diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..77876ac9
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,53 @@
+name: ci
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ci-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+ with:
+ useTask: true
+
+ test:
+ uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+ with:
+ useTask: true
+ useLocalCoverageConfig: true
+
+ docker-build:
+ uses: platform-mesh/.github/.github/workflows/job-docker-build.yml@main
+ with:
+ imageTagName: ghcr.io/platform-mesh/security-operator
+
+ quality-gate:
+ if: always()
+ permissions: {}
+ needs: [lint, test, docker-build]
+ runs-on: ubuntu-latest
+ timeout-minutes: 1
+ steps:
+ - name: Check results
+ run: |
+ if [[ "${{ needs.lint.result }}" != "success" ]]; then
+ echo "lint failed"
+ exit 1
+ fi
+ if [[ "${{ needs.test.result }}" != "success" ]]; then
+ echo "test failed"
+ exit 1
+ fi
+ if [[ "${{ needs.docker-build.result }}" != "success" ]]; then
+ echo "docker-build failed"
+ exit 1
+ fi
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
deleted file mode 100644
index 685f0cee..00000000
--- a/.github/workflows/pipeline.yaml
+++ /dev/null
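Review bot: Every reusable workflow in this file is referenced by the mutable branch ref `@main` (the `uses:` lines of lint, test and docker-build), and release.yml does the same, so a change pushed to platform-mesh/.github is picked up by the next run here without any review in this repository. Pinning to a full commit SHA with a trailing comment naming the tracked ref, e.g. `uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@<commit-sha>  # main`, makes the CI definition reproducible and is what the Pinned-Dependencies check behind the Scorecard badge in the README looks for. Since the called workflows live in the same organization the exposure is limited to write access on that one repository, so this may be an accepted trade-off, but it should then be stated in a comment above `jobs:`. A smaller point: `types` lists only opened and synchronize, so a PR that is closed and reopened does not re-run the gate until its next push; adding `- reopened` avoids a stale required check.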
@@ -1,117 +0,0 @@
-name: ci
-
-on:
- push:
- branches:
- - main
- pull_request:
- types:
- - opened
- - synchronize
-
-permissions:
- contents: write
- id-token: write
- issues: write
- packages: write
- pull-requests: write
- attestations: write
-
-concurrency:
- group: ${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- # ──────────────────────────────────────────────
- # Always-run jobs (PR + main)
- # ──────────────────────────────────────────────
- lint:
- uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
- with:
- useTask: true
-
- test:
- uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
- secrets: inherit
- with:
- useTask: true
- useLocalCoverageConfig: true
-
- docker-build:
- if: github.event_name == 'pull_request'
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
- with:
- imageTagName: ghcr.io/platform-mesh/security-operator
- secrets: inherit
-
- # ──────────────────────────────────────────────
- # Quality gate (aggregates required checks)
- # ──────────────────────────────────────────────
- quality-gate:
- if: always()
- permissions: {}
- needs: [lint, test, docker-build]
- runs-on: ubuntu-latest
- timeout-minutes: 1
- steps:
- - name: Check results
- run: |
- if [[ "${{ needs.lint.result }}" != "success" ]]; then
- echo "lint failed"
- exit 1
- fi
- if [[ "${{ needs.test.result }}" != "success" ]]; then
- echo "test failed"
- exit 1
- fi
- # docker-build is skipped on main pushes — allow skipped
- if [[ "${{ needs.docker-build.result }}" != "success" && "${{ needs.docker-build.result }}" != "skipped" ]]; then
- echo "docker-build failed"
- exit 1
- fi
-
- # ──────────────────────────────────────────────
- # Release jobs (main branch only)
- # ──────────────────────────────────────────────
- create-version:
- if: github.ref == 'refs/heads/main'
- uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
- secrets: inherit
-
- docker-build-push:
- if: 
github.ref == 'refs/heads/main'
- needs: [create-version, lint, test]
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
- with:
- imageTagName: ghcr.io/platform-mesh/security-operator
- version: ${{ needs.create-version.outputs.version }}
- multiarch: true
- secrets: inherit
-
- update-version:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push]
- uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
- secrets: inherit
- with:
- appVersion: ${{ needs.create-version.outputs.version }}
- chart: security-operator
- targetRepository: platform-mesh/helm-charts
-
- sbom:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push]
- uses: platform-mesh/.github/.github/workflows/job-sbom.yml@main
- with:
- imageReference: ghcr.io/platform-mesh/security-operator:${{ needs.create-version.outputs.version }}
-
- image-ocm:
- if: github.ref == 'refs/heads/main'
- needs: [create-version, docker-build-push, sbom]
- uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@main
- secrets: inherit
- with:
- imageReference: ghcr.io/platform-mesh/security-operator:${{ needs.create-version.outputs.version }}
- appVersion: ${{ needs.create-version.outputs.version }}
- repoName: security-operator
- commit: ${{ github.sha }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..b29e423d
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,69 @@
+name: release
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ id-token: write
+ issues: write
+ packages: write
+ pull-requests: write
+ attestations: write
+
+concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ lint:
+ uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+ with:
+ useTask: true
+
+ test:
+ uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+ secrets: inherit
+ with:
+ useTask: true
+ useLocalCoverageConfig: true
+
+ create-version:
+ uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
+ secrets: inherit
+
+ docker-build-push:
+ needs: [create-version, lint, test]
+ uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
+ with:
+ imageTagName: ghcr.io/platform-mesh/security-operator
+ version: ${{ needs.create-version.outputs.version }}
+ multiarch: true
+ secrets: inherit
+
+ update-version:
+ needs: [create-version, docker-build-push]
+ uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
+ secrets: inherit
+ with:
+ appVersion: ${{ needs.create-version.outputs.version }}
+ chart: security-operator
+ targetRepository: platform-mesh/helm-charts
+
+ sbom:
+ needs: [create-version, docker-build-push]
+ uses: platform-mesh/.github/.github/workflows/job-sbom.yml@main
+ with:
+ imageReference: ghcr.io/platform-mesh/security-operator:${{ needs.create-version.outputs.version }}
+
+ image-ocm:
+ needs: [create-version, docker-build-push, sbom]
+ uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@main
+ secrets: inherit
+ with:
+ imageReference: ghcr.io/platform-mesh/security-operator:${{ needs.create-version.outputs.version }}
+ appVersion: ${{ needs.create-version.outputs.version }}
+ repoName: security-operator
+ commit: ${{ github.sha }}
diff --git a/README.md b/README.md
index 65201b3d..4c4736eb 100644
--- a/README.md
+++ b/README.md
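Review bot: The workflow-level `permissions:` block grants `contents`, `id-token`, `issues`, `packages`, `pull-requests` and `attestations` write to every job, including `lint` and `test`, which presumably only run linters and the Go test suite and, as far as their `with:` inputs show, need nothing beyond reading the checkout. A called reusable workflow's token is capped by the caller job's permissions, so those two jobs can be narrowed here without touching the shared workflows, e.g. adding `permissions:` / `contents: read` under `lint:` and `test:`, leaving the write scopes to the publishing jobs that use them. That limits what a compromised linter plugin or test dependency could do with GITHUB_TOKEN on a main-branch run; what each called workflow actually requires is not visible in this diff, so the per-job set should be checked against platform-mesh/.github. `secrets: inherit` on `test` additionally hands that job every repository secret; if the tests need only the token, dropping it is a further reduction.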
@@ -3,7 +3,7 @@ # platform-mesh - security-operator [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/platform-mesh/security-operator/badge)](https://scorecard.dev/viewer/?uri=github.com/platform-mesh/security-operator) -![build status](https://github.com/platform-mesh/security-operator/actions/workflows/pipeline.yaml/badge.svg) +![build status](https://github.com/platform-mesh/security-operator/actions/workflows/ci.yml/badge.svg) ## Description Security-operator is responsible for security related configuration in Platform-mesh.