refactor: use composite pr
rdash99 committed Jan 23, 2024
1 parent 83cfefc commit 87f6e0a
Showing 1 changed file with 16 additions and 260 deletions.
276 changes: 16 additions & 260 deletions .github/workflows/pr-and-release-container.yaml
Expand Up @@ -141,266 +141,22 @@ jobs:
labels: [ self-hosted, linux, x64 ]
group: heavy
steps:
- name: clone repo
uses: actions/checkout@v3
# changes
- name: detect changed files - pr
uses: dorny/paths-filter@v2
id: changes
with:
token: ${{ github.token }}
filters: ${{ inputs.filters }}

- name: annotate the ci run with changes
run: >-
echo "::notice title=Job: ${{ github.job }}::%0A
Changes: ${{ steps.changes.outputs.changes }}"
# setup
- name: install cosign
if: inputs.cosign-public-key != ''
uses: sigstore/cosign-installer@v3.1.2

- name: forward proxy settings
run: |
echo "HTTP_PROXY=$HTTP_PROXY" >> $GITHUB_ENV
echo "HTTPS_PROXY=$HTTPS_PROXY" >> $GITHUB_ENV
echo "NO_PROXY=$NO_PROXY" >> $GITHUB_ENV
- name: install buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
env.http_proxy=${{ env.HTTP_PROXY }}
env.https_proxy=${{ env.HTTPS_PROXY }}
"env.no_proxy='${{ env.NO_PROXY }}'"
- name: login to container registry
uses: docker/login-action@v2
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.registry-user }}
password: ${{ secrets.registry-token }}

- name: determine release
if: github.event_name == 'push'
uses: docker://ghcr.io/codfish/semantic-release-action:v2
id: semantic
env:
GITHUB_TOKEN: ${{ github.token }}
with:
dry_run: true
branches: ${{ inputs.release-branches }}
tag_format: ${{ inputs.release-tag-format }}
plugins: |-
[
['@semantic-release/commit-analyzer', {
"releaseRules": ${{ inputs.release-rules }},
}],
'@semantic-release/release-notes-generator',
['@semantic-release/github', {
"successComment": false,
"failTitle": false
}]
]
- name: annotate the ci run with release version output
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
run: >-
echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A
Next release will be version ${{ steps.semantic.outputs.release-version }}"
# rest of the owl
- name: pr container metadata
- name: pr
if: github.event_name == 'pull_request'
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ inputs.registry }}/${{ inputs.registry-repo }}
tags: |
type=ref,event=pr
- name: release container metadata
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ inputs.registry }}/${{ inputs.registry-repo }}
tags: |
type=raw,value=${{ inputs.registry-tag-prefix }}${{ steps.semantic.outputs.release-version }}${{ inputs.registry-tag-suffix }}
- name: build and push
uses: docker/build-push-action@v5
id: build
uses: ./.github/workflows/pr-container-composite.yaml
with:
file: ${{ inputs.build-file }}
context: ${{ inputs.build-context }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: true
github-token: ${{ github.token }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: true

- name: cosign image with key
if: inputs.cosign-public-key != ''
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
env:
COSIGN_PRIVATE_KEY: ${{ secrets.cosign-private-key }}
COSIGN_PASSWORD: ${{ secrets.cosign-password }}
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build.outputs.digest }}

- name: cosign verify image
if: inputs.cosign-public-key != ''
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build.outputs.digest }}
run: |
cosign verify --key env://COSIGN_PUBLIC_KEY "${TAGS}@${DIGEST}"
- name: annotate the ci run with pr container tags
if: github.event_name == 'pull_request'
run: >-
echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A
Pushed PR container assets!%0A
- %0A
docker pull ${{ steps.meta.outputs.tags }}%0A
${{ steps.build.outputs.digest }}"
- name: annotate the ci run with release candidate container tags
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
run: >-
echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A
Pushed release candidate container assets!%0A
- %0A
docker pull ${{ steps.meta.outputs.tags }}%0A
docker pull ${{ steps.build.outputs.digest }}"
- name: test
if: ${{ inputs.test-flags != '' || inputs.test-args != '' }}
run: |
docker run \
${{ inputs.test-flags }} \
${{ inputs.registry }}/${{ inputs.registry-repo }}@${{ steps.build.outputs.digest }} \
${{ inputs.test-args }}
- name: test condition
if: github.event_name == 'push'
run: |
echo 'Hello World'
- name: retag container
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
run: docker buildx imagetools create -t ${{ steps.meta.outputs.tags }} ${{ inputs.registry }}/${{ inputs.registry-repo }}@${{ steps.build.outputs.digest }}

- name: cosign image with key
if: steps.semantic.outputs.new-release-published == 'true' && inputs.cosign-public-key != '' && github.event_name == 'push'
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
env:
COSIGN_PRIVATE_KEY: ${{ secrets.cosign-private-key }}
COSIGN_PASSWORD: ${{ secrets.cosign-password }}
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build.outputs.digest }}

- name: cosign verify container
if: steps.semantic.outputs.new-release-published == 'true' && inputs.cosign-public-key != '' && github.event_name == 'push'
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
TAG: ${{ inputs.registry }}/${{ inputs.registry-repo }}
DIGEST: ${{ steps.build.outputs.digest }}
run: |
cosign verify --key env://COSIGN_PUBLIC_KEY "${TAG}@${DIGEST}"
- name: release
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
uses: actions/github-script@v6
id: release
env:
RELEASE_NOTES: |
${{ steps.semantic.outputs.release-notes }}
with:
retries: 3
github-token: ${{ github.token }}
script: |
github.rest.repos.createRelease({
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
tag_name: "${{ steps.semantic.outputs.git-tag }}",
target_commitish: "${{ github.sha }}",
body: process.env.RELEASE_NOTES,
name: "${{ steps.semantic.outputs.git-tag }}"
});
- name: annotate the ci run with release container tags
if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push'
run: >-
echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A
Pushed release container version ${{ steps.semantic.outputs.release-version }}!%0A
- %0A
docker pull ${{ env.RELEASE_TAG }}%0A
docker pull ${{ steps.build.outputs.digest }}"
- name: update slack thread failure
uses: archive/github-actions-slack@v2.7.0
continue-on-error: true
if: failure()
with:
slack-bot-user-oauth-access-token: ${{ secrets.slack-token }}
job-name: ${{ inputs.job-name }}
registry: ${{ inputs.registry }}
registry-user: ${{ inputs.registry-user }}
registry-repo: ${{ inputs.registry-repo }}
cosign-public-key: ${{ inputs.cosign-public-key }}
slack-channel: ${{ inputs.slack-channel }}
slack-text: |
:no_entry: ${{ github.repository }} / ${{ github.job }} / ${{ inputs.job-name }}\n
<https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}|:octocat: Pull Request>\n
<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|:book: CI Logs>
# pr:
# if: ${{ github.event.action }} == "synchronize" || ${{ github.event.action }} == "opened"
# # Build the container and push it as :pr-42 and :pr-42-fe45b3h
# uses: ./.github/workflows/build-and-test-pr-container.yaml
# with:
# job-name: ${{ inputs.job-name }}
# registry: ${{ inputs.registry }}
# registry-user: ${{ inputs.registry-user }}
# registry-repo: ${{ inputs.registry-repo }}
# cosign-public-key: ${{ inputs.cosign-public-key }}
# slack-channel: ${{ inputs.slack-channel }}
# build-file: ${{ inputs.build-file }}
# build-context: ${{ inputs.build-context }}
# test-flags: ${{ inputs.test-flags }}
# test-args: ${{ inputs.test-args }}
#
# secrets:
# cosign-private-key: ${{ secrets.cosign-private-key }}
# cosign-password: ${{ secrets.cosign-password }}
# registry-token: ${{ secrets.registry-token }}
# slack-token: ${{ secrets.slack-token }}
#
# release:
# if: ${{ github.event.action }} == "push"
# uses: ./.github/workflows/build-and-test-release-container.yaml
# with:
# job-name: ${{ inputs.job-name }}
# registry: ${{ inputs.registry }}
# registry-user: ${{ inputs.registry-user }}
# registry-repo: ${{ inputs.registry-repo }}
# registry-tag-prefix: ${{ inputs.registry-tag-prefix }}
# registry-tag-suffix: ${{ inputs.registry-tag-suffix }}
# release-tag-format: ${{ inputs.release-tag-format}}
# release-rules: ${{ inputs.release-rules }}
# release-branches: ${{ inputs.release-branches }}
# cosign-public-key: ${{ inputs.cosign-public-key }}
# slack-channel: ${{ inputs.slack-channel }}
# build-file: ${{ inputs.build-file }}
# build-context: ${{ inputs.build-context }}
# status-failure: ${{ inputs.status-failure }}
# test-flags: ${{ inputs.test-flags }}
# test-args: ${{ inputs.test-args }}
#
# secrets:
# cosign-private-key: ${{ secrets.cosign-private-key }}
# cosign-password: ${{ secrets.cosign-password }}
# slack-token: ${{ secrets.slack-token }}
# registry-token: ${{ secrets.registry-token }}
build-file: ${{ inputs.build-file }}
build-context: ${{ inputs.build-context }}
test-flags: ${{ inputs.test-flags }}
test-args: ${{ inputs.test-args }}
pr-filters: ${{ inputs.pr-filters }}
cosign-private-key: ${{ secrets.cosign-private-key }}
cosign-password: ${{ secrets.cosign-password }}
registry-token: ${{ secrets.registry-token }}
slack-token: ${{ secrets.slack-token }}
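Review bot: The new step references `uses: ./.github/workflows/pr-container-composite.yaml`, a file path under the workflows directory; a step-level local `uses:` must point at a directory that contains an `action.yml`, while a workflow file can only be called from a job-level `uses:`, so as written this step likely fails at workflow parse time. If the target is a reusable workflow, it belongs in a job entry with the `cosign-private-key`, `cosign-password`, `registry-token` and `slack-token` values moved under `secrets:` instead of `with:`; if it is a composite action, the path should be a directory, e.g. `uses: ./.github/actions/pr-container-composite` (constructed name, adjust to the repository's layout). Secrets handed through `with:` to a composite action become plain inputs, so the composite's `action.yml` should declare each of them and never interpolate them into `run:` command lines where they would reach the shell command log; prefer `env:` inside the composite, as the removed cosign steps did. The enclosing `jobs:` entry starts above this hunk, and whether the old `if: github.event_name == 'pull_request'` guard survives on the new `pr` step cannot be confirmed from the rendered lines.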
