intel
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 14 additions & 127 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 14 additions & 127 deletions
diff --git a/‎.github/workflows/devel.yaml‎
Lines changed: 37 additions & 0 deletions b/‎.github/workflows/devel.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/workflows/e2e.yaml‎
Lines changed: 12 additions & 0 deletions b/‎.github/workflows/e2e.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.github/workflows/lib-build.yaml‎
Lines changed: 51 additions & 0 deletions b/‎.github/workflows/lib-build.yaml‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎.github/workflows/e2e.yml‎ renamed to ‎.github/workflows/lib-e2e.yaml‎
Lines changed: 1 addition & 11 deletions b/‎.github/workflows/e2e.yml‎ renamed to ‎.github/workflows/lib-e2e.yaml‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎.github/workflows/lib-publish.yaml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/lib-publish.yaml‎
Lines changed: 61 additions & 0 deletions
@@ -2,142 +2,29 @@ name: CI
 on:
   push:
     branches:
-      - main
       - 'release-*'
   pull_request:
     branches:
       - main
       - 'release-*'
-env:
-  K8S_VERSION: 1.27.1
 permissions:
   contents: read
+  pull-requests: read
 
 jobs:
+  trivy:
+    uses: "./.github/workflows/lib-trivy.yaml"
 
-  docs:
-    name: Check docs are buildable
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Install dependencies
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y python3-venv
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - name: Set up doc directory
-      run: |
-        mkdir $HOME/output
-        touch $HOME/output/.nojekyll
-    - name: Build latest
-      run: |
-        GITHUB_SHA=$(git rev-parse HEAD)
-        export GITHUB_SHA
-        rm -rf _work/venv
-        make vhtml
-        mv _build/html/* $HOME/output/
-
-  golangci:
-    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
-    name: lint
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.52.1
-          args: -v --timeout 5m
+  validate:
+    uses: "./.github/workflows/lib-validate.yaml"
 
