feat: add kcl-run promotion step #16730
Workflow file for this run
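# CI workflow: unit tests, linters, codegen drift check, then image and CLI
# builds once every check job has passed.
#
# Supply-chain posture visible in this file:
#   - Every third-party action is pinned to a full commit SHA; the trailing
#     comment records the release tag that SHA corresponds to.
#   - The workflow-level GITHUB_TOKEN is read-only; jobs that need more widen
#     it explicitly in their own `permissions:` block.
#   - harden-runner runs first in every job with `egress-policy: audit`, which
#     records outbound calls but does not block them.
#     NOTE(review): several jobs run inside a `container:`; confirm that the
#     pinned harden-runner version actually monitors container jobs.
#   - Container and service images are pinned by tag, not by digest, so they
#     are not immutable the way the SHA-pinned actions are.
name: CI

on:
  pull_request:
    branches-ignore:
      - newdocs
  merge_group:
  push:
    branches:
      - main
      - release-*

# Least-privilege default for every job below.
permissions:
  contents: read

jobs:

  test-unit:
    runs-on: ubuntu-latest
    container:
      # Anchor reused by the other Go jobs so the toolchain image is bumped in
      # one place.
      image: &golangImage golang:1.26.1-trixie
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      # Install Git from "trixie" repository to get a more recent version than
      # the one available in "stable". This can be removed once the version in
      # "stable" is updated to >= 2.42.0 (which supports `--orphan` for `git
      # worktree add`).
      # NOTE(review): the job image tag is already `-trixie`; confirm this
      # step is still needed.
      # apt authenticates packages through signed repository metadata, so the
      # http:// mirror URL does not by itself weaken package integrity.
      - name: Update Git to >= 2.42
        run: |
          echo "deb http://deb.debian.org/debian trixie main" > /etc/apt/sources.list.d/trixie.list
          apt update && apt install -y -t trixie git
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: /go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Run unit tests
        run: make test-unit
      # Strip generated sources from each coverage report. Variables are
      # quoted so a path with unusual characters cannot split into several
      # arguments.
      - name: Remove generated code from report
        run: |
          for report in $(find . -maxdepth 4 -type f -name 'coverage.txt'); do
            tmp_file="$(dirname "$report")/coverage.tmp"
            grep -v .pb.go "$report" | grep -v zz_ | grep -v .connect.go | grep -v 'pkg/client/generated/' > "$tmp_file"
            mv "$tmp_file" "$report"
          done
      # The secret is passed only to this step, not to the steps above that
      # execute repository code.
      - name: Upload coverage reports
        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

  lint-and-typecheck-ui:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.pnpm-store
          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-
      - name: Install pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
        with:
          package_json_file: ui/package.json
      - name: Install nodejs
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.7.0"
          cache: "pnpm"
          cache-dependency-path: "**/pnpm-lock.yaml"
      - name: Run typecheck
        run: make typecheck-ui
      - name: Run linter
        run: make lint-ui

  lint-go:
    # NOTE(review): no step below is shown creating check runs; confirm that
    # `checks: write` is still required before keeping the wider token.
    permissions:
      contents: read # Permissions to read the repository, required because we override the default permissions
      checks: write # Used to create checks (linting comments) on PRs
    runs-on: ubuntu-latest
    container:
      image: *golangImage
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Cache golangci-lint
        id: cache-golangci-lint
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            hack/bin/golangci-lint
            hack/bin/golangci-lint-*
          key: ${{ runner.os }}-golangci-lint-${{ hashFiles('hack/tools/go.mod') }}
      - name: Install golangci-lint
        if: steps.cache-golangci-lint.outputs.cache-hit != 'true'
        run: make install-golangci-lint
      # Trust only the checked-out workspace rather than '*', which would turn
      # off Git's repository-ownership check for every directory. This is the
      # same path the check-codegen job uses.
      - name: Configure Git
        run: git config --global --add safe.directory /__w/kargo/kargo
      - name: Run linter
        run: make lint-go

  lint-charts:
    runs-on: ubuntu-latest
    container:
      image: *golangImage
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Cache helm
        id: cache-helm
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            hack/bin/helm
            hack/bin/helm-*
          key: ${{ runner.os }}-helm-${{ hashFiles('hack/tools/go.mod') }}
      - name: Install helm
        if: steps.cache-helm.outputs.cache-hit != 'true'
        run: make install-helm
      - name: Run linter
        run: make lint-charts

  lint-proto:
    # NOTE(review): as in lint-go, confirm `checks: write` is still required.
    permissions:
      contents: read # Permissions to read the repository, required because we override the default permissions
      checks: write # Used to create checks (linting comments) on PRs
    runs-on: ubuntu-latest
    container:
      image: *golangImage
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Cache buf
        id: cache-buf
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            hack/bin/buf
            hack/bin/buf-*
          key: ${{ runner.os }}-buf-${{ hashFiles('hack/tools/go.mod') }}
      - name: Install buf
        if: steps.cache-buf.outputs.cache-hit != 'true'
        run: make install-buf
      - name: Run linter
        env:
          BUF_LINT_ERROR_FORMAT: github-actions
        run: make lint-proto

  check-codegen:
    runs-on: ubuntu-latest
    container:
      image: *golangImage
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # -y keeps the install non-interactive, matching the apt call in
      # test-unit.
      - name: Install tools
        run: apt update && apt install -y unzip
      - name: Install pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
        with:
          package_json_file: ui/package.json
      - name: Install nodejs
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "24.7.0"
          cache: "pnpm"
          cache-dependency-path: "**/pnpm-lock.yaml"
      - name: Install nodejs dependencies
        run: pnpm install --dev
        working-directory: ./ui
      - name: Cache Go modules
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: /go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Cache tools
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            hack/bin
            hack/include
          key: ${{ runner.os }}-tools-${{ hashFiles('hack/tools/go.mod', 'hack/tools.mk') }}
      - name: Git stuff
        # As of go 1.20, this seems to be necessary for invoking git commands
        # within the container
        run: git config --global --add safe.directory /__w/kargo/kargo
      - name: Run Codegen
        run: make codegen
      # Fails the job if regenerating code changed any tracked file.
      - name: Check nothing has changed
        run: git diff --exit-code -- .

  build-image:
    needs: [test-unit, lint-go, lint-charts, lint-proto, lint-and-typecheck-ui, check-codegen]
    runs-on: ubuntu-latest
    # Throwaway registry that holds the per-architecture base images for the
    # final build; nothing in this job pushes to an external registry.
    services:
      registry:
        image: registry:3.0.0
        ports:
          - "5000:5000"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          # Host networking lets the builder reach the registry service at
          # localhost:5000.
          driver-opts: network=host
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build base image
        run: |
          BASE_IMAGE=localhost:5000/kargo-base make build-base-image
          docker push localhost:5000/kargo-base:latest-arm64
          docker push localhost:5000/kargo-base:latest-amd64
      - name: Build final image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          platforms: linux/amd64,linux/arm64
          build-args: |
            BASE_IMAGE=localhost:5000/kargo-base
          # Build-only verification: the final image is never pushed.
          push: false
          cache-from: type=gha
          cache-to: type=gha,mode=max

  build-cli:
    needs: [test-unit, lint-go, lint-charts, lint-proto, lint-and-typecheck-ui, check-codegen]
    runs-on: ubuntu-latest
    container:
      image: *golangImage
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: /go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Build CLI
        env:
          # Skip VCS stamping so the build does not invoke git in the
          # container.
          GOFLAGS: -buildvcs=false
        run: make build-cli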