chore(deps): update golang docker tag to v1.23 #3418

Workflow file for this run

	name: Validate SecureSign
	on:
	workflow_dispatch:
	push:
	branches: [ "main", "release*" ]
	tags: [ "*" ]
	pull_request:
	branches: [ "main", "release*" ]

	env:
	GO_VERSION: 1.22
	IMG: ttl.sh/securesign/secure-sign-operator-${{github.run_number}}:1h
	BUNDLE_IMG: ttl.sh/securesign/bundle-secure-sign-${{github.run_number}}:1h
	CATALOG_IMG: ttl.sh/securesign/catalog-${{github.run_number}}:1h
	CONTAINER_TOOL: podman

	jobs:
	build-operator:
	name: Build-operator
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Replace images
	run: make dev-images && cat internal/controller/constants/images.go

	- name: Build operator container
	run: make docker-build docker-push

	- name: Save container image
	run: podman save -o /tmp/operator-oci.tar --format oci-archive $IMG

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: operator-image
	path: /tmp/operator-oci.tar
	retention-days: 1

	build-bundle:
	name: Build-bundle-image
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Replace images
	run: make dev-images && cat internal/controller/constants/images.go

	- name: Build operator bundle
	run: make bundle bundle-build bundle-push

	- name: Save container image
	run: podman save -o /tmp/bundle-oci.tar --format oci-archive $BUNDLE_IMG

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: bundle-image
	path: /tmp/bundle-oci.tar
	retention-days: 1

	build-fbc:
	name: Build-fbc
	runs-on: ubuntu-20.04
	needs: build-bundle
	steps:
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: podman load -i /tmp/bundle-oci.tar

	- name: Install OPM
	run: \|
	make opm
	echo "OPM=${{ github.workspace }}/bin/opm" >> $GITHUB_ENV

	- name: Checkout FBC source
	uses: actions/checkout@v4
	with:
	repository: "securesign/fbc"
	path: fbc

	- name: Build catalog
	run: \|
	cd fbc
	chmod +x ./generate-fbc.sh && OPM_CMD=${{ env.OPM }} ./generate-fbc.sh --init-basic v4.14 jq
	cat << EOF >> v4.14/graph.json
	{
	"schema": "olm.bundle",
	"image": "$BUNDLE_IMG"
	}
	EOF
	#TODO: versions needs to be maintained - try to eliminate
	cat <<< $(jq 'select(.schema == "olm.channel" and .name == "stable").entries += [{"name":"rhtas-operator.v1.2.0", "replaces": "rhtas-operator.v1.1.0"}]' v4.14/graph.json) > v4.14/graph.json
	cat v4.14/graph.json
	${{ env.OPM }} alpha render-template basic v4.14/graph.json > v4.14/catalog/rhtas-operator/catalog.json
	${{ env.OPM }} validate v4.14/catalog/rhtas-operator
	podman build v4.14 -f v4.14/catalog.Dockerfile -t $CATALOG_IMG
	podman push $CATALOG_IMG

	- name: Save container image
	run: podman save -o /tmp/catalog-oci.tar --format oci-archive $CATALOG_IMG

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: catalog-image
	path: /tmp/catalog-oci.tar
	retention-days: 1

	build-tuftool:
	name: Build-tuftool
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout tough source
	uses: actions/checkout@v4
	with:
	repository: "securesign/tough"
	path: tough
	- uses: actions-rs/toolchain@v1
	with:
	toolchain: stable
	profile: minimal
	- uses: actions/cache@v4
	with:
	path: \|
	~/.cargo/bin/
	~/.cargo/registry/index/
	~/.cargo/registry/cache/
	~/.cargo/git/db/
	/tmp/tuftool
	key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
	- run: cd tough && cargo build --release --target-dir /tmp/tuftool

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: tuftool
	path: /tmp/tuftool/release/tuftool
	retention-days: 1
	if-no-files-found: error


	test-kind:
	name: Test kind deployment
	runs-on: ubuntu-20.04
	needs:
	- build-operator
	- build-tuftool
	steps:
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Download tuftool
	uses: actions/download-artifact@v4
	with:
	name: tuftool
	path: /tmp/tuftool
	- run: echo "/tmp/tuftool" >> $GITHUB_PATH

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: podman load -i /tmp/operator-oci.tar

	- name: Install Cluster
	uses: ./.github/actions/kind-cluster
	with:
	config: ./ci/config.yaml
	prometheus: 'true'
	keycloak: 'true'
	olm: 'true'

	- name: Deploy operator container
	env:
	OPENSHIFT: false
	run: make deploy

	- name: Wait for operator to be ready
	run: \|
	kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator

	- name: Add service hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" \| sudo tee -a /etc/hosts
	- name: Install cosign
	run: go install github.com/sigstore/cosign/v2/cmd/[email protected]

	- name: Replace images
	run: make dev-images && cat internal/controller/constants/images.go