   build:
-    name: Build and check device plugins
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Check Dockerfiles
-        run: make check-dockerfiles
-      - run: make go-mod-tidy
-      - run: make BUILDTAGS=kerneldrv
-      - run: make test BUILDTAGS=kerneldrv
-      - name: Install envtest tool and run envtest
-        run: |
-          go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
-          setup-envtest use ${K8S_VERSION}
-      - run: |
-          KUBEBUILDER_ASSETS=$(setup-envtest use -i -p path ${K8S_VERSION}) make envtest
-      - run: make check-github-actions
-      - name: Codecov report
-        run: bash <(curl -s https://codecov.io/bash)
-
-  image:
-    name: Build image
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        image:
-          - intel-fpga-admissionwebhook
-          - intel-fpga-initcontainer
-          - intel-gpu-fakedev
-          - intel-gpu-initcontainer
-          - intel-gpu-plugin
-          - intel-fpga-plugin
-          - intel-qat-initcontainer
-          - intel-qat-plugin
-          - intel-qat-plugin-kerneldrv
-          - intel-deviceplugin-operator
-          - intel-sgx-admissionwebhook
-          - intel-sgx-plugin
-          - intel-sgx-initcontainer
-          - intel-dsa-plugin
-          - intel-iaa-plugin
-          - intel-idxd-config-initcontainer
-          - intel-dlb-plugin
-          - intel-dlb-initcontainer
-          - intel-xpumanager-sidecar
-
-          # Demo images
-          - crypto-perf
-          - accel-config-demo
-          - intel-opencl-icd
-          - opae-nlb-demo
-          - openssl-qat-engine
-          - sgx-sdk-demo
-          - sgx-aesmd-demo
-          - dlb-dpdk-demo
-          - dlb-libdlb-demo
-        builder: [buildah, docker]
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
-      - run: make -e vendor
-      - name: Build image
-        env:
-          IMAGE_NAME: ${{ matrix.image }}
-          BUILDER_NAME: ${{ matrix.builder }}
-        run: |
-          make ${IMAGE_NAME} BUILDER=${BUILDER_NAME}
-
-  terrascan:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-    - name: Install terrascan
-      run: |
-        curl -sL "$(curl -sL https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
-        tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
-        install terrascan /usr/local/bin && rm terrascan
-    - name: Run Terrascan
-      run: make terrascan
-
+    needs:
+      - trivy
+      - validate
+    uses: "./.github/workflows/lib-build.yaml"
+
+  e2e:
+    needs:
+      - build
+    uses: "./.github/workflows/lib-e2e.yaml"
@@ -0,0 +1,37 @@
+name: Devel
+on:
+  push:
+    branches:
+      - main
+permissions:
+  contents: read
+  pull-requests: read
+  security-events: write
+
+jobs:
+  trivy:
+    uses: "./.github/workflows/lib-trivy.yaml"
+    with:
+      upload-to-github-security-tab: true
+
+  validate:
+    uses: "./.github/workflows/lib-validate.yaml"
+
+  build:
+    needs:
+      - validate
+      - trivy
+    uses: "./.github/workflows/lib-build.yaml"
+
+  e2e:
+    needs:
+      - build
+    uses: "./.github/workflows/lib-e2e.yaml"
+
+  # devel image push
+  publish:
+    needs:
+      - e2e
+      - build
+    uses: "./.github/workflows/lib-publish.yaml"
+    secrets: inherit
@@ -0,0 +1,12 @@
+name: e2e
+on:
+  schedule:
+    - cron: '0 4 * * *'
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  e2e:
+    uses: "./.github/workflows/lib-e2e.yaml"
@@ -0,0 +1,51 @@
+name: build
+on:
+  workflow_call:
+jobs:
+  image:
+    name: Build image
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        image:
+          - intel-fpga-admissionwebhook
+          - intel-fpga-initcontainer
+          - intel-gpu-fakedev
+          - intel-gpu-initcontainer
+          - intel-gpu-plugin
+          - intel-fpga-plugin
+          - intel-qat-initcontainer
+          - intel-qat-plugin
+          - intel-qat-plugin-kerneldrv
+          - intel-deviceplugin-operator
+          - intel-sgx-admissionwebhook
+          - intel-sgx-plugin
+          - intel-sgx-initcontainer
+          - intel-dsa-plugin
+          - intel-iaa-plugin
+          - intel-idxd-config-initcontainer
+          - intel-dlb-plugin
+          - intel-dlb-initcontainer
+          - intel-xpumanager-sidecar
+
+          # # Demo images
+          - crypto-perf
+          - accel-config-demo
+          - intel-opencl-icd
+          - opae-nlb-demo
+          - openssl-qat-engine
+          - sgx-sdk-demo
+          - sgx-aesmd-demo
+          - dlb-dpdk-demo
+          - dlb-libdlb-demo
+        builder: [buildah, docker]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+      - run: make -e vendor
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ matrix.image }}
+          BUILDER_NAME: ${{ matrix.builder }}
+        run: |
+          make ${IMAGE_NAME} BUILDER=${BUILDER_NAME}
@@ -1,16 +1,6 @@
 name: e2e
 on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 4 * * *'
-  pull_request:
-    branches:
-      - main
-      - 'release-*'
-  push:
-    branches:
-      - main
-      - 'release-*'
+  workflow_call:
 
 permissions:
   contents: read
 
@@ -0,0 +1,61 @@
+name: publish
+on:
+  workflow_call:
+    inputs:
+      image_tag:
+        default: "devel"
+        required: false
+        type: string
+jobs:
+  image:
+    name: Build image
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        image:
+          - intel-fpga-admissionwebhook
+          - intel-fpga-initcontainer
+          - intel-gpu-initcontainer
+          - intel-gpu-plugin
+          - intel-fpga-plugin
+          - intel-qat-initcontainer
+          - intel-qat-plugin
+          - intel-qat-plugin-kerneldrv
+          - intel-deviceplugin-operator
+          - intel-sgx-admissionwebhook
+          - intel-sgx-plugin
+          - intel-sgx-initcontainer
+          - intel-dsa-plugin
+          - intel-iaa-plugin
+          - intel-idxd-config-initcontainer
+          - intel-dlb-plugin
+          - intel-dlb-initcontainer
+          - intel-xpumanager-sidecar
+
+          # # Demo images
+          - crypto-perf
+          - opae-nlb-demo
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+      - run: make -e vendor
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ matrix.image }}
+        run: |
+          REG=intel/ make ${IMAGE_NAME} BUILDER=docker
+      - name: Trivy scan for image
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
+          exit-code: 1
+      - name: Test image base layer
+        run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
+      - name: Login
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASS }}
+      - name: Push
+        run: docker push intel/${{ matrix.image }}:${{ inputs.image_tag }}