.github/workflows/build.yml - trafficserver-ingress-controller - Git at Google

 name: Build and Integrate

 on:
   push:
     branches:
     - 'master'
     paths-ignore:
     - '.vscode/**'
     - 'charts/**'
     - 'docs/**'

 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: apache/ats-ingress

 jobs:
   build-and-integrate:
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results

     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: 'true'

       - name: Setup Minikube
         uses: manusa/actions-setup-minikube@v2.13.0
         with:
           minikube version: 'v1.37.0'
           kubernetes version: 'v1.32.10'
           driver: 'docker'
           container runtime: 'docker'
           github token: ${{ secrets.GITHUB_TOKEN }}

       - name: Set up Python 3.9
         uses: actions/setup-python@v5
         with:
           python-version: '3.9.23'

       - name: Build ATS Alpine
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t ats-ingress . --network=host

 #      - name: Build Exporter
 #        run: docker build -t ats-ingress-exporter k8s/images/trafficserver_exporter/

       - name: Build App 1
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t node-app-1 k8s/images/node-app-1/

       - name: Build App 2
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t node-app-2 k8s/images/node-app-2/

       - name: Build Caching App
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t caching-app k8s/images/caching-app/

       - name: Create CA to sign certificates
         run: |
           mkdir -p tests/certs
           openssl genrsa -out tests/certs/rootCA.key 4096
           openssl req -x509 -new -key tests/certs/rootCA.key -sha256 -days 1 -out tests/certs/rootCA.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"

       - name: Create Certs for node-app-4
         run: |
           openssl genrsa -out k8s/images/node-app-4/origin.key 4096
           openssl req -x509 -new -key k8s/images/node-app-4/origin.key -sha256 -days 1 -out k8s/images/node-app-4/origin.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com"

       - name: Create Certs for node-app-3
         run: |
           openssl genrsa -out k8s/images/node-app-3/backend.key 2048
           openssl req -new -key k8s/images/node-app-3/backend.key -out k8s/images/node-app-3/backend.csr -subj "/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local"
           openssl x509 -req -in k8s/images/node-app-3/backend.csr -CA tests/certs/rootCA.crt -CAkey tests/certs/rootCA.key -CAcreateserial -out k8s/images/node-app-3/backend.crt -days 1 -sha256

       - name: Build App 3
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t node-app-3 k8s/images/node-app-3/

       - name: Build App 4
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t node-app-4 k8s/images/node-app-4/

       - name: Install dependencies
         run: |
           cd tests
           python -m pip install --upgrade pip
           pip install -r requirements.txt

       - name: Test
         run: |
           cd tests
           pytest -q --minikubeip="$(minikube ip)" suite/test_ingress.py

       - name: Log in to the Container registry
         if: github.repository == 'apache/trafficserver-ingress-controller'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}

       - name: Extract metadata (tags, labels) for Docker
         if: github.repository == 'apache/trafficserver-ingress-controller'
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}

       - name: Build and push Docker image
         if: github.repository == 'apache/trafficserver-ingress-controller'
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           no-cache: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

       - name: Run Trivy vulnerability scanner
         if: github.repository == 'apache/trafficserver-ingress-controller'
         uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           format: 'sarif'
           output: 'trivy-results.sarif'

       - name: Upload Trivy scan results to GitHub Security tab
         if: github.repository == 'apache/trafficserver-ingress-controller'
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
	name: Build and Integrate

	on:
	push:
	branches:
	- 'master'
	paths-ignore:
	- '.vscode/**'
	- 'charts/**'
	- 'docs/**'

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: apache/ats-ingress

	jobs:
	build-and-integrate:
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	packages: write
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: 'true'

	- name: Setup Minikube
	uses: manusa/actions-setup-minikube@v2.13.0
	with:
	minikube version: 'v1.37.0'
	kubernetes version: 'v1.32.10'
	driver: 'docker'
	container runtime: 'docker'
	github token: ${{ secrets.GITHUB_TOKEN }}

	- name: Set up Python 3.9
	uses: actions/setup-python@v5
	with:
	python-version: '3.9.23'

	- name: Build ATS Alpine
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t ats-ingress . --network=host

	# - name: Build Exporter
	# run: docker build -t ats-ingress-exporter k8s/images/trafficserver_exporter/

	- name: Build App 1
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t node-app-1 k8s/images/node-app-1/

	- name: Build App 2
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t node-app-2 k8s/images/node-app-2/

	- name: Build Caching App
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t caching-app k8s/images/caching-app/

	- name: Create CA to sign certificates
	run: \|
	mkdir -p tests/certs
	openssl genrsa -out tests/certs/rootCA.key 4096
	openssl req -x509 -new -key tests/certs/rootCA.key -sha256 -days 1 -out tests/certs/rootCA.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"

	- name: Create Certs for node-app-4
	run: \|
	openssl genrsa -out k8s/images/node-app-4/origin.key 4096
	openssl req -x509 -new -key k8s/images/node-app-4/origin.key -sha256 -days 1 -out k8s/images/node-app-4/origin.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com"

	- name: Create Certs for node-app-3
	run: \|
	openssl genrsa -out k8s/images/node-app-3/backend.key 2048
	openssl req -new -key k8s/images/node-app-3/backend.key -out k8s/images/node-app-3/backend.csr -subj "/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local"
	openssl x509 -req -in k8s/images/node-app-3/backend.csr -CA tests/certs/rootCA.crt -CAkey tests/certs/rootCA.key -CAcreateserial -out k8s/images/node-app-3/backend.crt -days 1 -sha256

	- name: Build App 3
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t node-app-3 k8s/images/node-app-3/

	- name: Build App 4
	run: \|
	eval $(minikube -p minikube docker-env)
	docker build -t node-app-4 k8s/images/node-app-4/

	- name: Install dependencies
	run: \|
	cd tests
	python -m pip install --upgrade pip
	pip install -r requirements.txt

	- name: Test
	run: \|
	cd tests
	pytest -q --minikubeip="$(minikube ip)" suite/test_ingress.py

	- name: Log in to the Container registry
	if: github.repository == 'apache/trafficserver-ingress-controller'
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract metadata (tags, labels) for Docker
	if: github.repository == 'apache/trafficserver-ingress-controller'
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	tags: \|
	type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}

	- name: Build and push Docker image
	if: github.repository == 'apache/trafficserver-ingress-controller'
	uses: docker/build-push-action@v5
	with:
	context: .
	push: true
	no-cache: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

	- name: Run Trivy vulnerability scanner
	if: github.repository == 'apache/trafficserver-ingress-controller'
	uses: aquasecurity/trivy-action@0.24.0
	with:
	image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
	format: 'sarif'
	output: 'trivy-results.sarif'

	- name: Upload Trivy scan results to GitHub Security tab
	if: github.repository == 'apache/trafficserver-ingress-controller'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'