	- name: Run tests
	run: make test-e2e

	- name: Archive test artifacts
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: test-kind
	path: test/*/k8s-dump-.tar.gz

	- name: dump the logs of the operator
	run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
	if: always()

	test-upgrade:
	name: Test upgrade operator
	runs-on: ubuntu-20.04
	needs:
	- build-operator
	- build-bundle
	- build-fbc
	steps:
	- name: Free Disk Space (Ubuntu)
	uses: jlumbroso/free-disk-space@main
	with:
	tool-cache: true
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: \|
	podman load -i /tmp/operator-oci.tar
	podman load -i /tmp/bundle-oci.tar
	podman load -i /tmp/catalog-oci.tar

	- name: Install Cluster
	uses: ./.github/actions/kind-cluster
	with:
	config: ./ci/config.yaml
	prometheus: 'true'
	keycloak: 'true'
	olm: 'true'

	- name: Add service hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" \| sudo tee -a /etc/hosts
	- name: Install cosign
	run: go install github.com/sigstore/cosign/v2/cmd/[email protected]

	- name: Replace images
	run: make dev-images && cat internal/controller/constants/images.go

	- name: Run tests
	env:
	TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:v4.14
	TEST_TARGET_CATALOG: ${{ env.CATALOG_IMG }}
	OPENSHIFT: false
	run: go test -p 1 ./test/e2e/... -tags=upgrade -timeout 20m

	- name: Archive test artifacts
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: test-upgrade
	path: test/*/k8s-dump-.tar.gz

	test-custom-install:
	name: Test with custom operator installation
	runs-on: ubuntu-20.04
	needs:
	- build-operator
	steps:
	- name: Free Disk Space (Ubuntu)
	uses: jlumbroso/free-disk-space@main
	with:
	tool-cache: true
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Image prune
	run: podman image prune -af

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: podman load -i /tmp/operator-oci.tar

	- name: Install Cluster
	uses: ./.github/actions/kind-cluster
	with:
	config: ./ci/config.yaml

	- name: Add service hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" \| sudo tee -a /etc/hosts

	- name: Replace images
	run: make dev-images && cat internal/controller/constants/images.go

	- name: Run tests
	env:
	TEST_MANAGER_IMAGE: ${{ env.IMG }}
	OPENSHIFT: false
	run: make install && go test ./test/e2e/... -tags=custom_install -p 1 -timeout 20m

	- name: Archive test artifacts
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: test-custom-install
	path: test/*/k8s-dump-.tar.gz

	test-e2e:
	name: Execute securesign/sigstore-e2e
	runs-on: ubuntu-24.04
	needs:
	- build-operator
	env:
	TEST_NAMESPACE: test
	steps:
	- name: Checkout source
	uses: actions/checkout@v4
	- name: Checkout test source repository
	uses: actions/checkout@v4
	with:
	repository: "securesign/sigstore-e2e"
	path: e2e

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Image prune
	run: podman image prune -af

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: \|
	podman load -i /tmp/operator-oci.tar

	- name: Install Cluster
	id: kind
	uses: ./.github/actions/kind-cluster
	with:
	config: ./ci/config.yaml
	keycloak: 'true'
	olm: 'true'
	prometheus: 'true'

	- name: Add service hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" \| sudo tee -a /etc/hosts

	- name: Deploy operator container
	env:
	OPENSHIFT: false
	run: make deploy

	- name: Wait for operator to be ready
	run: \|
	kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator

	- name: Install securesign
	run: \|
	sed -i 's#https://your-oidc-issuer-url#${{ steps.kind.outputs.oidc_url }}#' config/samples/rhtas_v1alpha1_securesign.yaml
	sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml
	kubectl create ns ${{ env.TEST_NAMESPACE }}
	kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}
	sleep 1
	kubectl wait --for=condition=Ready securesign/securesign-sample -n ${{ env.TEST_NAMESPACE }}

	- name: Run tests
	run: \|
	export SIGSTORE_OIDC_ISSUER=${{ steps.kind.outputs.oidc_url }}
	export FULCIO_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.fulcio.url}' -n ${{ env.TEST_NAMESPACE }})
	export REKOR_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.rekor.url}' -n ${{ env.TEST_NAMESPACE }})
	export TUF_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tuf.url}' -n ${{ env.TEST_NAMESPACE }})
	export TSA_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tsa.url}' -n ${{ env.TEST_NAMESPACE }})

	export CLI_STRATEGY=cli_server
	export CLI_SERVER_URL="http://cli-server.local"

	cd e2e
	go test -v ./test/...

