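---
# Pull Request CI
#
# Pipeline shape (see the jobs below):
#   build-and-test  -> `go build` and `just check` inside the repo's Nix dev shell
#   test-image      -> per-arch Nix image build, smoke test, Sysdig scan, push to GHCR by digest
#   push-pr-image   -> assemble the per-arch digests into one `pr-<N>` manifest list
#
# Security notes
# - Only the Determinate Systems actions are pinned to a commit SHA; every
#   other third-party action (checkout, scan-action, docker/*, artifact
#   actions) is pinned to a mutable tag. Pin those to SHAs as well, using
#   `git ls-remote <repo> <tag>` as the existing comments describe. SHAs are
#   deliberately not guessed in this file.
# - On `pull_request` events from forks GitHub provides no repository secrets
#   and a read-only GITHUB_TOKEN, so the Sysdig scan and the GHCR pushes are
#   expected to fail for fork PRs; no job skips itself in that case.
name: Pull Request CI

on:
  pull_request:
    branches:
      - main
      - master
  workflow_call:
  workflow_dispatch:

# Least-privilege default for every job. Jobs that need more (GHCR push)
# declare it explicitly. Without this, `build-and-test` inherits the
# repository's default token permissions, which may be write-all.
permissions:
  contents: read

concurrency:
  group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
  cancel-in-progress: true

jobs:
  build-and-test:
    name: Build and Test
    runs-on: ubuntu-latest
    defaults:
      run:
        # A custom shell string replaces GitHub's default
        # `bash --noprofile --norc -eo pipefail {0}`, so `-eo pipefail` is
        # restored here; otherwise a failing command in a multi-line script
        # would not fail the step.
        shell: nix develop --command bash -eo pipefail {0}
    steps:
      - name: Check out the repo
        # TODO(security): pin to a commit SHA like the Nix actions below.
        uses: actions/checkout@v5
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the PR's code to
          # read; no step in this job pushes via git.
          persist-credentials: false
      - name: Install Nix
        # Pinned to v21 commit SHA for supply-chain safety.
        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
      - name: Enable Nix cache
        # Pinned to v13 commit SHA for supply-chain safety.
        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
        with:
          use-flakehub: false
      - name: Build
        run: go build ./...
      - name: Run Checks
        run: just check
        # NOTE(review): these values are exposed to whatever `just check` runs,
        # i.e. to code from the PR head. They are only present for same-repo
        # PRs and for workflow_call/workflow_dispatch runs.
        env:
          SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
          SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}

  test-image:
    name: Test Image (${{ matrix.arch }})
    runs-on: ubuntu-latest
    needs: [build-and-test]
    defaults:
      run:
        # See build-and-test: restore `-eo pipefail` lost by the custom shell.
        shell: nix develop --command bash -eo pipefail {0}
    permissions:
      contents: read # required for actions/checkout
      packages: write # required for pushing to GHCR
    strategy:
      max-parallel: 1
      matrix:
        include:
          - arch: amd64
            platform: linux/amd64
            nix_package: sysdig-mcp-server-image-amd64
          - arch: arm64
            platform: linux/arm64
            nix_package: sysdig-mcp-server-image-aarch64
    steps:
      - name: Check out the repo
        # TODO(security): pin to a commit SHA like the Nix actions below.
        uses: actions/checkout@v5
        with:
          ref: ${{ github.sha }}
          fetch-depth: "0"
          # Nothing in this job pushes via git; keep the token out of .git/config.
          persist-credentials: false
      - name: Install Nix
        # Pinned to v21 commit SHA for supply-chain safety.
        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
      - name: Enable Nix cache
        # Pinned to v13 commit SHA for supply-chain safety.
        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
        with:
          use-flakehub: false
      - name: Build image
        # matrix.nix_package is a static value from this file, not user input.
        run: nix build .#${{ matrix.nix_package }} -o result
      - name: Load image
        id: load
        run: |
          IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
          # Fail here instead of handing an empty tag to the steps below.
          if [ -z "$IMAGE_TAG" ]; then
            echo "docker load did not report a loaded image tag" >&2
            exit 1
          fi
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      - name: Test image
        # The runner is x86-64, so only the amd64 image is executed.
        if: matrix.arch == 'amd64'
        # Step outputs go through `env`, not `${{ }}` inside `run`, so the
        # value is never interpolated into the shell script text.
        env:
          IMAGE_TAG: ${{ steps.load.outputs.image_tag }}
        run: docker run --rm "$IMAGE_TAG" --help | grep "Sysdig MCP Server"
      - name: Scan Docker image
        # TODO(security): pin to a commit SHA. This step runs before the push
        # below, and `stop-on-failed-policy-eval: true` (per the option name)
        # fails the job on a policy failure, so a failing image is never pushed.
        uses: sysdiglabs/scan-action@v6
        with:
          image-tag: ${{ steps.load.outputs.image_tag }}
          sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
          sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true
      - name: Convert to OCI layout
        # The trivial Dockerfile re-exports the Nix-built image through buildx
        # so it can be pushed by digest; `base` is bound in build-contexts below.
        run: |
          skopeo copy docker-archive:result oci:/tmp/oci-image:latest
          echo "FROM base" > /tmp/Dockerfile.push
      - name: Set up Docker Buildx
        # TODO(security): pin to a commit SHA.
        uses: docker/setup-buildx-action@v3
      - name: Log in to GitHub Container Registry
        # TODO(security): pin to a commit SHA.
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push image by digest
        id: push
        # TODO(security): pin to a commit SHA.
        uses: docker/build-push-action@v6
        with:
          file: /tmp/Dockerfile.push
          build-contexts: |
            base=oci-layout:///tmp/oci-image
          platforms: ${{ matrix.platform }}
          # NOTE(review): BuildKit provenance is disabled. Presumably because a
          # buildx attestation would only describe the `FROM base` re-push, not
          # the Nix build that produced the image -- confirm, and consider
          # publishing provenance for the Nix build separately.
          provenance: false
          outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          mkdir -p /tmp/digests
          # An empty digest would create a file named "" and break the manifest job.
          if [ -z "$DIGEST" ]; then
            echo "push step produced no digest" >&2
            exit 1
          fi
          touch "/tmp/digests/${DIGEST#sha256:}"
      - name: Upload digest
        # TODO(security): pin to a commit SHA.
        uses: actions/upload-artifact@v5
        with:
          name: digests-${{ matrix.arch }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  push-pr-image:
    name: Push PR image to GitHub Packages
    runs-on: ubuntu-latest
    needs: [test-image]
    # Only PRs get a `pr-<N>` tag; workflow_call/dispatch runs stop after test-image.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      packages: write
    env:
      REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
    steps:
      - name: Download digests
        # TODO(security): pin to a commit SHA.
        uses: actions/download-artifact@v6
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        # TODO(security): pin to a commit SHA.
        uses: docker/setup-buildx-action@v3
      - name: Log in to GitHub Container Registry
        # TODO(security): pin to a commit SHA.
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create manifest list and push
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        working-directory: /tmp/digests
        # Each file in /tmp/digests is named after one per-arch digest (see
        # "Export digest"); the glob turns them into `<image>@sha256:<digest>` refs.
        run: |
          docker buildx imagetools create --tag "$REGISTRY:pr-${PR_NUMBER}" \
            $(printf "$REGISTRY@sha256:%s " *)
      - name: Inspect image
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: docker buildx imagetools inspect "$REGISTRY:pr-${PR_NUMBER}"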