-
Notifications
You must be signed in to change notification settings - Fork 2
209 lines (209 loc) · 8.55 KB
/
reusable-ko-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
name: Reusable Ko build
env:
VERSION_CRANE: v0.16.1
GEONET_DEFAULT_BASE_IMAGE: ghcr.io/geonet/base-images/static:latest
on:
workflow_call:
inputs:
registryOverride:
required: false
type: string
description: |
a container registry to use instead of ghcr.io.
e.g:
- quay.io
- registry.gitlab.com/somecoolproject
- ghcr.io/somecoolproject/thing
registryGhcrUsernameOverride:
required: false
type: string
description: |
the GitHub username to use for ghcr auth override.
tags:
required: false
type: string
default: latest,git-${{ github.sha }}
description: |
a comma separated list of tags to image tags.
e.g:
- latest,20230607,git-deadb33f
- cooltag,v2.0.2
- latest
paths:
required: false
type: string
description: |
the Go entrypoint paths for applications, where there they have `package main`
e.g: ./cmd/thing1 ./cmd/thing2
push:
required: false
default: ${{ github.ref == 'refs/heads/main' }}
type: boolean
description: |
set to true to push an image to a registry. When set to false, it will build and exit
platforms:
required: false
type: string
default: "linux/amd64"
description: |
comma-separated list of the target platforms for container builds.
e.g:
- all
- linux/amd64
- linux/arm64,linux/amd64
aws-region:
type: string
default: ap-southeast-2
required: false
description: |
the AWS region to use; e.g ap-southeast-2
aws-role-arn-to-assume:
type: string
required: false
description: |
an AWS role ARN to assume.
e.g: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds:
type: string
default: "3600"
required: false
description: |
the amount of seconds to hold a session open for.
aws-role-session-name:
type: string
required: false
description: |
the name of the session to use for AssumeRole(WithWebIdentity).
setup:
required: false
type: string
description: |
shell commands to setup the build environment
configPath:
required: false
type: string
description: |
the path to a Ko config yaml
goflags:
required: false
type: string
description: |
set a GOFLAGS environment variable
secrets:
GH_CI_USER_TOKEN:
required: false
outputs:
images:
value: ${{ jobs.build.outputs.images }}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 30
outputs:
images: ${{ steps.build.outputs.images }}
steps:
- if: ${{ startsWith(github.repository, 'GeoNet/') == false }}
name: require GeoNet org
run: |
exit 1
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: configure system
run: |
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
gh auth login --with-token < <(echo ${{ secrets.GITHUB_TOKEN }})
gh auth status
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
check-latest: true
- name: setup
run: |
eval '${{ inputs.setup }}'
- id: run-info
name: collect job run info
env:
KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
KO_CONFIG_PATH: ${{ inputs.configPath }}
REGISTRY_OVERRIDE: ${{ inputs.registryOverride }}
TAGS: ${{ inputs.tags }}
run: |
if [ -n "$REGISTRY_OVERRIDE" ]; then
KO_DOCKER_REPO="$REGISTRY_OVERRIDE"
fi
echo "KO_DOCKER_REPO=${KO_DOCKER_REPO,,}" >> $GITHUB_ENV
if [ -n "${KO_CONFIG_PATH:-}" ]; then
echo "KO_CONFIG_PATH=$KO_CONFIG_PATH" >> $GITHUB_ENV
fi
# set default base image if not set in config
if [ ! -f "${KO_CONFIG_PATH:-.ko.yaml}" ] || [ "$(yq e '.defaultBaseImage==null | not' "${KO_CONFIG_PATH:-.ko.yaml}")" = "false" ]; then
