diff --git a/.github/mergify.yml b/.github/mergify.yml index 9150104a6..90993d9d8 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml @@ -1,27 +1,41 @@ +# The `check-success` should be specifying the final job in the CI workflow assuming it depends +# directly or indirectly on all other jobs passing. + +shared: + # Rules applicable to both queueing and merge requests. + compulsory: &compulsory + + # Ensure the minimal CI checks have passed. + - check-success=DCO + - check-success=Package + + # Ensure we're targetting the default branch. + - base=main + + # Ensure we have adequete reviews. + - "#approved-reviews-by>=1" + - "#changes-requested-reviews-by=0" + + # Ensure we aren't being explicitly blocked with a label. + - label!=do-not-merge + queue_rules: - name: default conditions: - # Conditions to get out of the queue (= merged) - - check-success=DCO - - check-success~=docker-images.*tink-server - - check-success~=docker-images.*tink-worker + - and: *compulsory + pull_request_rules: - - name: Automatic merge on approval + - name: Automatic merge conditions: - - base=main - - "#approved-reviews-by>=1" - - "#changes-requested-reviews-by=0" - - "#review-requested=0" - - check-success=DCO - - check-success~=docker-images.*tink-server - - check-success~=docker-images.*tink-worker - - check-success=crosscompile - - label!=do-not-merge + - and: *compulsory + + # Ensure the review is opted in using labels. - label=ready-to-merge + actions: queue: - method: merge name: default + method: merge commit_message_template: | {{ title }} (#{{ number }}) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c2c62544c..f5dde5e69 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,4 +1,4 @@ -name: For each commit and PR +name: Tink on: push: branches: 
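Review bot: `check-success=Package` in the shared `compulsory` list is an exact-name match, but the `package` job in ci.yaml (same commit) runs under `strategy.matrix`, and GitHub normally reports one check per matrix combination with the matrix values appended to the job name, so this condition may never match a real check-run. Confirm the reported check names on a PR; if they carry a suffix, either gate per image with the regex form the old rules used, e.g. `- check-success~=Package.*tink-server`, or add a final non-matrix job with `needs: [package]` and require that one. The rewrite also drops `"#review-requested=0"` and `check-success=crosscompile`, so a PR can now be queued while a requested review is still outstanding; state in the commit message whether that is intended. The new comments contain two typos: `targetting` should be `targeting` and `adequete` should be `adequate`.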
@@ -8,80 +8,72 @@ on: pull_request: env: CGO_ENABLED: 0 + GO_VERSION: 1.18 jobs: verify: + name: Verify runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-go@v3 with: - go-version: "1.18.5" - - name: make verify - run: make verify + go-version: "${{ env.GO_VERSION }}" + - run: make verify test: + name: Test runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-go@v3 with: - go-version: "1.18.5" + go-version: "${{ env.GO_VERSION }}" - name: Install nix uses: cachix/install-nix-action@v16 with: nix_path: nixpkgs=channel:nixos-unstable - - name: Fetch Nix Packages + - name: Install required nix packages run: nix-shell --run 'true' - - name: Generate - run: nix-shell --run 'make generate' - - name: go test - run: make test - - name: upload codecov + - run: make test + - name: Upload codecov run: bash <(curl -s https://codecov.io/bash) - ci-checks: + checks: + name: CI Checks runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Install nix uses: cachix/install-nix-action@v16 with: nix_path: nixpkgs=channel:nixos-unstable - - name: Fetch Nix Packages - run: nix-shell --run 'true' + - run: nix-shell --run 'true' - run: PATH=$PWD/bin/:$PATH ./ci-checks.sh # We preemptively build the binaries for efficiency instead of waiting on unit tests to pass # hence this doesn't depend on anything. 
- crosscompile: + build: + name: Build runs-on: ubuntu-latest strategy: matrix: platform: [amd64, arm64] steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-go@v3 with: - go-version: "1.18.5" + go-version: "${{ env.GO_VERSION }}" - name: Build linux/${{ matrix.platform }} - run: | - make build -j$(nproc) GOOS=linux GOARCH=${{ matrix.platform }} - - name: Upload binaries - uses: actions/upload-artifact@v2 + run: make build -j$(nproc) GOOS=linux GOARCH=${{ matrix.platform }} + - uses: actions/upload-artifact@v3 with: name: binaries path: bin/* - docker-images: + package: + name: Package runs-on: ubuntu-latest needs: - verify - test - - ci-checks - - crosscompile + - checks + - build strategy: matrix: include: 
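Review bot: The `Upload codecov` step renamed in the `test` job still runs `bash <(curl -s https://codecov.io/bash)`, which executes whatever that URL serves at build time with no integrity check, in a job that holds the checked-out source and (by default) the checkout's persisted token. Codecov has deprecated the bash uploader, so prefer the maintained action pinned to a commit, `uses: codecov/codecov-action@<full-commit-sha>`, or download the uploader and verify its published checksum before executing it. Separately, `GO_VERSION: 1.18` at the top of the hunk is an unquoted YAML float: it survives as `1.18` today, but a later bump to `1.20` would be read as `1.2`, so write `GO_VERSION: "1.18"`. The change from `"1.18.5"` to `1.18` also lets the patch release float, which is fine for picking up fixes but means builds are no longer reproducible from the workflow alone.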
@@ -92,36 +84,32 @@ jobs: - repository: quay.io/tinkerbell/tink-controller binary: tink-controller steps: - - name: Docker Image Tag for Sha + - name: Create docker image tags id: docker-image-tag - run: | - echo ::set-output name=tags::${{ matrix.repository }}:latest,${{ matrix.repository }}:sha-${GITHUB_SHA::8} - - name: Checkout code - uses: actions/checkout@v2 + run: echo ::set-output name=tags::${{ matrix.repository }}:latest,${{ matrix.repository }}:sha-${GITHUB_SHA::8} + - uses: actions/checkout@v3 - name: Login to quay.io - uses: docker/login-action@v1 + uses: docker/login-action@v2 if: ${{ startsWith(github.ref, 'refs/heads/main') }} with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + # - name: Set up QEMU + # uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Download binaries + uses: docker/setup-buildx-action@v2 + - name: Download all binaries uses: actions/download-artifact@v2 with: name: binaries path: ./bin - - run: | - ls -l . - ls -l bin/ - file bin/ - - name: Fix Permissions + # Artifact upload doesn't preserve permissions so we need to fix them before use in + # the Dockerfiles. + - name: Fix permissions run: chmod +x bin/* - - name: ${{ matrix.repository }} - uses: docker/build-push-action@v2 + - name: Build ${{ matrix.repository }} and push + uses: docker/build-push-action@v3 with: context: . file: cmd/${{ matrix.binary }}/Dockerfile diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index b9ebfdcad..378fa7d67 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -2,7 +2,7 @@ on: push: tags: - "v*" -name: Create release +name: Release env: REGISTRY: quay.io IMAGE_NAME: ${{ github.repository }} 
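Review bot: The `Login to quay.io` step passes `secrets.QUAY_USERNAME` and `secrets.QUAY_PASSWORD` to `docker/login-action@v2`, and the other actions bumped in this job (`docker/setup-buildx-action@v2`, `docker/build-push-action@v3`) run alongside it, all referenced by mutable major tags. If one of those tags is moved, new code runs with the registry credentials in reach; pin each to a full commit SHA and keep the version in a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v2`. The same applies to `docker/metadata-action@v4` in tags.yaml, which this commit additionally hands `secrets.GITHUB_TOKEN`, and to the `actions/*@v3` bumps in the earlier ci.yaml hunk. The now commented-out `Set up QEMU` step should either be deleted or carry a one-line comment saying why it is disabled, since a reader cannot tell whether multi-arch emulation is still expected by the Dockerfiles.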
@@ -10,9 +10,8 @@ jobs: release: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Generate Release Notes + - uses: actions/checkout@v3 + - name: Generate release notes run: | release_notes=$(gh api repos/{owner}/{repo}/releases/generate-notes -F tag_name=${{ github.ref }} --jq .body) echo 'RELEASE_NOTES<> $GITHUB_ENV 
@@ -22,39 +21,38 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} OWNER: ${{ github.repository_owner }} REPO: ${{ github.event.repository.name }} - - name: Docker manager metadata + - name: Generate Docker image metadata id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: latest=false tags: type=ref,event=tag - - name: Set the from image tag + github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Set the FROM_TAG variable run: echo "FROM_TAG=sha-${GITHUB_SHA::8}" >> $GITHUB_ENV - # This is for tink server. quay.io/tinkerbell/tink - - name: Copy the image using skopeo + - name: Create tink-server image run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}" env: SRC_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.FROM_TAG }} DST_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} DST_REG_USER: ${{ secrets.QUAY_USERNAME }} DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }} - - name: Copy the tink-controller image using skopeo + - name: Create tink-controller image run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}" env: SRC_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-controller:${{ env.FROM_TAG }} DST_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-controller:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} DST_REG_USER: ${{ secrets.QUAY_USERNAME }} DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }} - - name: Copy the tink-worker image using skopeo + - name: Create tink-worker image run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}" env: SRC_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-worker:${{ env.FROM_TAG }} DST_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-worker:${{ 
fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} DST_REG_USER: ${{ secrets.QUAY_USERNAME }} DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }} - - name: Create Release - id: create_release + - name: Create release uses: actions/create-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.yamlfmt b/.yamlfmt new file mode 100644 index 000000000..d6e3fb54c --- /dev/null +++ b/.yamlfmt @@ -0,0 +1,2 @@ +exclude: + - .github/**
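Review bot: Removing `id: create_release` from the `Create release` step is only safe if nothing later in the job reads `steps.create_release.outputs.*` (an asset-upload step using `upload_url` is the usual consumer); the rest of the job lies outside this hunk, so check it, because a reference to a missing step id typically evaluates to an empty string instead of failing the workflow. Since the step is being touched anyway, note that `actions/create-release@v1` is an archived action that no longer receives fixes; the workflow already calls `gh`, so `gh release create "$GITHUB_REF_NAME" --notes "$RELEASE_NOTES"` would remove that dependency. The three renamed skopeo steps also pass the registry password on the command line via `--dest-creds`; a `skopeo login --password-stdin` step beforehand would keep it out of the process arguments.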