chore(deps): update github/codeql-action digest to b6a472f (main) #1327
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Build operator, bundle, and catalog images | |
| on: | |
| # /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below | |
| # may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets. | |
| # As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets, | |
| # we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment | |
| # will prevent the job from running until it's approved manually by human intervention. | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| branches: | |
| - main | |
| - rhdh-1.[0-9]+ | |
| - 1.[0-9]+.x | |
| - release-1.[0-9]+ | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }} | |
| cancel-in-progress: true | |
| env: | |
| REGISTRY: ${{ vars.REGISTRY }} | |
| jobs: | |
| authorize: | |
| # The 'external' environment is configured with the odo-maintainers team as required reviewers. | |
| # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks. | |
| # see list of approvers in OWNERS file | |
| environment: | |
| ${{ (github.event.pull_request.head.repo.full_name == github.repository || | |
| contains(fromJSON('["coreydaley","gazarenkov","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: approved | |
| run: | | |
| echo "✓" | |
| pr-build: | |
| name: PR Publish | |
| runs-on: ubuntu-latest | |
| needs: authorize | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| repository: ${{github.event.pull_request.head.repo.full_name}} | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| # check changes in this commit for regex include and exclude matches | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6 | |
| with: | |
| files: | | |
| .github/workflows/pr-container-build.yaml | |
| Makefile | |
| **/*.go | |
| bundle/** | |
| config/** | |
| go.mod | |
| go.sum | |
| LICENSE | |
| **/Dockerfile | |
| **/Containerfile | |
| **/*.Dockerfile | |
| **/.dockerignore | |
| files_ignore: | | |
| **/*.md | |
| **/*.adoc | |
| .rhdh/** | |
| tests/** | |
| - name: List all changed files (for troubleshooting) | |
| env: | |
| ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
| run: | | |
| for file in ${ALL_CHANGED_FILES}; do | |
| echo "$file was changed" | |
| done | |
| - name: Setup Go | |
| # run this stage only if there are changes that match the includes and not the excludes | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Get the last commit short SHA of the PR | |
| # run this stage only if there are changes that match the includes and not the excludes | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| run: | | |
| SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }}) | |
| echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV | |
| BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //") # 0.0.1 | |
| echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV | |
| - name: Login to registry (${{env.REGISTRY}}) | |
| # run this stage only if there are changes that match the includes and not the excludes | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ vars.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| - name: Build and push operator, bundle, and catalog images | |
| # run this stage only if there are changes that match the includes and not the excludes | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| run: | | |
| # install skopeo, podman | |
| sudo apt-get -y update; sudo apt-get -y install skopeo podman | |
| export CONTAINER_TOOL=podman | |
| export VERSION=${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }} | |
| export REGISTRY_WITH_ORG=${{ env.REGISTRY }}/${{ env.REGISTRY_ORG }} | |
| export OPERATOR_IMAGE_NAME=${OPERATOR_IMAGE_NAME:-operator} | |
| export IMAGE_TAG_BASE=${REGISTRY_WITH_ORG}/${OPERATOR_IMAGE_NAME} | |
| set -ex | |
| # build 4 container images with a 14d expiry | |
| CONTAINER_TOOL=${CONTAINER_TOOL} VERSION=${VERSION} make lint release-build | |
| # now copy images from local cache to quay, using 0.0.1-pr-123-f00cafe and 0.0.1-pr-123 tags | |
| for image in ${OPERATOR_IMAGE_NAME} ${OPERATOR_IMAGE_NAME}-bundle ${OPERATOR_IMAGE_NAME}-catalog; do | |
| podman push -q ${REGISTRY_WITH_ORG}/${image}:${VERSION} docker://${REGISTRY_WITH_ORG}/${image}:${VERSION} | |
| skopeo --insecure-policy copy --all docker://${REGISTRY_WITH_ORG}/${image}:${VERSION} docker://${REGISTRY_WITH_ORG}/${image}:${VERSION} | |
| skopeo --insecure-policy copy --all docker://${REGISTRY_WITH_ORG}/${image}:${VERSION} docker://${REGISTRY_WITH_ORG}/${image}:${VERSION%-*} | |
| done | |
| env: | |
| REGISTRY_ORG: ${{ vars.REGISTRY_ORG }} | |
| OPERATOR_IMAGE_NAME: ${{ vars.OPERATOR_IMAGE_NAME }} | |
| # to avoid throttling on RHD org, use GH token | |
| GH_TOKEN: ${{ secrets.RHDH_BOT_TOKEN }} | |
| - name: Comment image links in PR | |
| # run this stage only if there are changes that match the includes and not the excludes | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 | |
| with: | |
| script: | | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'PR images are available:<br/><ol><li>https://quay.io/rhdh-community/operator:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-bundle:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-catalog:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li></ol>' | |
| }) |