allow ci flow to be called from Actions tab #5103

Merged
merged 14 commits into from
Feb 19, 2024
Merged
20 changes: 10 additions & 10 deletions .github/workflows/build-oss.yml
Expand Up @@ -15,7 +15,7 @@ on:
tag:
required: false
type: string
build-cache:
publish-image:
required: false
type: boolean

Expand Down Expand Up @@ -54,7 +54,7 @@ jobs:
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
if: ${{ inputs.publish-image }}

- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
Expand All @@ -64,36 +64,36 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to Public ECR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: public.ecr.aws
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to Quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Get short tag
id: tag
Expand Down Expand Up @@ -149,10 +149,10 @@ jobs:
annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
push: ${{ inputs.publish-image }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
no-cache: ${{ inputs.publish-image }}
sbom: ${{ inputs.publish-image }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
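Review bot: In the @@ -149 hunk, `push:`, `no-cache:` and `sbom:` now follow `inputs.publish-image`, but `annotations:`, `platforms:` and `load:` on the three context lines just above still use the old `github.event_name` / `release-` conditions, so the two gates can disagree once the workflow is dispatched manually: a run with publish-image=false on a non-release branch gets a multi-platform build with neither `load` nor `push`, and a run with publish-image=true from a `release-*` branch gets `load` and `push` both true, with `load` handed a multi-platform result that buildx will presumably reject. build-plus.yml in this same PR already switched those three keys, and the same lines here would be `annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}`, `platforms: ${{ inputs.publish-image && inputs.platforms || '' }}`, `load: ${{ ! inputs.publish-image }}`. The enclosing build step starts outside the hunk.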
30 changes: 15 additions & 15 deletions .github/workflows/build-plus.yml
Expand Up @@ -21,7 +21,7 @@ on:
release-url:
required: false
type: string
build-cache:
publish-image:
required: false
type: boolean

Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64,s390x
if: github.event_name != 'pull_request'
if: ${{ inputs.publish-image }}

- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
Expand All @@ -67,15 +67,15 @@ jobs:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: github.event_name != 'pull_request' && ! inputs.build-cache
if: ${{ inputs.publish-image }}

- name: Login to GCR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: github.event_name != 'pull_request' && ! inputs.build-cache
if: ${{ inputs.publish-image }}

- name: Authenticate to Google Cloud Marketplace
id: auth-mktpl
Expand Down Expand Up @@ -114,15 +114,15 @@ jobs:
script: |
let id_token = await core.getIDToken()
core.setOutput('id_token', id_token)
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to NGINX Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: docker-mgmt.nginx.com
username: ${{ steps.idtoken.outputs.id_token }}
password: ${{ github.actor }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Docker meta
id: meta
Expand Down Expand Up @@ -165,13 +165,13 @@ jobs:
target: ${{ inputs.target }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }}
annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
platforms: ${{ inputs.publish-image && inputs.platforms || '' }}
load: ${{ ! inputs.publish-image }}
push: ${{ inputs.publish-image }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
sbom: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ inputs.publish-image }}
sbom: ${{ inputs.publish-image }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
Expand Down Expand Up @@ -236,7 +236,7 @@ jobs:
"nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
Expand All @@ -246,14 +246,14 @@ jobs:
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
ignore-unfixed: "true"
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Upload Scan Results
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
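Review bot: The Trivy scan and the SARIF upload in the @@ -246 hunk (and the step whose `if:` closes the @@ -236 hunk) are now gated on `inputs.publish-image`, whereas the removed `! inputs.build-cache` condition ran them for every caller that did not set build-cache, which judging by the ci.yml hunks in this PR included pull-request runs; with ci.yml now passing publish-image=false for PRs, image vulnerability findings stop reaching the Security tab before merge. If the intent is only to skip scanning in cache-update.yml, the scan steps need a gate independent of publishing, for example `if: ${{ inputs.publish-image || github.event_name == 'pull_request' }}` or a dedicated `scan-image` input. Note that the build step's `load:` is now `! inputs.publish-image`, so the locally built image (presumably what Trivy scans; its `image-ref` is outside the hunk) exists exactly in the runs that now skip the scan.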
6 changes: 3 additions & 3 deletions .github/workflows/cache-update.yml
Expand Up @@ -87,7 +87,7 @@ jobs:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
build-cache: true
publish-image: false
permissions:
contents: read
actions: read
Expand Down Expand Up @@ -116,7 +116,7 @@ jobs:
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
release-url: ${{ needs.release-notes.outputs.release-url }}
build-cache: true
publish-image: false
permissions:
contents: read
security-events: write
Expand Down Expand Up @@ -170,7 +170,7 @@ jobs:
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
nap_modules: ${{ matrix.nap_modules }}
release-url: ${{ needs.release-notes.outputs.release-url }}
build-cache: true
publish-image: false
permissions:
contents: read
security-events: write
28 changes: 22 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -13,6 +13,12 @@ on:
- release-*
schedule:
- cron: "0 4 * * *" # run every day at 04:00 UTC
workflow_dispatch:
inputs:
publish-image:
description: Publish of the generated images
type: boolean
default: false

defaults:
run:
Expand All @@ -37,6 +43,7 @@ jobs:
chart_version: ${{ steps.vars.outputs.chart_version }}
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
ic_version: ${{ steps.vars.outputs.ic_version }}
publish-images: ${{ steps.vars.outputs.publish }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down Expand Up @@ -76,6 +83,13 @@ jobs:
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
publish=false
if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then
publish=true
elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then
publish=true
fi
echo "publish=$publish" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Fetch Cached Binary Artifacts
Expand Down Expand Up @@ -413,13 +427,13 @@ jobs:
build-docker:
name: Build Docker OSS
needs: [checks, smoke-tests]
needs: [checks, smoke-results]
strategy:
fail-fast: false
matrix:
image: [debian, alpine]
platforms:
["linux/arm", "linux/arm64, linux/amd64, linux/ppc64le", "linux/s390x"]
["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
include:
- image: ubi
platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
Expand All @@ -428,6 +442,7 @@ jobs:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
actions: read
Expand All @@ -438,7 +453,7 @@ jobs:

build-docker-plus:
name: Build Docker Plus
needs: [checks, build-docker, release-notes]
needs: [checks, smoke-results, release-notes]
strategy:
fail-fast: false
matrix:
Expand All @@ -456,6 +471,7 @@ jobs:
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
release-url: ${{ needs.release-notes.outputs.release-url }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
security-events: write
Expand All @@ -464,7 +480,7 @@ jobs:

build-docker-nap:
name: Build Docker NAP
needs: [checks, build-docker-plus, release-notes]
needs: [checks, smoke-results, release-notes]
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -501,7 +517,6 @@ jobs:
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf

uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
Expand All @@ -510,6 +525,7 @@ jobs:
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
nap_modules: ${{ matrix.nap_modules }}
release-url: ${{ needs.release-notes.outputs.release-url }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
security-events: write
Expand Down Expand Up @@ -604,7 +620,7 @@ jobs:
gcp-marketplace:
name: Trigger PR for GCP Marketplace
runs-on: ubuntu-22.04
needs: [checks, publish-helm]
needs: [checks, build-docker-plus, build-docker-nap]
steps:
- name:
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
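Review bot: In the `publish=` block of the @@ -76 hunk, the dispatch branch `github.event_name == 'workflow_dispatch' && inputs.publish-image` carries none of the guards the automatic branch keeps, so a manual run from any ref — including a `release-*` branch, which the old conditions in build-oss.yml explicitly excluded — pushes to every registry with tags derived from that ref. If that is not intended, fold the ref check into the dispatch branch as well, e.g. `if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image && ! startsWith(github.ref, 'refs/heads/release-') }}; then`, or restrict publishing dispatches to the default branch. Two smaller points: the input description `Publish of the generated images` reads better as `Publish the generated images`, and the job output is named `publish-images` while the input it feeds everywhere else is `publish-image`. The `vars` step this run block belongs to starts outside the hunk.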