && steps.meta.outputs.tags || '' }} | |
| ${{ github.ref == 'refs/heads/main' && 'jerry153fish/remote-secrets:latest' || '' }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| push: true | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new | |
| - name: Sign image with a key | |
| run: | | |
| cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS} -y | |
| env: | |
| TAGS: | | |
| ${{ github.ref != 'refs/heads/main' && steps.meta.outputs.tags || '' }} | |
| ${{ github.ref == 'refs/heads/main' && 'jerry153fish/remote-secrets:latest' || '' }} | |
| COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | |
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
| - name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache |