
allow ci flow to be called from Actions tab (#5103)
pdabelf5 authored Feb 19, 2024
1 parent df763f7 commit 5aff19e
Showing 4 changed files with 50 additions and 34 deletions.
20 changes: 10 additions & 10 deletions .github/workflows/build-oss.yml
Expand Up @@ -15,7 +15,7 @@ on:
tag:
required: false
type: string
build-cache:
publish-image:
required: false
type: boolean

Expand Down Expand Up @@ -54,7 +54,7 @@ jobs:
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
if: ${{ inputs.publish-image }}

- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
Expand All @@ -64,36 +64,36 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to Public ECR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: public.ecr.aws
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to Quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Get short tag
id: tag
Expand Down Expand Up @@ -149,10 +149,10 @@ jobs:
annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
push: ${{ inputs.publish-image }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
no-cache: ${{ inputs.publish-image }}
sbom: ${{ inputs.publish-image }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
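Review bot: In the -149 hunk `push:`, `no-cache:` and `sbom:` now follow `inputs.publish-image`, but `annotations:`, `platforms:` and `load:` just above them still use the old `github.event_name` / `refs/heads/release-` test, so a workflow_dispatch run from a `release-*` branch that asks to publish would push with an empty platform list and with `load: true` next to `push: true`, a combination buildx rejects. build-plus.yml in this same commit already derives all three from the input; mirror it here: `annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}`, `platforms: ${{ inputs.publish-image && inputs.platforms || '' }}`, `load: ${{ ! inputs.publish-image }}`. The registry logins in the -64 hunk are now gated only by this caller-supplied flag, so a comment above the `publish-image` input in the `on:` block stating that every caller is responsible for computing it from the event and ref would help the next reader; the build step itself starts outside the hunk.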
30 changes: 15 additions & 15 deletions .github/workflows/build-plus.yml
Expand Up @@ -21,7 +21,7 @@ on:
release-url:
required: false
type: string
build-cache:
publish-image:
required: false
type: boolean

Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64,s390x
if: github.event_name != 'pull_request'
if: ${{ inputs.publish-image }}

- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
Expand All @@ -67,15 +67,15 @@ jobs:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: github.event_name != 'pull_request' && ! inputs.build-cache
if: ${{ inputs.publish-image }}

- name: Login to GCR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: github.event_name != 'pull_request' && ! inputs.build-cache
if: ${{ inputs.publish-image }}

- name: Authenticate to Google Cloud Marketplace
id: auth-mktpl
Expand Down Expand Up @@ -114,15 +114,15 @@ jobs:
script: |
let id_token = await core.getIDToken()
core.setOutput('id_token', id_token)
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Login to NGINX Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: docker-mgmt.nginx.com
username: ${{ steps.idtoken.outputs.id_token }}
password: ${{ github.actor }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Docker meta
id: meta
Expand Down Expand Up @@ -165,13 +165,13 @@ jobs:
target: ${{ inputs.target }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }}
annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
platforms: ${{ inputs.publish-image && inputs.platforms || '' }}
load: ${{ ! inputs.publish-image }}
push: ${{ inputs.publish-image }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
sbom: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ inputs.publish-image }}
sbom: ${{ inputs.publish-image }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
Expand Down Expand Up @@ -236,7 +236,7 @@ jobs:
"nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
Expand All @@ -246,14 +246,14 @@ jobs:
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
ignore-unfixed: "true"
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
if: ${{ ! inputs.build-cache }}
if: ${{ inputs.publish-image }}

- name: Upload Scan Results
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
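Review bot: The `Run Trivy vulnerability scanner` and `Upload Trivy scan results to GitHub Security tab` steps in the -246 hunk are now skipped unless `inputs.publish-image` is true, whereas before they ran whenever `build-cache` was unset, which appears to include pull_request builds; scanning of the Plus images on PRs is lost and findings would only surface at publish time. If the scan is meant to keep running for PR builds, gate both steps on `${{ inputs.publish-image || github.event_name == 'pull_request' }}`, and apply the same condition to the `if:` in the -236 hunk (its step name is outside the hunk) if the scanned image-ref is produced by that step. The `publish-image` input in the -21 hunk has no `description:`; one line saying that it enables the registry logins, the push and the Trivy scan would tell callers what they are switching on.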
6 changes: 3 additions & 3 deletions .github/workflows/cache-update.yml
Expand Up @@ -87,7 +87,7 @@ jobs:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
build-cache: true
publish-image: false
permissions:
contents: read
actions: read
Expand Down Expand Up @@ -116,7 +116,7 @@ jobs:
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
release-url: ${{ needs.release-notes.outputs.release-url }}
build-cache: true
publish-image: false
permissions:
contents: read
security-events: write
Expand Down Expand Up @@ -170,7 +170,7 @@ jobs:
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
nap_modules: ${{ matrix.nap_modules }}
release-url: ${{ needs.release-notes.outputs.release-url }}
build-cache: true
publish-image: false
permissions:
contents: read
security-events: write
28 changes: 22 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -13,6 +13,12 @@ on:
- release-*
schedule:
- cron: "0 4 * * *" # run every day at 04:00 UTC
workflow_dispatch:
inputs:
publish-image:
description: Publish of the generated images
type: boolean
default: false

defaults:
run:
Expand All @@ -37,6 +43,7 @@ jobs:
chart_version: ${{ steps.vars.outputs.chart_version }}
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
ic_version: ${{ steps.vars.outputs.ic_version }}
publish-images: ${{ steps.vars.outputs.publish }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down Expand Up @@ -76,6 +83,13 @@ jobs:
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
publish=false
if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then
publish=true
elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then
publish=true
fi
echo "publish=$publish" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Fetch Cached Binary Artifacts
Expand Down Expand Up @@ -413,13 +427,13 @@ jobs:
build-docker:
name: Build Docker OSS
needs: [checks, smoke-tests]
needs: [checks, smoke-results]
strategy:
fail-fast: false
matrix:
image: [debian, alpine]
platforms:
["linux/arm", "linux/arm64, linux/amd64, linux/ppc64le", "linux/s390x"]
["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
include:
- image: ubi
platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
Expand All @@ -428,6 +442,7 @@ jobs:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
actions: read
Expand All @@ -438,7 +453,7 @@ jobs:

build-docker-plus:
name: Build Docker Plus
needs: [checks, build-docker, release-notes]
needs: [checks, smoke-results, release-notes]
strategy:
fail-fast: false
matrix:
Expand All @@ -456,6 +471,7 @@ jobs:
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
release-url: ${{ needs.release-notes.outputs.release-url }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
security-events: write
Expand All @@ -464,7 +480,7 @@ jobs:

build-docker-nap:
name: Build Docker NAP
needs: [checks, build-docker-plus, release-notes]
needs: [checks, smoke-results, release-notes]
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -501,7 +517,6 @@ jobs:
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf

uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
Expand All @@ -510,6 +525,7 @@ jobs:
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
nap_modules: ${{ matrix.nap_modules }}
release-url: ${{ needs.release-notes.outputs.release-url }}
publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
permissions:
contents: read
security-events: write
Expand Down Expand Up @@ -604,7 +620,7 @@ jobs:
gcp-marketplace:
name: Trigger PR for GCP Marketplace
runs-on: ubuntu-22.04
needs: [checks, publish-helm]
needs: [checks, build-docker-plus, build-docker-nap]
steps:
- name:
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
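Review bot: The manual branch `if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then` in the -76 hunk sets `publish=true` without the `! startsWith(github.ref, 'refs/heads/release-')` test that the `elif` keeps for automatic runs, so anyone able to dispatch the workflow can publish images from any branch, including `release-*`, using the registry and cloud credentials the reusable workflows log in with. If that is intended, say so in the input's `description:` in the -13 hunk (the current `Publish of the generated images` reads oddly; `Publish the built images to the container registries` is clearer); if not, add the same ref test to the first branch or put the publishing jobs behind an environment that requires approval. The `if ${{ … }}; then` form works only because the expression renders to the shell commands `true`/`false`; `if [ "${{ … }}" = "true" ]; then` makes that explicit and survives an empty expansion. The `checks` job whose outputs are extended at `publish-images:` starts outside the hunk.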
