add Intel SGX vault support with file storage implementation #1815
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - "main" | |
| tags: | |
| - "v*" | |
| - "rc*" | |
| pull_request: | |
| name: Test and publish | |
| permissions: | |
| contents: write | |
| deployments: write | |
| issues: write | |
| packages: write | |
| env: | |
| GO_VERSION: '1.21' | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - uses: actions/checkout@v5 | |
| - name: Run tests | |
| run: | | |
| export GIT_COMMIT_SHA='${{ github.sha }}' | |
| export GIT_BRANCH="$(echo '${{ github.ref }}' | sed -E -e 's/.*\/(.*)/\1/')" | |
| echo "Running tests..." | |
| mkdir unitcoverage | |
| go test -cover $(go list ./... | grep -v integration_test) -args -test.gocoverdir="$PWD/unitcoverage" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: unit-test-coverage | |
| path: ./unitcoverage/ | |
| publish: | |
| name: Goreleaser | |
| runs-on: ubuntu-latest | |
| needs: test | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Write .env file | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| touch .env | |
| echo GITHUB_TOKEN="$GITHUB_TOKEN" >> .env | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: goreleaser release preview | |
| run: make release-preview | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - name: remove slash from image tag | |
| uses: mad9000/actions-find-and-replace-string@5 | |
| id: replaceslash | |
| with: | |
| source: ${{ github.head_ref || github.ref_name }} | |
| find: '/' | |
| replace: '-' | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - name: Tag Docker images appropriately | |
| run: > | |
| docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-amd64 ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64; | |
| docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-arm64 ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-arm64; | |
| docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-armv7 ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-armv7; | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - name: Push Signatory preview images to GH Container Registry | |
| run: > | |
| docker push ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64; | |
| docker push ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-arm64; | |
| docker push ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-armv7; | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - name: goreleaser release | |
| run: make release | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| deploy-ec2: | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| needs: publish | |
| runs-on: ec2 | |
| steps: | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: remove slash from image tag | |
| uses: mad9000/actions-find-and-replace-string@5 | |
| id: replaceslash | |
| with: | |
| source: ${{ github.head_ref || github.ref_name }} | |
| find: '/' | |
| replace: '-' | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - name: pull and start the Signatory image under test | |
| env: | |
| IMAGE: ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64 | |
| run: > | |
| docker pull $IMAGE; | |
| docker stop signatory; | |
| docker rm signatory; | |
| docker run -d --name signatory --privileged --mount type=bind,src=/etc/signatory,dst=/etc/signatory --mount type=bind,src=/var/lib/signatory,dst=/var/lib/signatory -p 6732:6732 -p 9583:9583 --entrypoint "/bin/signatory" $IMAGE -c /etc/signatory/config.yml serve | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| integration-tests: | |
| # if: "!startsWith(github.ref, 'refs/tags/v')" | |
| if: false | |
| needs: deploy-ec2 | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| testenvs: | |
| - current | |
| - next | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: remove slash from image tag | |
| uses: mad9000/actions-find-and-replace-string@5 | |
| id: replaceslash | |
| with: | |
| source: ${{ github.head_ref || github.ref_name }} | |
| find: '/' | |
| replace: '-' | |
| if: "!startsWith(github.ref, 'refs/tags/v')" | |
| - if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref, 'refs/tags/v')}} | |
| name: Tailscale | |
| uses: tailscale/github-action@v1 | |
| with: | |
| authkey: ${{ secrets.TAILSCALE_AUTHKEY }} | |
| version: 1.32.2 | |
| - name: Run tests | |
| env: | |
| IMAGE: ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64 | |
| VAULT_AWS_USER: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }} | |
| VAULT_AWS_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }} | |
| VAULT_AWS_SECRET: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }} | |
| VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} | |
| VAULT_AWS_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} | |
| VAULT_AWS_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} | |
| VAULT_AWS_TZ3_PK: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3_PK }} | |
| VAULT_AZ_CLIENTCERTTHUMB: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTCERTTHUMB }} | |
| VAULT_AZ_CLIENTID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTID }} | |
| VAULT_AZ_RESGROUP: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_RESGROUP }} | |
| VAULT_AZ_SP_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }} | |
| VAULT_AZ_SUBID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_SUBID }} | |
| VAULT_AZ_TENANTID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TENANTID }} | |
| VAULT_AZ_VAULT: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_VAULT }} | |
| VAULT_AZ_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ2 }} | |
| VAULT_AZ_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ3 }} | |
| VAULT_AZ_TZ3_PK: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ3_PK }} | |
| VAULT_GCP_PROJECTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} | |
| VAULT_GCP_PRIVATEKEYID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} | |
| VAULT_GCP_PRIVATEKEY: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} | |
| VAULT_GCP_CLIENTEMAIL: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTEMAIL }} | |
| VAULT_GCP_CLIENTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTID }} | |
| VAULT_GCP_X509_URL: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_X509_URL }} | |
| VAULT_GCP_KEYRING: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_KEYRING }} | |
| VAULT_GCP_LOCATION: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_LOCATION }} | |
| VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} | |
| VAULT_GCP_TZ3_PK: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3_PK }} | |
| run: > | |
| cd integration_test; | |
| export ARCH=amd64; | |
| . ./.env.${{ matrix.testenvs }}; | |
| envsubst < gcp-token-template.json > gcp-token.json; | |
| echo $VAULT_AZ_SP_KEY |base64 -d >service-principal.key; | |
| chmod 777 ./hashicerts; | |
| docker compose up -d --wait --pull always; | |
| cd tests; | |
| go test -p 1 ./...; | |
| cd ..; | |
| docker compose kill; | |
| rm -f gcp-token.json; | |
| rm -f service-principal.key; | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: integration-test-coverage-env${{ matrix.testenvs }} | |
| path: ./integration_test/coverage/ | |
| report-coverage: | |
| if: false | |
| needs: integration-tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| name: unit-test-coverage | |
| path: unit-test-coverage | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| name: integration-test-coverage-envcurrent | |
| path: integration-test-coverage-envcurrent | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| name: integration-test-coverage-envnext | |
| path: integration-test-coverage-envnext | |
| - name: Combine Coverages | |
| run: | | |
| echo "Generating coverage report..." | |
| export GIT_COMMIT_SHA='${{ github.sha }}' | |
| export GIT_BRANCH="$(echo '${{ github.ref }}' | sed -E -e 's/.*\/(.*)/\1/')" | |
| go tool covdata textfmt -i=./unit-test-coverage,./integration-test-coverage-envcurrent,./integration-test-coverage-envnext -o ./c.out | |
| rm -rf ./unit-test-coverage | |
| rm -rf ./integration-test-coverage-envcurrent | |
| rm -rf ./integration-test-coverage-envnext | |
| sed -i 's/\/go\/src\/github.com/github.com/g' ./c.out | |
| - uses: qltysh/qlty-action/coverage@v2 | |
| with: | |
| token: ${{ secrets.QLTY_COVERAGE_TOKEN }} | |
| files: c.out | |
| strip-prefix: github.com/ecadlabs/signatory/ |