overlay profiles: Fix a couple of issues with SLSA provenance stuff #699
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "PR command build dispatcher" | |
on: | |
issue_comment: | |
types: [created] | |
permissions: | |
pull-requests: write | |
concurrency: | |
group: ${{ github.workflow }}-pr-command-${{ github.event.issue.pull_request.number }} | |
cancel-in-progress: true | |
jobs: | |
run_pre_checks: | |
# Only run if this is a PR comment that contains a valid command | |
if: ${{ github.event.issue.pull_request }} && ( contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk')) | |
name: Check if commenter is in the Flatcar maintainers team | |
outputs: | |
maintainers: steps.step1.output.maintainers | |
sdk_changes: ${{ steps.step3.outputs.sdk_changes }} | |
runs-on: | |
- ubuntu-latest | |
steps: | |
- name: Fetch members of the maintainers team | |
id: step1 | |
env: | |
requester: ${{ github.event.comment.user.login }} | |
shell: bash | |
run: | | |
set -euo pipefail | |
curl --fail --show-error -L --silent \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GH_ACTIONS_ORG_READ }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/orgs/flatcar/teams/flatcar-maintainers/members \ | |
| jq -r '.[].login' > maintainers.txt | |
echo "Current members of the maintainers team:" | |
cat maintainers.txt | |
res=false | |
echo "Checking for membership of '${{ env.requester }}'" | |
if grep -qE "^${{ env.requester }}$" maintainers.txt ; then | |
echo "Succeeded." | |
res=true | |
else | |
echo "FAILED: '${{ env.requester }} is not a member of the Flatcar maintainers team." | |
fi | |
$res | |
- name: Set outputs | |
id: step2 | |
shell: bash | |
run: | | |
echo "sdk_changes=${{ contains(github.event.comment.body, '/update-sdk') }}" >> $GITHUB_OUTPUT | |
- name: Post a link to the workflow run to the PR | |
id: step3 | |
uses: mshick/add-pr-comment@v2 | |
with: | |
issue: ${{ github.event.issue.pull_request.number }} | |
message: "Build action triggered: [${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" | |
update_sdk: | |
needs: run_pre_checks | |
if: needs.run_pre_checks.result == 'success' && needs.run_pre_checks.outputs.sdk_changes == 'true' | |
name: "Build an updated SDK container" | |
# SDK build needs access to bincache ssh secret | |
secrets: inherit | |
uses: ./.github/workflows/update-sdk.yaml | |
build_image: | |
needs: [ run_pre_checks, update_sdk ] | |
if: (always() && ! cancelled()) && needs.run_pre_checks.result == 'success' && needs.update_sdk.result != 'failure' && contains(github.event.comment.body, '/build-image') | |
name: "Build the OS image" | |
uses: ./.github/workflows/ci.yaml | |
with: | |
custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }} | |
image_formats: qemu_uefi |