-
Notifications
You must be signed in to change notification settings - Fork 15
143 lines (127 loc) · 6.57 KB
/
pr-container-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# Copyright 2023 The Janus IDP Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: PR Build operator, bundle, and catalog images
on:
# /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below
# may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
# As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets,
# we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment
# will prevent the job from running until it's approved manually by human intervention.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
branches:
- main
- rhdh-1.[0-9]+
- 1.[0-9]+.x
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
cancel-in-progress: true
env:
REGISTRY: quay.io
jobs:
authorize:
# The 'external' environment is configured with the odo-maintainers team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
# see list of approvers in OWNERS file
environment:
${{ (github.event.pull_request.head.repo.full_name == github.repository ||
contains(fromJSON('["coreydaley","gazarenkov","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: approved
run: |
echo "✓"
pr-build:
name: PR Publish
runs-on: ubuntu-latest
needs: authorize
permissions:
contents: read
packages: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
# check changes in this commit for regex include and exclude matches; pipe to an env var
- name: Check for changes to build
run: |
# don't fail if nothing returned by grep
set +e
CHANGES="$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | \
grep -E "workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go|docker/|\.dockerignore" | \
grep -v -E ".+_test.go|/.rhdh/")";
echo "Changed files for this commit:"
echo "=============================="
echo "$CHANGES"
echo "=============================="
{
echo 'CHANGES<<EOF'
echo $CHANGES
echo EOF
} >> "$GITHUB_ENV"
- name: Setup Go
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
with:
go-version-file: 'go.mod'
- name: Get the last commit short SHA of the PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }})
echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //") # 0.0.1
echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV
- name: Login to quay.io
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ vars.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Build and push operator, bundle, and catalog images
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
# install skopeo, podman
sudo apt-get -y update; sudo apt-get -y install skopeo podman
export CONTAINER_ENGINE=podman
export VERSION=${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
set -ex
# build 3 container images with a 14d expiry
CONTAINER_ENGINE=${CONTAINER_ENGINE} VERSION=${VERSION} make lint release-build
# now copy images from local cache to quay, using 0.0.1-pr-123-f00cafe and 0.0.1-pr-123 tags
for image in operator operator-bundle operator-catalog; do
podman push quay.io/janus-idp/${image}:${VERSION} -q
skopeo --insecure-policy copy --all docker://quay.io/janus-idp/${image}:${VERSION} docker://quay.io/janus-idp/${image}:${VERSION}
skopeo --insecure-policy copy --all docker://quay.io/janus-idp/${image}:${VERSION} docker://quay.io/janus-idp/${image}:${VERSION%-*}
done
- name: Comment image links in PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
with:
script: |
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: 'PR images are available:<br/><ol><li>https://quay.io/janus-idp/operator:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/janus-idp/operator-bundle:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/janus-idp/operator-catalog:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li></ol>'
})