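name: ce

# The inputs and outputs for this workflow have been carefully defined as a sort of workflow
# interface as defined in the build.yml workflow. The inputs and outputs here must be consistent
# across the build-artifacts-ce workflow and the build-artifacts-ent workflow.
#
# Trust boundary: `checkout-ref` is handed straight to actions/checkout in jobs that also receive
# `secrets.ELEVATED_GITHUB_TOKEN`, so whatever ref a caller supplies gets built with that token in
# reach of the checked-out build tooling. Only trusted callers should be able to reach this
# workflow: the build.yml workflow that calls it, and manual dispatch (which GitHub limits to
# users with write access). A caller that forwarded a fork-controlled ref here would hand the
# fork's build scripts the elevated token.

on:
  workflow_dispatch:
    inputs:
      build-all:
        type: boolean
        description: Build all extended artifacts
        default: false
      build-date:
        type: string
        # NOTE(review): not referenced by any job in this file; presumably accepted only to keep
        # the interface identical to the ent workflow — confirm before removing.
        description: The date associated with the revision SHA
        required: true
      checkout-ref:
        type: string
        # An empty string lets actions/checkout fall back to its default (the triggering ref).
        description: The repo Git SHA to checkout
        default: ""
      compute-build:
        type: string # JSON encoded to support passing arrays
        description: A JSON encoded "runs-on" for build workflows
        required: true
      compute-small:
        type: string # JSON encoded to support passing arrays
        description: A JSON encoded "runs-on" for non-resource-intensive workflows
        required: true
      vault-revision:
        type: string
        # Embedded in the docker artifact names emitted by the core job.
        description: The revision SHA of vault
        required: true
      vault-version:
        type: string
        description: The version of vault
        required: true
      vault-version-package:
        type: string
        # This is the version string embedded in the .deb/.rpm artifact names
        # (vault_<version-package>-1_amd64.deb etc.), not a boolean switch.
        description: The package-formatted version of vault used in Debian and RPM artifact names
        required: true
      web-ui-cache-key:
        type: string
        description: The UI asset cache key
        required: true
  workflow_call:
    # Same interface as workflow_dispatch above; descriptions are repeated so the reusable
    # workflow is self-documenting for callers.
    inputs:
      build-all:
        type: boolean
        description: Build all extended artifacts
        default: false
      build-date:
        type: string
        description: The date associated with the revision SHA
        required: true
      checkout-ref:
        type: string
        # Caller-controlled; see the trust-boundary note at the top of this file.
        description: The repo Git SHA to checkout
        default: ""
      compute-build:
        type: string # JSON encoded to support passing arrays
        description: A JSON encoded "runs-on" for build workflows
        required: true
      compute-small:
        type: string # JSON encoded to support passing arrays
        description: A JSON encoded "runs-on" for non-resource-intensive workflows
        required: true
      vault-revision:
        type: string
        description: The revision SHA of vault
        required: true
      vault-version:
        type: string
        description: The version of vault
        required: true
      vault-version-package:
        type: string
        description: The package-formatted version of vault used in Debian and RPM artifact names
        required: true
      web-ui-cache-key:
        type: string
        description: The UI asset cache key
        required: true
    outputs:
      # Both outputs are JSON-encoded arrays produced by the core job (see jobs.core.outputs).
      testable-containers:
        value: ${{ jobs.core.outputs.testable-containers }}
      testable-packages:
        value: ${{ jobs.core.outputs.testable-packages }}
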
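jobs:
  # Core are the Linux builds that are officially supported and tested as part of the normal
  # CI/CD pipeline.
  #
  # Neither core nor extended sets `permissions:`, so they run with whatever GITHUB_TOKEN
  # permissions the caller (or the repository default) grants. The build-vault action is handed a
  # separate PAT (ELEVATED_GITHUB_TOKEN) below; if it does not also need GITHUB_TOKEN beyond
  # reading the repo, `permissions: { contents: read }` on these jobs would narrow the blast
  # radius — confirm against .github/actions/build-vault before adding it.
  core:
    strategy:
      matrix:
        include:
          - goos: linux
            goarch: amd64
            redhat: true
          - goos: linux
            goarch: arm64
            redhat: true
      fail-fast: true
    runs-on: ${{ fromJSON(inputs.compute-build) }}
    name: (${{ matrix.goos }}, ${{ matrix.goarch }})
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Caller-controlled ref. The composite action below runs build tooling from this
          # checkout with ELEVATED_GITHUB_TOKEN available, so callers must only pass trusted refs.
          ref: ${{ inputs.checkout-ref }}
      - uses: ./.github/actions/build-vault
        with:
          cgo-enabled: 0
          create-docker-container: true
          create-packages: true
          create-redhat-container: ${{ matrix.redhat }}
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          goarch: ${{ matrix.goarch }}
          goos: ${{ matrix.goos }}
          go-tags: ui
          package-name: vault
          vault-binary-name: vault
          vault-edition: ce
          vault-version: ${{ inputs.vault-version }}
          web-ui-cache-key: ${{ inputs.web-ui-cache-key }}
    outputs:
      # Outputs are strings so we need to encode our collection outputs as JSON.
      #
      # NOTE(review): the first container entry below is named `ce_default_linux_amd64_ent_docker`
      # while every other sample in this file uses `_ce_`. These names have to match the sample
      # definitions that consume them, so it is flagged here rather than changed — confirm which
      # side is right.
      testable-containers: |
        [
          {
            "sample": "ce_default_linux_amd64_ent_docker",
            "artifact": "vault_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
            "edition": "ce"
          },
          {
            "sample": "ce_default_linux_arm64_ce_docker",
            "artifact": "vault_default_linux_arm64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
            "edition": "ce"
          },
          {
            "sample": "ce_ubi_linux_amd64_ce_redhat",
            "artifact": "vault_ubi_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.redhat.tar",
            "edition": "ce"
          },
          {
            "sample": "ce_ubi_linux_arm64_ce_redhat",
            "artifact": "vault_ubi_linux_arm64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.redhat.tar",
            "edition": "ce"
          }
        ]
      # Package artifact names use vault-version-package (the .deb/.rpm formatted version) for
      # deb/rpm and plain vault-version for the zip.
      testable-packages: |
        [
          { "sample": "build_ce_linux_amd64_deb",
            "artifact": "vault_${{ inputs.vault-version-package }}-1_amd64.deb",
            "edition": "ce"
          },
          { "sample": "build_ce_linux_arm64_deb",
            "artifact": "vault_${{ inputs.vault-version-package }}-1_arm64.deb",
            "edition": "ce"
          },
          { "sample": "build_ce_linux_amd64_rpm",
            "artifact": "vault-${{ inputs.vault-version-package }}-1.x86_64.rpm",
            "edition": "ce"
          },
          { "sample": "build_ce_linux_arm64_rpm",
            "artifact": "vault-${{ inputs.vault-version-package }}-1.aarch64.rpm",
            "edition": "ce"
          },
          { "sample": "build_ce_linux_amd64_zip",
            "artifact": "vault_${{ inputs.vault-version }}_linux_amd64.zip",
            "edition": "ce"
          },
          { "sample": "build_ce_linux_arm64_zip",
            "artifact": "vault_${{ inputs.vault-version }}_linux_arm64.zip",
            "edition": "ce"
          }
        ]

  # Extended build targets are best-case builds for non-Linux platforms that we create for
  # convenience but are not built or tested as part of our normal CI pipeline.
  extended:
    if: inputs.build-all == true
    strategy:
      matrix:
        docker:
          - false
        packages:
          - false
        goos:
          - freebsd
          - windows
        goarch:
          # Quoted so YAML keeps this as the string "386" rather than an integer.
          - "386"
          - amd64
          - arm
        exclude:
          - goos: windows
            goarch: arm
          - goos: freebsd
            goarch: arm
        include:
          - goos: darwin
            goarch: amd64
            go-tags: ui netcgo
            docker: false
            packages: false
          - goos: darwin
            goarch: arm64
            go-tags: ui netcgo
            docker: false
            packages: false
          - goos: linux
            goarch: "386"
            docker: true
            packages: true
      fail-fast: true
    name: (${{ matrix.goos }}, ${{ matrix.goarch }})
    runs-on: ${{ fromJSON(inputs.compute-build) }}
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Caller-controlled ref; built with ELEVATED_GITHUB_TOKEN available, as in core.
          ref: ${{ inputs.checkout-ref }}
      - uses: ./.github/actions/build-vault
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          create-docker-container: ${{ matrix.docker }}
          create-packages: ${{ matrix.packages }}
          create-redhat-container: false
          goarch: ${{ matrix.goarch }}
          goos: ${{ matrix.goos }}
          # darwin entries carry their own tags (ui netcgo); everything else builds with `ui`.
          go-tags: ${{ matrix.go-tags != '' && matrix.go-tags || 'ui' }}
          vault-binary-name: vault
          vault-edition: ce
          vault-version: ${{ inputs.vault-version }}
          web-ui-cache-key: ${{ inputs.web-ui-cache-key }}

  # Collapses the build matrix into a single pass/fail for the caller. `if: always()` is needed
  # because `extended` is skipped whenever build-all is false, and under GitHub's `needs`
  # semantics a skipped dependency would otherwise skip this job as well.
  status:
    if: always()
    runs-on: ${{ fromJSON(inputs.compute-small) }}
    permissions:
      # NOTE(review): nothing in this job's steps requests an OIDC token. If the runner selected
      # by compute-small does not need it, drop `id-token: write` — the job only reads the
      # dependency results.
      id-token: write
      contents: read
    needs:
      - core
      - extended
    steps:
      # NOTE(review): the checkout is not used by the step below; presumably harmless, but it can
      # likely be removed — confirm nothing (e.g. the runner environment) depends on a workspace.
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ inputs.checkout-ref }}
      - name: Determine status
        env:
          # Passed through the environment instead of interpolated into the script body. The
          # values are runner-controlled (success/failure/cancelled/skipped), so this is hygiene
          # rather than a fix for an actual injection path, but it keeps `run:` free of `${{ }}`.
          NEEDS_RESULTS: ${{ toJSON(needs.*.result) }}
        run: |
          set -euo pipefail
          # toJSON pretty-prints across lines; flatten so the message below is a single line.
          results=$(tr -d '\n' <<< "$NEEDS_RESULTS")
          # `skipped` (extended when build-all is false) counts as success here.
          if grep -q -E '(failure|cancelled)' <<< "$results"; then
            echo "One or more required build workflows failed: ${results}"
            exit 1
          fi
          exit 0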