mega-module.yaml
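# Presubmit workflow: builds the provider from this checkout, then applies a
# subset of the chainguard-images/images Terraform modules against a local k3d
# registry, using the freshly built provider through a dev override.
name: Test Chainguard Images

on:
  pull_request:
    branches: ['main']
  push:
    branches: ['main']

concurrency:
  # NOTE(review): github.head_ref is only populated for pull request events.
  # On push it is empty, so every push to main lands in the same
  # "presubmit-build-" group and a newer push cancels an in-flight run.
  # Confirm this is intended.
  group: presubmit-build-${{ github.head_ref }}
  cancel-in-progress: true

permissions:
  # WARNING: This is mattmoor being a bit *too* clever.
  # We want to be able to test the reproducibility of things via the upstream
  # check-reproducibility test, which requires ambient credentials, but those
  # are only available to pull requests under two circumstances:
  #  1. The trigger is `pull_request_target`, and
  #  2. The pull request is from a branch on the main repo.
  # However, this doesn't cause things to fail when the pull request is from a
  # fork, it will just make the tf-cosign rules NOPs and the
  # check-reproducibility skip.
  #
  # But why not just use pull_request_target?
  # This is because to pull in breaking changes to apko, we will need to update
  # our apko Go dependency and the APKO_IMAGE (below) in the same PR, and the
  # latter cannot be checked with the former if the workflow is
  # pull_request_target.
  #
  # All of that said, dependabot and digestabot PRs come from branches on the
  # main repo, so the net effect of this SHOULD be that we get an error
  # presubmit when digestabot wants to pull in an update that is not
  # reproducible with the version of the apko Go library we depend on.
  #
  # Because a permissions block is present, every scope not listed here is
  # set to `none`; id-token is the only scope this workflow grants.
  id-token: write

jobs:
  build-the-world:
    runs-on: ubuntu-latest

    # NOTE(review): only the two actions/checkout steps are pinned to a full
    # commit SHA. actions/setup-go, sigstore/cosign-installer,
    # imjasonh/setup-crane and hashicorp/setup-terraform are referenced by tag,
    # and the two chainguard-dev/actions steps by the `main` branch. Those refs
    # are mutable, and every step in this job runs with the id-token: write
    # grant above, so pin them the same way as checkout:
    #   uses: OWNER/ACTION@<full-commit-sha>  # <tag>
    steps:
      # In some cases, we run out of disk space during tests, so this hack
      # frees up approx 10G. See the following issue for more info:
      # https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930
      - name: Free up runner disk space
        shell: bash
        run: |
          set -x
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"

      - uses: actions/setup-go@v4  # mutable tag, see NOTE(review) above
        with:
          go-version: '1.20'

      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
        with:
          path: tf-apko
          # No later step performs an authenticated git operation, so do not
          # leave the job token in the checkout's git config where the code
          # built and executed below could read it.
          persist-credentials: false

      - working-directory: tf-apko
        run: go build .

      # Make cosign/crane CLI available to the tests
      - uses: sigstore/cosign-installer@v3.1.1  # mutable tag
      - uses: imjasonh/setup-crane@v0.3  # mutable tag

      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
        with:
          repository: chainguard-images/images
          path: images
          # Same reasoning as the tf-apko checkout: nothing needs the token.
          persist-credentials: false

      - uses: hashicorp/setup-terraform@v2  # mutable tag
        with:
          terraform_version: '1.3.*'
          terraform_wrapper: false

      - uses: chainguard-dev/actions/setup-k3d@main  # mutable branch ref
        with:
          # The sha256 digest is what selects the image; the `latest` tag next
          # to it is informational.
          k3s-image: cgr.dev/chainguard/k3s:latest@sha256:83852bedb0ff480fee871500225321c9cd741db4062fb9b186dccf48a9289458
          registry-authority: registry.local:5000

      - working-directory: images
        env:
          TF_VAR_target_repository: registry.local:5000/tf-apko
          APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:f41b7a5f70d741a117202b5911aad0c0565f46f60d234e44a5d1e47a487b3c85
        # The dev_overrides entry points Terraform at the provider binary that
        # `go build .` produced in tf-apko, so `terraform apply` executes code
        # from the ref under test inside this job.
        run: |
          terraform init

          cat > ~/.terraformrc <<EOF
          provider_installation {
            dev_overrides {
              "chainguard-dev/apko" = "${{ github.workspace }}/tf-apko"
            }
          }
          EOF

          terraform apply -auto-approve \
            -target=module.go \
            -target=module.jdk \
            -target=module.python \
            -target=module.kubernetes
            # TODO(joshwolf): reinclude this once we understand why the tests are failing.
            # -target=module.k3s

      - name: Collect diagnostics and upload
        if: ${{ failure() }}
        uses: chainguard-dev/actions/k8s-diag@main  # mutable branch ref
        with:
          cluster-type: k3d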