Proposal: Try using Earthly instead of Make for one release #8014
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- master | |
- release-* | |
pull_request: {} | |
workflow_dispatch: {} | |
env: | |
# Common versions | |
EARTHLY_VERSION: '0.8.11' | |
GO_VERSION: '1.22.3' | |
# Force Earthly to use color output | |
FORCE_COLOR: "1" | |
# Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run | |
# a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether | |
# credentials have been provided before trying to run steps that need them. | |
DOCKER_USR: ${{ secrets.DOCKER_USR }} | |
AWS_USR: ${{ secrets.AWS_USR }} | |
UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} | |
jobs: | |
check-diff: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
submodules: true | |
- name: Setup Earthly | |
uses: earthly/actions-setup@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
version: ${{ env.EARTHLY_VERSION }} | |
- name: Login to DockerHub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate Files | |
run: earthly --strict +generate | |
- name: Count Changed Files | |
id: changed_files | |
run: echo "count=$(git status --porcelain | wc -l)" >> $GITHUB_OUTPUT | |
- name: Fail if Files Changed | |
if: steps.changed_files.outputs.count != 0 | |
uses: actions/github-script@v7 | |
with: | |
script: core.setFailed('Found changed files after running earthly +generate.'') | |
lint: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
submodules: true | |
- name: Setup Earthly | |
uses: earthly/actions-setup@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
version: ${{ env.EARTHLY_VERSION }} | |
- name: Login to DockerHub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
- name: Lint | |
run: earthly --strict +lint | |
# TODO(negz): Run this in Earthly? It seems like CodeQL needs to wrap the | |
# 'go build' command. | |
codeql: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
- name: Setup Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3 | |
with: | |
languages: go | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3 | |
trivy-scan-fs: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
submodules: true | |
- name: Run Trivy | |
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
skip-dirs: design | |
scan-ref: '.' | |
severity: 'CRITICAL,HIGH' | |
format: sarif | |
output: 'trivy-results.sarif' | |
- name: Upload Trivy Results to GitHub | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
unit-tests: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
submodules: true | |
- name: Setup Earthly | |
uses: earthly/actions-setup@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
version: ${{ env.EARTHLY_VERSION }} | |
- name: Login to DockerHub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
- name: Run Unit Tests | |
run: earthly --strict +test | |
- name: Publish Unit Test Coverage | |
uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17 # v4 | |
with: | |
flags: unittests | |
file: _output/tests/coverage.txt | |
token: ${{ secrets.CODECOV_TOKEN }} | |
e2e-tests: | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
test-suite: | |
- base | |
- environment-configs | |
- usage | |
- ssa-claims | |
- realtime-compositions | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
submodules: true | |
- name: Setup Earthly | |
uses: earthly/actions-setup@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
version: ${{ env.EARTHLY_VERSION }} | |
- name: Login to DockerHub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
- name: Run E2E Tests | |
run: earthly --strict --allow-privileged +e2e --FLAGS="-test.failfast -fail-fast --test-suite ${{ matrix.test-suite }}" | |
- name: Publish E2E Test Flakes | |
if: '!cancelled()' | |
uses: buildpulse/buildpulse-action@d0d30f53585cf16b2e01811a5a753fd47968654a # v0.11.0 | |
with: | |
account: 45158470 | |
repository: 147886080 | |
key: ${{ secrets.BUILDPULSE_ACCESS_KEY_ID }} | |
secret: ${{ secrets.BUILDPULSE_SECRET_ACCESS_KEY }} | |
path: _output/tests/e2e-tests.xml | |
publish-artifacts: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Cleanup Disk | |
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 | |
with: | |
android: true | |
dotnet: true | |
haskell: true | |
tool-cache: true | |
swap-storage: false | |
# This works, and saves ~5GiB, but takes ~2 minutes to do it. | |
large-packages: false | |
# TODO(negz): Does having these around avoid Earthly needing to pull | |
# large images like golang? | |
docker-images: false | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Earthly | |
uses: earthly/actions-setup@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
version: ${{ env.EARTHLY_VERSION }} | |
- name: Login to DockerHub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
- name: Login to Upbound | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' | |
with: | |
registry: xpkg.upbound.io | |
username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} | |
password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} | |
- name: Build Artifacts | |
run: earthly --strict +artifacts --CROSSPLANE_VERSION=$(git describe --dirty --always --tags|sed -e 's/-/./2g') | |
- name: Publish Artifacts to GitHub | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 | |
with: | |
name: output | |
path: _output/** | |
fuzz-test: | |
runs-on: ubuntu-22.04 | |
steps: | |
# TODO(negz): Can we make this use our Go build and dependency cache? It | |
# seems to build Crossplane inside of a Docker image. | |
- name: Build Fuzzers | |
id: build | |
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master | |
with: | |
oss-fuzz-project-name: "crossplane" | |
language: go | |
- name: Run Fuzzers | |
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master | |
with: | |
oss-fuzz-project-name: "crossplane" | |
fuzz-seconds: 300 | |
language: go | |
- name: Upload Crash | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 | |
if: failure() && steps.build.outcome == 'success' | |
with: | |
name: artifacts | |
path: ./out/artifacts | |
# TODO(negz): Refactor this job. Should the parts pertaining to release | |
# branches live in promote.yaml instead? | |
protobuf-schemas: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
- name: Setup Buf | |
uses: bufbuild/buf-setup-action@v1 | |
- name: Lint Protocol Buffers | |
uses: bufbuild/buf-lint-action@v1 | |
with: | |
input: apis | |
# buf-breaking-action doesn't support branches | |
# https://github.com/bufbuild/buf-push-action/issues/34 | |
- name: Detect Breaking Changes in Protocol Buffers | |
uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1 | |
# We want to run this for the master branch, and PRs against master. | |
if: ${{ github.ref == 'refs/heads/master' || github.base_ref == 'master' }} | |
with: | |
input: apis | |
against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=master,subdir=apis" | |
- name: Push Protocol Buffers to Buf Schema Registry | |
if: ${{ github.repository == 'crossplane/crossplane' && github.ref == 'refs/heads/master' }} | |
uses: bufbuild/buf-push-action@v1 | |
with: | |
input: apis | |
buf_token: ${{ secrets.BUF_TOKEN }} |