Update flow to use different artifact registry

epam · Dec 30, 2024 · c3cf1e6 · c3cf1e6
1 parent 43aee5f
commit c3cf1e6
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 49 deletions.
diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml
@@ -17,15 +17,19 @@ on:
         required: true
         type: string
     secrets:
-      REGISTRY_URL:
+      ARTIFACTORY_REGISTRY_URL:
         required: true
-      REGISTRY_USER:
+      ARTIFACTORY_AUTH2_USER:
         required: true
-      REGISTRY_PASSWORD:
+      WFI_PROVIDER:
         required: true
-      COMMON_HELMCHART_NAME:
+      WFI_SA:
         required: true
-      COMMON_HELMCHART_VERSION:
+      BASE_HELMCHART_NAME:
+        required: true
+      BASE_HELMCHART_VERSION:
+        required: true
+      PROJECT_ID:
         required: true
       APP_NAME_BASE:
         required: true
@@ -36,11 +40,14 @@ env:
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   build-and-test:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
 
     runs-on: ubuntu-latest
     env:
       ACTIONS_STEP_DEBUG: true
-      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
+      VALUES_FILE: ${{ inputs.values-file }}
 
     steps:
       - uses: actions/checkout@v4
@@ -66,20 +73,29 @@ jobs:
       - name: stylelint
         run: yarn stylelint
 
-      - name: Login to registry
-        uses: docker/login-action@v2
+      - name: Authenticate to Cloud
+        id: auth
+        uses: 'google-github-actions/auth@v2'
         with:
-          registry: ${{ secrets.REGISTRY_URL }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          token_format: access_token
+          project_id: ${{ secrets.PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.WFI_PROVIDER }}
+          service_account: ${{ secrets.WFI_SA }}
+
+      - name: Login to artifactory
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.ARTIFACTORY_REGISTRY_URL }}
+          username: ${{ secrets.ARTIFACTORY_AUTH2_USER }}
+          password: ${{ steps.auth.outputs.access_token }}
 
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v4
         with:
           # list of Docker images to use as base name for tags
           images: |
-            ${{ secrets.REGISTRY_URL }}/${{ inputs.image-name }}
+            ${{ secrets.ARTIFACTORY_REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/apps-docker-repo/${{ inputs.image-name }}
           # generate Docker tags based on the following events/attributes
           # This is our main tag for image in form sha-XXXXXX which we will use in helm values file (see "Preparation and Helm chart packaging" job)
           tags: |
@@ -98,21 +114,6 @@ jobs:
           # Image will be tagged with all tags from "Docker meta" step
           tags: ${{ steps.meta.outputs.tags }}
 
-  package:
-    needs: build-and-test
-    runs-on: ubuntu-20.04 # Gitversion requires .NET SDK 3.1
-    env:
-      ACTIONS_STEP_DEBUG: true
-      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
-      VALUES_FILE: ${{ inputs.values-file }}
-      COMMON_HELMCHART_VER: ${{ secrets.COMMON_HELMCHART_VERSION }}
-
-    steps:
-      - uses: actions/checkout@v3
-        name: Code checkout
-        with:
-          fetch-depth: 0
-
       # install Gitversion to obtain semver version
       - name: Install GitVersion
         uses: gittools/actions/gitversion/[email protected]
@@ -134,11 +135,11 @@ jobs:
 
       - name: Preparation and Helm chart packaging
         run: |
-          echo ${{ secrets.REGISTRY_PASSWORD }} | helm registry login ${{ secrets.REGISTRY_URL }} --username ${{ secrets.REGISTRY_USER }} --password-stdin
+          echo ${{ steps.auth.outputs.access_token }} | helm registry login ${{ secrets.ARTIFACTORY_REGISTRY_URL }} --username ${{ secrets.ARTIFACTORY_AUTH2_USER }} --password-stdin
           mkdir helmchart && cd ./helmchart # helm cannot untar file to the repo with the same name as a package. To avoid error we create temp folder
-          helm pull oci://${{ secrets.REGISTRY_URL }}/helm/${{ secrets.COMMON_HELMCHART_NAME }} --version ${COMMON_HELMCHART_VER} --untar
+          helm pull oci://${{ secrets.ARTIFACTORY_REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/apps-docker-repo/helm/${{ secrets.BASE_HELMCHART_NAME }} --version ${{ secrets.BASE_HELMCHART_VERSION }} --untar
           echo "[INFO] Replace Docker image tag in helm chart..."
-          sed -i -e "s/tag: latest/tag: sha-${GITVERSION_SHORTSHA}/g" ${{ secrets.COMMON_HELMCHART_NAME }}/${VALUES_FILE}
+          sed -i -e "s/tag: latest/tag: sha-${GITVERSION_SHORTSHA}/g" ${{ secrets.BASE_HELMCHART_NAME }}/${VALUES_FILE}
 
       - name: Packaging and Uploading Helm Chart
         run: |
@@ -149,8 +150,8 @@ jobs:
           echo "[INFO] ${helm_tag}..."
 