	- name: dump the logs of the operator
	run: \|
	kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
	if: failure()

	test-eks:
	name: Test EKS deployment
	runs-on: ubuntu-20.04
	needs: build-operator
	if: github.event_name == 'schedule' \|\| github.event_name == 'workflow_dispatch'
	env:
	AWS_REGION: us-east-2
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	TEST_NAMESPACE: test
	OIDC_ISSUER_URL: ${{ secrets.testing_keycloak }}
	steps:
	- name: Checkout source
	uses: actions/checkout@v4

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Install eksctl
	run: \|
	ARCH=amd64
	PLATFORM=$(uname -s)_$ARCH
	curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
	tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
	sudo mv /tmp/eksctl /usr/local/bin

	- name: Install kubectl
	run: \|
	ARCH=amd64
	PLATFORM=$(uname -s)_$ARCH
	curl -sLO "https://dl.k8s.io/release/v1.22.0/bin/linux/amd64/kubectl"
	chmod +x kubectl
	sudo mv kubectl /usr/local/bin

	- name: run eksctl create cluster
	run: \|
	eksctl create cluster --alb-ingress-access --external-dns-access --name rhtas-eks-${GITHUB_RUN_ID} --nodes 1 --node-type m5.xlarge --spot
	eksctl utils associate-iam-oidc-provider --region=us-east-2 --cluster=rhtas-eks-${GITHUB_RUN_ID} --approve
	eksctl create iamserviceaccount --region us-east-2 --name ebs-csi-controller-sa --namespace kube-system --cluster rhtas-eks-${GITHUB_RUN_ID} --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole
	eksctl create addon --name aws-ebs-csi-driver --cluster rhtas-eks-${GITHUB_RUN_ID} --service-account-role-arn arn:aws:iam::${{ secrets.AWS }}:role/AmazonEKS_EBS_CSI_DriverRole --force
	kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/aws/deploy.yaml
	kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	pattern: "*-image"
	merge-multiple: true
	path: /tmp

	- name: Load images
	run: podman load -i /tmp/operator-oci.tar

	- name: Push images
	run: podman push $IMG

	- name: Create namespace and serviceaccounts with redhat registry login
	run: \|
	kubectl create ns ${{ env.TEST_NAMESPACE }}
	kubectl create secret generic redhat-registry -n ${{ env.TEST_NAMESPACE }} --from-file=.dockerconfigjson=/tmp/config.json --type=kubernetes.io/dockerconfigjson
	kubectl patch serviceaccount default --type=merge -p '{"imagePullSecrets": [{"name":"redhat-registry"}]}' -n ${{ env.TEST_NAMESPACE }}
	for NAME in "fulcio" "ctlog" "trillian" "rekor" "tuf" "tsa"
	do
	echo """
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: $NAME
	namespace: $TEST_NAMESPACE
	imagePullSecrets:
	- name: redhat-registry
	""" \|
	kubectl create -f -
	done

	- name: Deploy operator container
	env:
	OPENSHIFT: false
	run: make deploy

	# TODO: deploy ingress and execute e2e
	- name: Deploy RTHAS
	run: \|
	sed -i 's\|"https://your-oidc-issuer-url"\|${{ secrets.testing_keycloak }}\|g' config/samples/rhtas_v1alpha1_securesign.yaml
	sed -i 's\|enabled: true\|enabled: false\|g' config/samples/rhtas_v1alpha1_securesign.yaml
	sed -i 's\|rhtas.redhat.com/metrics: "true"\|rhtas.redhat.com/metrics: "false"\|g' config/samples/rhtas_v1alpha1_securesign.yaml
	kubectl apply -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}

	- name: Until shell script to wait for deployment to be created
	run: \|
	for i in trillian fulcio rekor tuf ctlog timestampAuthority; do
	until [ ! -z "$(kubectl get $i -n ${{ env.TEST_NAMESPACE }} 2>/dev/null)" ]
	do
	echo "Waiting for $i to be created."
	sleep 3
	done
	done
	shell: bash

	- name: Test components are ready
	run: \|
	kubectl wait --for=condition=ready trillian/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
	kubectl wait --for=condition=ready fulcio/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
	kubectl wait --for=condition=ready rekor/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
	kubectl wait --for=condition=ready ctlog/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
	kubectl wait --for=condition=ready tuf/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
	kubectl wait --for=condition=ready timestampAuthority/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m

	- name: Test deployments are ready
	run: \|
	kubectl wait --for=condition=available deployment/trillian-db -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/trillian-logserver -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/trillian-logsigner -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/fulcio-server -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/rekor-server -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/rekor-redis -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/rekor-search-ui -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/tuf -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/ctlog -n ${{ env.TEST_NAMESPACE }}
	kubectl wait --for=condition=available deployment/tsa-server -n ${{ env.TEST_NAMESPACE }}

	- name: Archive test artifacts
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: test-eks
	path: test/*/k8s-dump-.tar.gz

	- name: dump the logs of the operator
	run: \|
	kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
	if: always()

	- name: delete the cluster
	run: eksctl delete cluster --name rhtas-eks-${GITHUB_RUN_ID} --region us-east-2 --wait
	if: always()

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update golang docker tag to v1.23 #3418

Workflow file

chore(deps): update golang docker tag to v1.23 #3418

Jobs

Run details

Workflow file for this run