Skip to content

Fix CVEs

Fix CVEs #134

Workflow file for this run

---
name: ci
on:
push:
branches:
- main
tags:
- v*
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
jobs:
setup_github_runner:
name: Setup actions runner
runs-on: ubuntu-latest
env:
METAL_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }}
METAL_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }}
SERVER_NAME: "nsm-govpp-builder"
SERVER_TYPE: "c3.medium.x86"
METRO: da
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ${{ github.repository }}
- name: Install metal CLI
run: |
curl -L https://github.com/equinix/metal-cli/releases/download/v0.25.0/metal-linux-amd64 -o metal
chmod +x ./metal
mv ./metal /usr/local/bin/metal
metal -v
# Setup ssh to be able to connect to the Packet server
- name: Setup ssh
id: setup_ssh
run: |
echo "${{ secrets.PACKET_SSH_KEY }}" > /tmp/sshkey
chmod 600 /tmp/sshkey
ssh-keygen -t ed25519 -f /tmp/sshkey -y > /tmp/sshkey.pub
printf '\n' >> /tmp/sshkey.pub
metal ssh-key create --key ssh-rsa "$(cat /tmp/sshkey.pub)" --label $SERVER_NAME-ssh -o json | jq -r '.id'
# Create server and wait to be ready
- name: Create server
run: |
metal device create -p $METAL_PROJECT_ID -P $SERVER_TYPE -m $METRO -H $SERVER_NAME -O ubuntu_20_04
max_retry=20
for i in $(seq 1 $max_retry); do
state=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .state')
[ "$state" == "active" ] && break
[[ ${i} -eq $max_retry ]] && echo "Failed!" && exit 1
sleep 30s
echo "Try #$i"
done
# Install GitHub action runner on the Packet server. The script uses RUNNER_TOKEN that we can get from GitHub api (gh api ...)
# Redirect the script output to file to not show the token
- name: Setup actions runner
working-directory: ${{ github.repository }}
run: |
RUNNER_TOKEN=$(gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/networkservicemesh/govpp/actions/runners/registration-token | jq -r '.token')
SSH_OPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /tmp/sshkey"
server_ip=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .ip_addresses[] | select(.public==true and .address_family==4) | .address')
scp ${SSH_OPTS} scripts/setup-actions-runner.sh root@${server_ip}:setup-actions-runner.sh
ssh ${SSH_OPTS} root@${server_ip} "./setup-actions-runner.sh $RUNNER_TOKEN &> f.log"
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
build:
name: build
needs: setup_github_runner
runs-on: self-hosted
outputs:
docker_tag: ${{ steps.docker_push.outputs.docker_tag }}
steps:
- name: Docker install
run: |
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
apt update
apt install docker-ce -y
- name: Check out code
uses: actions/checkout@v2
- uses: actions/setup-go@v4
with:
go-version: 1.20.8
# Use buildx to build for two platforms (amd64, arm64) in one image
- name: Docker Build
run: |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
docker buildx create --use --bootstrap
echo "docker buildx inspect --bootstrap"
docker buildx inspect --bootstrap
echo "docker buildx build --platform linux/amd64,linux/arm64 ."
docker buildx build --platform linux/amd64,linux/arm64 .
docker buildx build -t vpp:version --target version --load .
branch=${{github.event.workflow_run.head_branch}}
if [[ $branch == *release/* ]]; then
TAG=${branch#release/}
else
VPP_VERSION=$(docker run vpp:version)
TAG=v${VPP_VERSION/\~/-}
fi
echo "TAG=${TAG}" >> $GITHUB_ENV
- name: Generate files
run: go generate ./...
- name: Check for changes in generated code
run: |
git diff -- binapi || (echo "Rerun go generate ./... locally and resubmit" && exit -1)
- name: Go Build
run: go build ./...
- name: Login to GitHub Container Registry
id: docker_login
if: ${{ github.event_name == 'push' }}
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
# Use the --push flag to publish the image. Currently, buildx only supports this way.
- name: Docker Push
id: docker_push
if: steps.docker_login.outcome == 'success'
run: |
docker buildx build --platform linux/amd64,linux/arm64 -t ghcr.io/${{github.repository}}/vpp:${TAG} . --target vpp --push
echo docker_tag=${TAG} >> $GITHUB_OUTPUT
- name: Push tag ${TAG}
id: tag_commit
if: ${{ steps.docker_push.outcome == 'success' && !contains(github.event.workflow_run.head_branch, 'release/') }}
run: |
git status
git tag ${TAG} ${{github.sha}}
git push origin ${TAG} -f
delete_github_runner:
name: Delete actions runner
if: ${{ always() }}
needs: [setup_github_runner, build]
runs-on: ubuntu-latest
env:
METAL_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }}
METAL_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }}
SERVER_NAME: "nsm-govpp-builder"
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ${{ github.repository }}
- name: Install metal CLI
run: |
curl -L https://github.com/equinix/metal-cli/releases/download/v0.15.0/metal-linux-amd64 -o metal
chmod +x ./metal
mv ./metal /usr/local/bin/metal
metal -v
# Delete GitHub action runner from the Packet server
- name: Delete actions runner
working-directory: ${{ github.repository }}
run: |
RUNNER_TOKEN=$(gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/networkservicemesh/govpp/actions/runners/remove-token | jq -r '.token')
echo "${{ secrets.PACKET_SSH_KEY }}" > /tmp/sshkey
chmod 600 /tmp/sshkey
SSH_OPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /tmp/sshkey"
server_ip=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .ip_addresses[] | select(.public==true and .address_family==4) | .address')
scp ${SSH_OPTS} scripts/delete-actions-runner.sh root@${server_ip}:delete-actions-runner.sh
ssh ${SSH_OPTS} root@${server_ip} "./delete-actions-runner.sh $RUNNER_TOKEN &> f.log"
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Delete server
run: |
device_id=$(metal device get -p $METAL_PROJECT_ID -o json | jq -r '.[] | select(.hostname==env.SERVER_NAME) | .id')
metal device delete -i $device_id -f
- name: Delete ssh
run: |
export ssh_label=$SERVER_NAME-ssh
ssh_id=$(metal ssh-key get -o json | jq -r '.[] | select(.label==env.ssh_label) | .id')
metal ssh-key delete -i $ssh_id -f
check-gomod-deps:
needs: [build]
if: ${{ contains(github.event.workflow_run.head_branch, 'release/') }}
uses: networkservicemesh/.github/.github/workflows/check-gomod-deps.yaml@main
with:
tag: ${{ needs.build.outputs.docker_tag }}
create-release:
needs: check-gomod-deps
if: ${{ contains(github.event.workflow_run.head_branch, 'release/') }}
uses: networkservicemesh/.github/.github/workflows/release.yaml@main
secrets:
token: ${{ secrets.NSM_BOT_GITHUB_TOKEN }}
update_dependent_repositories:
name: update_dependent_repositories
needs: build
if: ${{ github.event_name == 'push' }}
uses: networkservicemesh/govpp/.github/workflows/update-dependent-repositories.yaml@main
with:
docker_tag: ${{ needs.build.outputs.docker_tag }}
secrets:
token: ${{ secrets.NSM_BOT_GITHUB_TOKEN }}