           echo "[INFO] Replace Helm Chart package version..."
-          sed -i -e "s/version: ${COMMON_HELMCHART_VER}/version: ${helm_tag}/g" ${{ secrets.COMMON_HELMCHART_NAME }}/Chart.yaml
+          sed -i -e "s/version: ${{ secrets.BASE_HELMCHART_VERSION }}/version: ${helm_tag}/g" ${{ secrets.BASE_HELMCHART_NAME }}/Chart.yaml
           echo "[INFO] Changing Helm Chart package name..."
-          sed -i -e "s/name: ${{ secrets.COMMON_HELMCHART_NAME }}/name: ${{ secrets.APP_NAME_BASE }}/g" ${{ secrets.COMMON_HELMCHART_NAME }}/Chart.yaml
-          helm package ${{ secrets.COMMON_HELMCHART_NAME }}
-          helm push ${{ secrets.APP_NAME_BASE }}-${helm_tag}.tgz oci://${{ secrets.REGISTRY_URL }}/helm
+          sed -i -e "s/name: ${{ secrets.BASE_HELMCHART_NAME }}/name: ${{ secrets.APP_NAME_BASE }}/g" ${{ secrets.BASE_HELMCHART_NAME }}/Chart.yaml
+          helm package ${{ secrets.BASE_HELMCHART_NAME }}
+          helm push ${{ secrets.APP_NAME_BASE }}-${helm_tag}.tgz oci://${{ secrets.ARTIFACTORY_REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/apps-docker-repo/helm
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -15,11 +15,13 @@ jobs:
     # Call all jobs from base.yml
     uses: ./.github/workflows/base.yml
     secrets:
-      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
-      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
-      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-      COMMON_HELMCHART_NAME: ${{ secrets.COMMON_HELMCHART_NAME }}
-      COMMON_HELMCHART_VERSION: ${{ secrets.COMMON_HELMCHART_VERSION_NONPROD }}
+      BASE_HELMCHART_VERSION: ${{ secrets.BASE_HELMCHART_VERSION }}
+      BASE_HELMCHART_NAME: ${{ secrets.BASE_HELMCHART_NAME }}
+      WFI_PROVIDER: ${{ secrets.WFI_PROVIDER }}
+      WFI_SA: ${{ secrets.WFI_SA }}
+      PROJECT_ID: ${{ secrets.PROJECT_ID }}
+      ARTIFACTORY_REGISTRY_URL: ${{ secrets.ARTIFACTORY_REGISTRY_URL }}
+      ARTIFACTORY_AUTH2_USER: ${{ secrets.ARTIFACTORY_AUTH2_USER }}
       APP_NAME_BASE: ${{ secrets.APP_NAME_DEV }}
     with:
       values-file: values.dev.yaml

diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
@@ -20,12 +20,14 @@ jobs:
     # Call all jobs from base.yml
     uses: ./.github/workflows/base.yml
     secrets:
-      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
-      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
-      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-      COMMON_HELMCHART_NAME: ${{ secrets.COMMON_HELMCHART_NAME }}
-      COMMON_HELMCHART_VERSION: ${{ secrets.COMMON_HELMCHART_VERSION_PROD }}
       APP_NAME_BASE: ${{ secrets.APP_NAME }}
+      BASE_HELMCHART_VERSION: ${{ secrets.BASE_HELMCHART_VERSION }}
+      BASE_HELMCHART_NAME: ${{ secrets.BASE_HELMCHART_NAME }}
+      WFI_PROVIDER: ${{ secrets.WFI_PROVIDER }}
+      WFI_SA: ${{ secrets.WFI_SA }}
+      PROJECT_ID: ${{ secrets.PROJECT_ID }}
+      ARTIFACTORY_REGISTRY_URL: ${{ secrets.ARTIFACTORY_REGISTRY_URL }}
+      ARTIFACTORY_AUTH2_USER: ${{ secrets.ARTIFACTORY_AUTH2_USER }}
     with:
       values-file: values.prod.yaml
       # TODO: After migrating prod environment we can use the same image name for prod and non-prod

diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
@@ -15,11 +15,13 @@ jobs:
     # Call all jobs from base.yml
     uses: ./.github/workflows/base.yml
     secrets:
-      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
-      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
-      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-      COMMON_HELMCHART_NAME: ${{ secrets.COMMON_HELMCHART_NAME }}
-      COMMON_HELMCHART_VERSION: ${{ secrets.COMMON_HELMCHART_VERSION_NONPROD }}
+      BASE_HELMCHART_VERSION: ${{ secrets.BASE_HELMCHART_VERSION }}
+      BASE_HELMCHART_NAME: ${{ secrets.BASE_HELMCHART_NAME }}
+      WFI_PROVIDER: ${{ secrets.WFI_PROVIDER }}
+      WFI_SA: ${{ secrets.WFI_SA }}
+      PROJECT_ID: ${{ secrets.PROJECT_ID }}
+      ARTIFACTORY_REGISTRY_URL: ${{ secrets.ARTIFACTORY_REGISTRY_URL }}
+      ARTIFACTORY_AUTH2_USER: ${{ secrets.ARTIFACTORY_AUTH2_USER }}
       APP_NAME_BASE: ${{ secrets.APP_NAME_QA }}
     with:
       values-file: values.qa.yaml