Skip to content

overlay profiles: Fix a couple of issues with SLSA provenance stuff #699

overlay profiles: Fix a couple of issues with SLSA provenance stuff

overlay profiles: Fix a couple of issues with SLSA provenance stuff #699

name: "PR command build dispatcher"
on:
issue_comment:
types: [created]
permissions:
pull-requests: write
concurrency:
group: ${{ github.workflow }}-pr-command-${{ github.event.issue.pull_request.number }}
cancel-in-progress: true
jobs:
run_pre_checks:
# Only run if this is a PR comment that contains a valid command
if: ${{ github.event.issue.pull_request }} && ( contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk'))
name: Check if commenter is in the Flatcar maintainers team
outputs:
maintainers: steps.step1.output.maintainers
sdk_changes: ${{ steps.step3.outputs.sdk_changes }}
runs-on:
- ubuntu-latest
steps:
- name: Fetch members of the maintainers team
id: step1
env:
requester: ${{ github.event.comment.user.login }}
shell: bash
run: |
set -euo pipefail
curl --fail --show-error -L --silent \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GH_ACTIONS_ORG_READ }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/flatcar/teams/flatcar-maintainers/members \
| jq -r '.[].login' > maintainers.txt
echo "Current members of the maintainers team:"
cat maintainers.txt
res=false
echo "Checking for membership of '${{ env.requester }}'"
if grep -qE "^${{ env.requester }}$" maintainers.txt ; then
echo "Succeeded."
res=true
else
echo "FAILED: '${{ env.requester }} is not a member of the Flatcar maintainers team."
fi
$res
- name: Set outputs
id: step2
shell: bash
run: |
echo "sdk_changes=${{ contains(github.event.comment.body, '/update-sdk') }}" >> $GITHUB_OUTPUT
- name: Post a link to the workflow run to the PR
id: step3
uses: mshick/add-pr-comment@v2
with:
issue: ${{ github.event.issue.pull_request.number }}
message: "Build action triggered: [${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"
update_sdk:
needs: run_pre_checks
if: needs.run_pre_checks.result == 'success' && needs.run_pre_checks.outputs.sdk_changes == 'true'
name: "Build an updated SDK container"
# SDK build needs access to bincache ssh secret
secrets: inherit
uses: ./.github/workflows/update-sdk.yaml
build_image:
needs: [ run_pre_checks, update_sdk ]
if: (always() && ! cancelled()) && needs.run_pre_checks.result == 'success' && needs.update_sdk.result != 'failure' && contains(github.event.comment.body, '/build-image')
name: "Build the OS image"
uses: ./.github/workflows/ci.yaml
with:
custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }}
image_formats: qemu_uefi