diff --git a/.github/workflows/pr-and-release-container.yaml b/.github/workflows/pr-and-release-container.yaml index 1f44cab0..f1d922a2 100644 --- a/.github/workflows/pr-and-release-container.yaml +++ b/.github/workflows/pr-and-release-container.yaml 
@@ -141,266 +141,22 @@ jobs: labels: [ self-hosted, linux, x64 ] group: heavy steps: - - name: clone repo - uses: actions/checkout@v3 -# changes - - name: detect changed files - pr - uses: dorny/paths-filter@v2 - id: changes - with: - token: ${{ github.token }} - filters: ${{ inputs.filters }} - - - name: annotate the ci run with changes - run: >- - echo "::notice title=Job: ${{ github.job }}::%0A - Changes: ${{ steps.changes.outputs.changes }}" -# setup - - name: install cosign - if: inputs.cosign-public-key != '' - uses: sigstore/cosign-installer@v3.1.2 - - - name: forward proxy settings - run: | - echo "HTTP_PROXY=$HTTP_PROXY" >> $GITHUB_ENV - echo "HTTPS_PROXY=$HTTPS_PROXY" >> $GITHUB_ENV - echo "NO_PROXY=$NO_PROXY" >> $GITHUB_ENV - - - name: install buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: | - env.http_proxy=${{ env.HTTP_PROXY }} - env.https_proxy=${{ env.HTTPS_PROXY }} - "env.no_proxy='${{ env.NO_PROXY }}'" - - - name: login to container registry - uses: docker/login-action@v2 - with: - registry: ${{ inputs.registry }} - username: ${{ inputs.registry-user }} - password: ${{ secrets.registry-token }} - - - name: determine release - if: github.event_name == 'push' - uses: docker://ghcr.io/codfish/semantic-release-action:v2 - id: semantic - env: - GITHUB_TOKEN: ${{ github.token }} - with: - dry_run: true - branches: ${{ inputs.release-branches }} - tag_format: ${{ inputs.release-tag-format }} - plugins: |- - [ - ['@semantic-release/commit-analyzer', { - "releaseRules": ${{ inputs.release-rules }}, - }], - '@semantic-release/release-notes-generator', - ['@semantic-release/github', { - "successComment": false, - "failTitle": false - }] - ] - - - name: annotate the ci run with release version output - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push' - run: >- - echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A - Next release will be version ${{ 
steps.semantic.outputs.release-version }}" -# rest of the owl - - name: pr container metadata + - name: pr if: github.event_name == 'pull_request' - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ inputs.registry }}/${{ inputs.registry-repo }} - tags: | - type=ref,event=pr - - - name: release container metadata - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push' - uses: docker/metadata-action@v5 - id: meta - with: - images: | - ${{ inputs.registry }}/${{ inputs.registry-repo }} - tags: | - type=raw,value=${{ inputs.registry-tag-prefix }}${{ steps.semantic.outputs.release-version }}${{ inputs.registry-tag-suffix }} - - - name: build and push - uses: docker/build-push-action@v5 - id: build + uses: ./.github/workflows/pr-container-composite.yaml with: - file: ${{ inputs.build-file }} - context: ${{ inputs.build-context }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - push: true - github-token: ${{ github.token }} - cache-from: type=gha - cache-to: type=gha,mode=max - provenance: true - - - name: cosign image with key - if: inputs.cosign-public-key != '' - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}" - env: - COSIGN_PRIVATE_KEY: ${{ secrets.cosign-private-key }} - COSIGN_PASSWORD: ${{ secrets.cosign-password }} - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - - - name: cosign verify image - if: inputs.cosign-public-key != '' - env: - COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }} - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - run: | - cosign verify --key env://COSIGN_PUBLIC_KEY "${TAGS}@${DIGEST}" - - - name: annotate the ci run with pr container tags - if: github.event_name == 'pull_request' - run: >- - echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A - Pushed PR container assets!%0A - - %0A - docker pull ${{ steps.meta.outputs.tags 
}}%0A - ${{ steps.build.outputs.digest }}" - - - name: annotate the ci run with release candidate container tags - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push' - run: >- - echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A - Pushed release candidate container assets!%0A - - %0A - docker pull ${{ steps.meta.outputs.tags }}%0A - docker pull ${{ steps.build.outputs.digest }}" - - - name: test - if: ${{ inputs.test-flags != '' || inputs.test-args != '' }} - run: | - docker run \ - ${{ inputs.test-flags }} \ - ${{ inputs.registry }}/${{ inputs.registry-repo }}@${{ steps.build.outputs.digest }} \ - ${{ inputs.test-args }} - - - name: test condition - if: github.event_name == 'push' - run: | - echo 'Hello World' - - - name: retag container - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push' - run: docker buildx imagetools create -t ${{ steps.meta.outputs.tags }} ${{ inputs.registry }}/${{ inputs.registry-repo }}@${{ steps.build.outputs.digest }} - - - name: cosign image with key - if: steps.semantic.outputs.new-release-published == 'true' && inputs.cosign-public-key != '' && github.event_name == 'push' - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}" - env: - COSIGN_PRIVATE_KEY: ${{ secrets.cosign-private-key }} - COSIGN_PASSWORD: ${{ secrets.cosign-password }} - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - - - name: cosign verify container - if: steps.semantic.outputs.new-release-published == 'true' && inputs.cosign-public-key != '' && github.event_name == 'push' - env: - COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }} - TAG: ${{ inputs.registry }}/${{ inputs.registry-repo }} - DIGEST: ${{ steps.build.outputs.digest }} - run: | - cosign verify --key env://COSIGN_PUBLIC_KEY "${TAG}@${DIGEST}" - - - name: release - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 
'push' - uses: actions/github-script@v6 - id: release - env: - RELEASE_NOTES: | - ${{ steps.semantic.outputs.release-notes }} - with: - retries: 3 - github-token: ${{ github.token }} - script: | - github.rest.repos.createRelease({ - owner: "${{ github.repository_owner }}", - repo: "${{ github.event.repository.name }}", - tag_name: "${{ steps.semantic.outputs.git-tag }}", - target_commitish: "${{ github.sha }}", - body: process.env.RELEASE_NOTES, - name: "${{ steps.semantic.outputs.git-tag }}" - }); - - - name: annotate the ci run with release container tags - if: steps.semantic.outputs.new-release-published == 'true' && github.event_name == 'push' - run: >- - echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A - Pushed release container version ${{ steps.semantic.outputs.release-version }}!%0A - - %0A - docker pull ${{ env.RELEASE_TAG }}%0A - docker pull ${{ steps.build.outputs.digest }}" - - - name: update slack thread failure - uses: archive/github-actions-slack@v2.7.0 - continue-on-error: true - if: failure() - with: - slack-bot-user-oauth-access-token: ${{ secrets.slack-token }} + job-name: ${{ inputs.job-name }} + registry: ${{ inputs.registry }} + registry-user: ${{ inputs.registry-user }} + registry-repo: ${{ inputs.registry-repo }} + cosign-public-key: ${{ inputs.cosign-public-key }} slack-channel: ${{ inputs.slack-channel }} - slack-text: | - :no_entry: ${{ github.repository }} / ${{ github.job }} / ${{ inputs.job-name }}\n - \n - -# pr: -# if: ${{ github.event.action }} == "synchronize" || ${{ github.event.action }} == "opened" -# # Build the container and push it as :pr-42 and :pr-42-fe45b3h -# uses: ./.github/workflows/build-and-test-pr-container.yaml -# with: -# job-name: ${{ inputs.job-name }} -# registry: ${{ inputs.registry }} -# registry-user: ${{ inputs.registry-user }} -# registry-repo: ${{ inputs.registry-repo }} -# cosign-public-key: ${{ inputs.cosign-public-key }} -# slack-channel: ${{ inputs.slack-channel }} -# 
build-file: ${{ inputs.build-file }} -# build-context: ${{ inputs.build-context }} -# test-flags: ${{ inputs.test-flags }} -# test-args: ${{ inputs.test-args }} -# -# secrets: -# cosign-private-key: ${{ secrets.cosign-private-key }} -# cosign-password: ${{ secrets.cosign-password }} -# registry-token: ${{ secrets.registry-token }} -# slack-token: ${{ secrets.slack-token }} -# -# release: -# if: ${{ github.event.action }} == "push" -# uses: ./.github/workflows/build-and-test-release-container.yaml -# with: -# job-name: ${{ inputs.job-name }} -# registry: ${{ inputs.registry }} -# registry-user: ${{ inputs.registry-user }} -# registry-repo: ${{ inputs.registry-repo }} -# registry-tag-prefix: ${{ inputs.registry-tag-prefix }} -# registry-tag-suffix: ${{ inputs.registry-tag-suffix }} -# release-tag-format: ${{ inputs.release-tag-format}} -# release-rules: ${{ inputs.release-rules }} -# release-branches: ${{ inputs.release-branches }} -# cosign-public-key: ${{ inputs.cosign-public-key }} -# slack-channel: ${{ inputs.slack-channel }} -# build-file: ${{ inputs.build-file }} -# build-context: ${{ inputs.build-context }} -# status-failure: ${{ inputs.status-failure }} -# test-flags: ${{ inputs.test-flags }} -# test-args: ${{ inputs.test-args }} -# -# secrets: -# cosign-private-key: ${{ secrets.cosign-private-key }} -# cosign-password: ${{ secrets.cosign-password }} -# slack-token: ${{ secrets.slack-token }} -# registry-token: ${{ secrets.registry-token }} \ No newline at end of file + build-file: ${{ inputs.build-file }} + build-context: ${{ inputs.build-context }} + test-flags: ${{ inputs.test-flags }} + test-args: ${{ inputs.test-args }} + pr-filters: ${{ inputs.pr-filters }} + cosign-private-key: ${{ secrets.cosign-private-key }} + cosign-password: ${{ secrets.cosign-password }} + registry-token: ${{ secrets.registry-token }} + slack-token: ${{ secrets.slack-token }} \ No newline at end of file
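Review bot: The new `pr` step references a local action, `uses: ./.github/workflows/pr-container-composite.yaml`, but the same hunk removes the `actions/checkout@v3` step, and a `./` action path is resolved from the runner's workspace, so the step cannot find it unless something earlier in the job (outside this hunk) checks the repository out; re-adding `- name: clone repo` / `uses: actions/checkout@v3` before the `pr` step fixes that. A local step-level `uses:` also has to name a directory holding `action.yml`/`action.yaml`; a `.yaml` file under `.github/workflows` is the shape of a reusable workflow, which can only be called from `jobs.<id>.uses`, not from a step, so confirm the target is actually a composite-action directory. Passing `cosign-private-key`, `cosign-password`, `registry-token` and `slack-token` under `with:` is the only channel a composite action offers, but inside it they arrive as plain `inputs.*`, so the composite should hand them to steps through `env:` rather than interpolating them into `run:` scripts. The enclosing job starts before this hunk.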