fix: unify secret handling for hydra #163

Workflow file for this run

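# CI pipeline for the Helm charts in this repository: works out which charts
# changed, lints/validates/upgrades/installs them in a matrix, regenerates the
# chart docs on master and publishes a release on version tags.
#
# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN
# gets the repository default in every job. Only helm-docs and release push,
# and they use a PAT; add a least-privilege block (e.g. `contents: read`)
# once the needs of the `make` targets are confirmed.
name: CI
on:
  # `create` fires on any branch/tag creation; `push` is limited to master and
  # v* tags; `pull_request` runs for every PR (fork PRs receive no secrets).
  create:
  push:
    branches:
      - "master"
    tags:
      - "v*"
  pull_request:
# A newer run on the same ref cancels the one still in flight.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  dependencies:
    name: Prepare Dependencies
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.17"
      - name: Setup dependencies
        uses: ./.github/actions/deps-setup
  detect-repo-changes:
    name: Detected Repo Changes
    runs-on: ubuntu-22.04
    outputs:
      helms-changed: ${{ steps.changed_charts.outputs.matrix }}
      no-changes: ${{ steps.changed_charts.outputs.no_changes }}
      cicd-definition-changed: ${{ steps.filter.outputs.cicd-definitions }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # NOTE(review): the action ref was mangled in the page rendering
      # ("dorny/[email protected]"); restore the original pinned ref.
      - uses: dorny/paths-filter@<PINNED_REF_REDACTED_ON_PAGE>
        id: filter
        with:
          base: master
          # `-helm` suffix aims that we can easily filter helm charts.
          # NOTE(review): unlike every other entry, `hydra-helm` watches the
          # hydra-maester values file rather than its own; confirm this is
          # intended before relying on change detection for the hydra chart.
          filters: |
            example-idp-helm:
              - 'helm/charts/example-idp/**'
              - 'hacks/values/example-idp.yaml'
            hydra-helm:
              - 'helm/charts/hydra/**'
              - 'hacks/values/hydra-maester.yaml'
            hydra-maester-helm:
              - 'helm/charts/hydra-maester/**'
              - 'hacks/values/hydra-maester.yaml'
            keto-helm:
              - 'helm/charts/keto/**'
              - 'hacks/values/keto.yaml'
            kratos-helm:
              - 'helm/charts/kratos/**'
              - 'hacks/values/kratos.yaml'
            kratos-selfservice-ui-node-helm:
              - 'helm/charts/kratos-selfservice-ui-node/**'
              - 'hacks/values/kratos-selfservice-ui-node.yaml'
            oathkeeper-helm:
              - 'helm/charts/oathkeeper/**'
              - 'hacks/values/oathkeeper.yaml'
            oathkeeper-maester-helm:
              - 'helm/charts/oathkeeper-maester/**'
              - 'hacks/values/oathkeeper-maester.yaml'
            cicd-definitions:
              - '.github/workflows/**'
              - '.github/actions/**'
      # This step takes the output from paths-filter and processes it to get
      # the list of helm charts that were updated. That list drives the matrix
      # of the validating & testing jobs below.
      - name: Generate helm chart matrix to be validated
        id: changed_charts
        env:
          FILTER_OUTPUT: ${{ toJson(steps.filter.outputs) }}
          # Every chart is tested on a tag build or when the CI definitions
          # themselves changed.
          FORCE_FULL_RUN:
            ${{ github.ref_type == 'tag' ||
            steps.filter.outputs['cicd-definitions'] == 'true' }}
        shell: bash
        run: |
          # Keep only the filter keys ending in "-helm" that reported a change.
          updated_charts=$(echo "$FILTER_OUTPUT" | jq -r 'to_entries | map(select((.key | endswith("-helm")) and .value == "true")) | map(.key)')
          # shellcheck disable=SC2001
          updated_charts=$(echo "$updated_charts" | sed "s/-helm//g")
          echo "ForceFullRun: ${FORCE_FULL_RUN}"
          if [[ "$FORCE_FULL_RUN" == "true" ]]; then
            echo "Forcing tests to be running on every charts as CI running in release context"
            # $GITHUB_WORKSPACE is read from the environment rather than
            # interpolating ${{ github.workspace }} into the script, so no
            # expression text is spliced into shell source.
            # shellcheck disable=SC2012
            updated_charts=$(ls "$GITHUB_WORKSPACE/helm/charts/" | tr -d " " | jq --raw-input --slurp 'split("\n") | map(select(. != ""))')
          fi
          if [[ "$updated_charts" == "[]" ]]; then
            echo "no_changes=true" >> "$GITHUB_OUTPUT"
          fi
          # $(echo $updated_charts) is deliberately unquoted: it collapses jq's
          # multi-line array onto one line. Nothing may follow the closing
          # brace: the value has to be valid JSON for fromJson() downstream
          # (a trailing \" here broke the matrix expansion).
          # shellcheck disable=SC2116,SC2086
          echo "matrix={\"chart\":$(echo $updated_charts)}" >> "$GITHUB_OUTPUT"
          echo "Charts array to run CI on: $updated_charts"
  check:
    name: Check Helm Chart '${{ matrix.chart }}'
    # Skipped when nothing changed and on pushes to master (master is handled
    # by helm-docs). The ref is compared against `refs/heads/master`; the
    # previous `ref/heads/master` never matched, so this job, test-upgrade and
    # test-install also ran on every master push.
    if:
      ${{ needs.detect-repo-changes.outputs.no-changes != 'true' && github.ref
      != 'refs/heads/master' }}
    needs: [dependencies, detect-repo-changes]
    runs-on: ubuntu-22.04
    env:
      HELM_PLUGINS: ${{ github.workspace }}/.bin/plugins
      HELM_CHART: ${{ matrix.chart }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Checkout dependencies
        uses: ./.github/actions/deps-setup
      - name: Lint helm chart
        run: make helm-lint
      - name: Validate helm chart
        run: make helm-validate
      # NOTE(review): `@main` is a mutable ref, so the scanner's code can change
      # between runs without any change here; pin to a release tag or commit
      # SHA like the other actions in this file.
      - uses: kubescape/github-action@main
        with:
          format: json
          outputFile: results
          files: "helm/charts/${{ matrix.chart }}"
          verbose: true
          severityThreshold: high
          controlsConfig: ".github/kubescape-control.json"
          exceptions: ".github/kubescape-exceptions.json"
          frameworks: |
            AllControls,ArmoBest,DevOpsBest,mitre,nsa
    strategy:
      matrix: ${{ fromJson(needs.detect-repo-changes.outputs.helms-changed) }}
  test-upgrade:
    name: Upgrade Helm Chart '${{ matrix.chart }}'
    # Same ref comparison as `check`: `refs/heads/master`, not `ref/heads/master`.
    if:
      ${{ needs.detect-repo-changes.outputs.no-changes != 'true' && github.ref
      != 'refs/heads/master' }}
    needs: [check, detect-repo-changes, dependencies]
    runs-on: ubuntu-22.04
    env:
      HELM_PLUGINS: ${{ github.workspace }}/.bin/plugins
      HELM_CHART: ${{ matrix.chart }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Checkout dependencies
        uses: ./.github/actions/deps-setup
      - name: Test upgrade for helm chart
        run: make helm-upgrade
    strategy:
      matrix: ${{ fromJson(needs.detect-repo-changes.outputs.helms-changed) }}
  test-install:
    name: Install Helm Chart '${{ matrix.chart }}'
    # Same ref comparison as `check`: `refs/heads/master`, not `ref/heads/master`.
    if:
      ${{ needs.detect-repo-changes.outputs.no-changes != 'true' && github.ref
      != 'refs/heads/master' }}
    needs: [check, detect-repo-changes, dependencies]
    runs-on: ubuntu-22.04
    env:
      HELM_PLUGINS: ${{ github.workspace }}/.bin/plugins
      HELM_CHART: ${{ matrix.chart }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Checkout dependencies
        uses: ./.github/actions/deps-setup
      - name: Test install for helm chart
        run: make helm-test
    strategy:
      matrix: ${{ fromJson(needs.detect-repo-changes.outputs.helms-changed) }}
  helm-docs:
    name: Generate documentation
    runs-on: ubuntu-22.04
    # No `needs` on this job, so `always()` has no effect; it simply runs on
    # every push to master.
    if: ${{ always() && github.ref == 'refs/heads/master' }}
    env:
      HELM_DOCS_VERSION: "1.11.0"
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # Presumably the PAT is what authorises the `git push` below.
          # NOTE(review): keep that token scoped to push access on this
          # repository only; it is the credential that can write master.
          token: ${{ secrets.ORY_BOT_PAT }}
      - name: Checkout dependencies
        uses: ./.github/actions/deps-setup
      - name: Push commit
        shell: bash
        run: |
          # NOTE(review): the bot e-mail was obfuscated in the page rendering;
          # restore the real value.
          git config --global user.email "<BOT_EMAIL_REDACTED_ON_PAGE>"
          git config --global user.name "ory-bot"
          git checkout -b dirty HEAD
          # `git add -A` stages everything in the workspace that is not
          # ignored, including whatever deps-setup wrote there.
          git add -A
          git commit -m "Regenerate helm docs
          [skip ci]" || echo "No changes to commit"
          git push origin HEAD:master
  release:
    name: Release
    if: ${{ github.ref_type == 'tag' }}
    needs: [test-install, test-upgrade]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.ORY_BOT_PAT }}
      - name: Checkout dependencies
        uses: ./.github/actions/deps-setup
      - name: Define current tag version
        shell: bash
        # Strips the leading `refs/<kind>/` so only the bare tag name is kept.
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      - name: Release helm charts
        run: make release
      - name: Push commit for release
        shell: bash
        # The push is not forced, so it only succeeds when the tagged commit is
        # a descendant of master.
        run: |
          # NOTE(review): the bot e-mail was obfuscated in the page rendering;
          # restore the real value.
          git config --global user.email "<BOT_EMAIL_REDACTED_ON_PAGE>"
          git config --global user.name "ory-bot"
          git checkout -b make-release HEAD
          git add -A
          git commit -a -m "Release ${RELEASE_VERSION}
          [skip ci]" || echo "No changes to commit"
          git push origin HEAD:master
  gha-lint:
    name: Lint GithubAction files
    if:
      ${{ needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' }}
    needs: [detect-repo-changes]
    # NOTE(review): every other job pins ubuntu-22.04; this one floats on
    # ubuntu-latest.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: actionlint
        id: actionlint
        uses: raven-actions/actionlint@v1
        with:
          fail-on-error: true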