feat(github): testing out aqua workflows

buroa · Dec 20, 2023 · 132d046 · 132d046
1 parent 9a76c2a
commit 132d046
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 32 deletions.
diff --git a/.github/aqua.yaml b/.github/aqua.yaml
@@ -0,0 +1,11 @@
+---
+registries:
+  - type: standard
+    ref: v4.107.0
+
+packages:
+  - name: fluxcd/[email protected]
+  - name: helm/[email protected]
+  - name: kubernetes-sigs/kustomize@kustomize/v5.3.0
+  - name: kubernetes/[email protected]
+  - name: mikefarah/[email protected]
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -12,6 +12,7 @@
     ":semanticCommits",
     ":skipStatusChecks",
     ":timezone(America/Chicago)",
+    "github>aquaproj/aqua-renovate-config:file#1.13.0(.github/aqua.yaml)",
     "github>buroa/k8s-gitops//.github/renovate/allowedVersions.json5",
     "github>buroa/k8s-gitops//.github/renovate/autoMerge.json5",
     "github>buroa/k8s-gitops//.github/renovate/commitMessage.json5",

diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
@@ -7,9 +7,7 @@ on:
     paths: ["kubernetes/**.yaml"]
 
 env:
-  DEBCONF_NONINTERACTIVE_SEEN: "true"
-  DEBIAN_FRONTEND: noninteractive
-  APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn
+  AQUA_CONFIG: ./.github/aqua.yaml
 
 jobs:
   flux-diff:
@@ -29,18 +27,39 @@ jobs:
           app-id: "${{ secrets.BOT_APP_ID }}"
           private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Install System Tools
+        shell: bash
+        run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo
+
+      - name: Cache Aqua
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        id: cache
+        with:
+          path: ~/.local/share/aquaproj-aqua
+          key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('./.github/aqua.yaml') }}
+          restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}-
+
+      - name: Install Aqua and CLI Tools
+        uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
+        with:
+          aqua_version: v2.16.4
+          aqua_opts: -a
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: "${{ secrets.BOT_APP_ID }}"
           password: "${{ steps.app-token.outputs.token }}"
 
-      - name: Setup Flux
-        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2
-
       - name: Diff Resources
-        # uses: allenporter/flux-local/action/diff@19bfc6920e8964a479363bc230e6c329120ead02 # 3.2.0
         uses: allenporter/flux-local/action/diff@flux-build
         id: diff
         with:

diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml
@@ -16,9 +16,7 @@ on:
     paths: ["kubernetes/**/helmrelease.yaml"]
 
 env:
-  DEBCONF_NONINTERACTIVE_SEEN: "true"
-  DEBIAN_FRONTEND: noninteractive
-  APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn
+  AQUA_CONFIG: ./.github/aqua.yaml
 
 jobs:
   sync:
@@ -38,17 +36,25 @@ jobs:
           token: "${{ steps.app-token.outputs.token }}"
           fetch-depth: 0
 
-      - name: Setup Tools
+      - name: Install System Tools
         shell: bash
-        run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git
+        run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo
 
-      - name: Setup Kube Tools
-        uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
+      - name: Cache Aqua
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        id: cache
         with:
-          setup-tools: yq
+          path: ~/.local/share/aquaproj-aqua
+          key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('./.github/aqua.yaml') }}
+          restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}-
 
-      - name: Setup Flux
-        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2
+      - name: Install Aqua and CLI Tools
+        uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
+        with:
+          aqua_version: v2.16.4
+          aqua_opts: -a
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
 
       - name: Write kubeconfig
         id: kubeconfig

diff --git a/.github/workflows/flux-hr-test-image.yaml b/.github/workflows/flux-hr-test-image.yaml
@@ -7,11 +7,7 @@ on:
     paths: ["kubernetes/**/helmrelease.yaml"]
 
 env:
-  DEBCONF_NONINTERACTIVE_SEEN: "true"
-  DEBIAN_FRONTEND: noninteractive
-  APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn
-  WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources
-  WORKFLOW_KUBERNETES_DIR: ./kubernetes
+  AQUA_CONFIG: ./.github/aqua.yaml
 
 jobs:
   changed-files:
@@ -70,17 +66,32 @@ jobs:
           token: "${{ steps.app-token.outputs.token }}"
           fetch-depth: 0
 
-      - name: Setup Kube Tools
-        uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
+      - name: Install System Tools
+        shell: bash
+        run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo
+
+      - name: Cache Aqua
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        id: cache
+        with:
+          path: ~/.local/share/aquaproj-aqua
+          key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('./.github/aqua.yaml') }}
+          restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}-
+
+      - name: Install Aqua and CLI Tools
+        uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
         with:
-          setup-tools: helm kustomize
+          aqua_version: v2.16.4
+          aqua_opts: -a
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
 
       - name: Extract Images from HelmRelease
         id: extract-images
         run: |
           images=$(
-            npx zx ${{ env.WORKFLOW_RESOURCE_DIR }}/extract-images.mjs \
-              --kubernetes-dir "${{ env.WORKFLOW_KUBERNETES_DIR }}" \
+            npx zx ./.github/scripts/extract-images.mjs \
+              --kubernetes-dir "./kubernetes" \
               --helmrelease "${{ matrix.files }}"
           )
           echo "images=${images}" >> $GITHUB_OUTPUT

diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml
@@ -7,6 +7,9 @@ on:
     branches: ["master"]
     paths: ["terraform/**"]
 
+env:
+  AQUA_CONFIG: ./.github/aqua.yaml
+
 jobs:
   publish-terraform:
     name: Publish Terraform
@@ -27,6 +30,26 @@ jobs:
         with:
           token: "${{ steps.app-token.outputs.token }}"
 
+      - name: Install System Tools
+        shell: bash
+        run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo
+
+      - name: Cache Aqua
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        id: cache
+        with:
+          path: ~/.local/share/aquaproj-aqua
+          key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('./.github/aqua.yaml') }}
+          restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}-
+
+      - name: Install Aqua and CLI Tools
+        uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
+        with:
+          aqua_version: v2.16.4
+          aqua_opts: -a
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
@@ -37,9 +60,6 @@ jobs:
           # username: "${{ secrets.BOT_APP_ID }}"
           # password: "${{ steps.app-token.outputs.token }}"
 
-      - name: Setup Flux
-        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2
-
       - name: Generate tag
         id: generate-tag
         shell: bash

diff --git a/...ub/workflows/resources/extract-images.mjs → .github/workflows/scripts/extract-images.mjs b/...ub/workflows/resources/extract-images.mjs → .github/workflows/scripts/extract-images.mjs
@@ -72,10 +72,10 @@ async function helmTemplate(release, repository) {
   // Template out helm values into Kubernetes manifests
   let manifests
   if ('type' in repository.spec && repository.spec.type == 'oci') {
-    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
+    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
   } else {
     await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}`
-    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
+    manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}`
   }
 
   let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => item.toJS())