-
Notifications
You must be signed in to change notification settings - Fork 13
133 lines (118 loc) · 6.22 KB
/
pr-container-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: PR Build operator, bundle, and catalog images
on:
# /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below
# may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
# As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets,
# we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment
# will prevent the job from running until it's approved manually by human intervention.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
branches:
- main
- rhdh-1.[0-9]+
- 1.[0-9]+.x
- release-1.[0-9]+
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
cancel-in-progress: true
env:
REGISTRY: quay.io
jobs:
authorize:
# The 'external' environment is configured with the odo-maintainers team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
# see list of approvers in OWNERS file
environment:
${{ (github.event.pull_request.head.repo.full_name == github.repository ||
contains(fromJSON('["coreydaley","gazarenkov","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: approved
run: |
echo "✓"
pr-build:
name: PR Publish
runs-on: ubuntu-latest
needs: authorize
permissions:
contents: read
packages: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
# check changes in this commit for regex include and exclude matches; pipe to an env var
- name: Check for changes to build
run: |
# don't fail if nothing returned by grep
set +e
CHANGES="$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | \
grep -E "workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go|docker/|\.dockerignore" | \
grep -v -E ".+_test.go|/.rhdh/")";
echo "Changed files for this commit:"
echo "=============================="
echo "$CHANGES"
echo "=============================="
{
echo 'CHANGES<<EOF'
echo $CHANGES
echo EOF
} >> "$GITHUB_ENV"
- name: Setup Go
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
with:
go-version-file: 'go.mod'
- name: Get the last commit short SHA of the PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }})
echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //") # 0.0.1
echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV
- name: Login to quay.io
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ vars.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Build and push operator, bundle, and catalog images
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
# install skopeo, podman
sudo apt-get -y update; sudo apt-get -y install skopeo podman
export CONTAINER_TOOL=podman
export VERSION=${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
set -ex
# build 4 container images with a 14d expiry
CONTAINER_TOOL=${CONTAINER_TOOL} VERSION=${VERSION} make lint release-build
# now copy images from local cache to quay, using 0.0.1-pr-123-f00cafe and 0.0.1-pr-123 tags
for image in operator operator-bundle operator-catalog; do
podman push -q quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION}
skopeo --insecure-policy copy --all docker://quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION}
skopeo --insecure-policy copy --all docker://quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION%-*}
done
env:
# to avoid throttling on RHD org, use GH token
GH_TOKEN: ${{ secrets.RHDH_BOT_TOKEN }}
- name: Comment image links in PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
with:
script: |
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: 'PR images are available:<br/><ol><li>https://quay.io/rhdh-community/operator:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-bundle:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-catalog:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li></ol>'
})