echo "KO_DEFAULTBASEIMAGE=$GEONET_DEFAULT_BASE_IMAGE" >> $GITHUB_ENV
echo "NOTICE: using default base image ($GEONET_DEFAULT_BASE_IMAGE) from env"
fi
if [ -z "$KO_DEFAULTBASEIMAGE" ] && [ -f "${KO_CONFIG_PATH:-.ko.yaml}" ] && [ "$(yq e '.defaultBaseImage==null | not' "${KO_CONFIG_PATH:-.ko.yaml}")" = "true" ]; then
KO_DEFAULTBASEIMAGE="$(yq e '.defaultBaseImage' "${KO_CONFIG_PATH:-.ko.yaml}")"
echo "NOTICE: found default base image ($KO_DEFAULTBASEIMAGE) in ${KO_CONFIG_PATH:-.ko.yaml}"
echo "KO_DEFAULTBASEIMAGE=$KO_DEFAULTBASEIMAGE" >> $GITHUB_ENV
fi
if [ -n "${{ inputs.paths }}" ]; then
echo "paths=$(echo '${{ inputs.paths }}' | tr '\n' ' ')" >> $GITHUB_OUTPUT
else
PATHS="$(go list -json ./... | jq -r -s '.[] | select (.Name == "main") | .ImportPath' | xargs)"
echo "paths="$PATHS"" >> $GITHUB_OUTPUT
fi
echo "tags=$TAGS" >> $GITHUB_OUTPUT
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
with:
version: ${{ env.VERSION_CRANE }}
- uses: GeoNet/setup-ko@190558b6b0e4ebe7e2caa5d99309563d1bceaa8d # main
- name: get session name
id: get-session-name
if: ${{ inputs.aws-region != '' && inputs.aws-role-arn-to-assume != '' && inputs.aws-role-duration-seconds != '' && inputs.registryOverride != '' }}
env:
REPO: ${{ github.repository }}
AWS_ROLE_SESSION_NAME: ${{ inputs.aws-role-session-name }}
run: |
SESSION_NAME="$(echo "github-actions-$REPO" | sed 's,/,--,g' | tr '[[:upper:]]' '[[:lower:]]')"
if [ -n "$AWS_ROLE_SESSION_NAME" ]; then
SESSION_NAME="$AWS_ROLE_SESSION_NAME"
fi
echo "session-name=$SESSION_NAME" >> $GITHUB_OUTPUT
- name: Configure AWS Credentials
if: ${{ inputs.push == true && inputs.aws-region != '' && inputs.aws-role-arn-to-assume != '' && inputs.aws-role-duration-seconds != '' && steps.get-session-name.outputs.session-name != '' && inputs.registryOverride != '' }}
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ inputs.aws-region }}
role-to-assume: ${{ inputs.aws-role-arn-to-assume }}
role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}
role-session-name: ${{ steps.get-session-name.outputs.session-name }}
- name: login to ECR
if: ${{ inputs.push == true && inputs.aws-region != '' && inputs.aws-role-arn-to-assume != '' && inputs.aws-role-duration-seconds != '' && steps.get-session-name.outputs.session-name != '' }}
run: |
aws ecr get-login-password --region ${{ inputs.aws-region }} | crane auth login ${{ inputs.registryOverride }} -u AWS --password-stdin
- name: override login to ghcr
if: ${{ env.registryGhcrUsernameOverride != '' && env.registryGhcrPasswordOverride != '' }}
env:
registryGhcrUsernameOverride: ${{ inputs.registryGhcrUsernameOverride }}
registryGhcrPasswordOverride: ${{ secrets.GH_CI_USER_TOKEN }}
run: |
echo "${{ env.registryGhcrPasswordOverride }}" | crane auth login ghcr.io -u ${{ env.registryGhcrUsernameOverride }} --password-stdin
- id: build
name: build
env:
IMAGES_PATH: ${{ steps.run-info.outputs.paths }}
TAGS: ${{ steps.run-info.outputs.tags }}
PUSH: ${{ inputs.push }}
PLATFORMS: ${{ inputs.platforms }}
GOFLAGS: "${{ inputs.goflags }}"
run: |
echo "NOTICE: using default base image $KO_DEFAULTBASEIMAGE"
IMAGES="$(ko build --platform=$PLATFORMS --push=$PUSH --tags "$TAGS" --base-import-paths $IMAGES_PATH)"
echo "images=$(echo $IMAGES | tr ' ' ',')" >> $GITHUB_OUTPUT
- name: image result
if: ${{ inputs.push }}
id: result
env:
IMAGES: ${{ steps.build.outputs.images }}
run: |
echo -e "Built and pushed:\n$(echo "$IMAGES" | sed 's/,/\n/g' | sed 's/^/- /g')"