chore: upgrade controller-runtime and fleet to fix CVEs (#182) #74
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: E2E Tests | |
| on: | |
| push: | |
| branches: | |
| - main | |
| create: | |
| # Publish semver tags as releases. | |
| tags: [ 'v*.*.*' ] | |
| workflow_dispatch: {} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| GO_VERSION: '1.22.4' | |
| jobs: | |
| detect-noop: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| noop: ${{ steps.noop.outputs.should_skip }} | |
| steps: | |
| - name: Detect No-op Changes | |
| id: noop | |
| uses: fkirc/[email protected] | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| do_not_skip: '["workflow_dispatch", "schedule", "push"]' | |
| concurrent_skipping: false | |
| e2e-tests: | |
| strategy: | |
| # disable fail-fast to continue the in-progress pipeline when one failed job is detected to | |
| # get test results for all scenarios. | |
| fail-fast: false | |
| matrix: | |
| network-setting: [shared-vnet, peered-vnet, dynamic-ip-allocation] | |
| runs-on: ubuntu-latest | |
| needs: [ | |
| detect-noop, | |
| ] | |
| if: needs.detect-noop.outputs.noop != 'true' | |
| steps: | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| - name: Prepare e2e variables | |
| run: | | |
| echo "AZURE_RESOURCE_GROUP="fleet-networking-e2e-$RANDOM"" >> $GITHUB_ENV | |
| # Reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure | |
| - name: 'OIDC Login to Azure Public Cloud' | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.E2E_AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }} | |
| # Note (chenyu1): | |
| # | |
| # After a recent update, GitHub Actions has set the GitHub ID token expiration time | |
| # to 5 minutes for security reasons; as most of our E2E steps cannot finish within | |
| # the time range, expiration errors will occur. | |
| # | |
| # As a temporary mitigation, we will add a step to fetch token periodically (every | |
| # 4 minutes) to be exact. | |
| # | |
| # This should no longer be necessary after the Azure CLI supports ID token refresh. | |
| - name: Fetch token every 4 minutes | |
| run: | | |
| while true; do | |
| # $ACTIONS_ID_TOKEN_REQUEST_TOKEN and $ACTIONS_ID_TOKEN_REQUEST_URL env vars are provided by | |
| # GitHub Actions automatically. | |
| REQUEST_TOKEN=$ACTIONS_ID_TOKEN_REQUEST_TOKEN | |
| REQUEST_URI=$ACTIONS_ID_TOKEN_REQUEST_URL | |
| FED_TOKEN=$(curl -H "Authorization: bearer $REQUEST_TOKEN" "${REQUEST_URI}&audience=api://AzureADTokenExchange" | jq .value -r) | |
| az login --service-principal -u ${{ secrets.E2E_AZURE_CLIENT_ID }} -t ${{ secrets.AZURE_TENANT_ID }} --federated-token $FED_TOKEN --output none | |
| sleep 240 | |
| done & | |
| - name: Setup e2e Environment | |
| run: | | |
| make e2e-setup | |
| env: | |
| AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }} | |
| AZURE_NETWORK_SETTING: ${{ matrix.network-setting }} | |
| AZURE_RESOURCE_GROUP: ${{ env.AZURE_RESOURCE_GROUP }} | |
| - name: Run e2e tests | |
| run: | | |
| make e2e-tests | |
| env: | |
| AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }} | |
| AZURE_NETWORK_SETTING: ${{ matrix.network-setting }} | |
| AZURE_RESOURCE_GROUP: ${{ env.AZURE_RESOURCE_GROUP }} | |
| - name: Cleanup e2e | |
| if: always() | |
| run: | | |
| make e2e-cleanup | |
| env: | |
| AZURE_CLIENT_ID: ${{ secrets.E2E_AZURE_CLIENT_ID}} | |
| AZURE_CLIENT_SECRET: ${{ secrets.E2E_AZURE_CLIENT_SECRET }} | |
| AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| AZURE_RESOURCE_GROUP: ${{ env.AZURE_RESOURCE_GROUP }} |