From 5aff19e6148c27329060891d0973c625eb344cc7 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 19 Feb 2024 11:49:17 +0000
Subject: [PATCH] allow ci flow to be called from Actions tab (#5103)

---
 .github/workflows/build-oss.yml | 20 ++++++++++----------
 .github/workflows/build-plus.yml | 30 +++++++++++++++---------------
 .github/workflows/cache-update.yml | 6 +++---
 .github/workflows/ci.yml | 28 ++++++++++++++++++++++------
 4 files changed, 50 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index b7ae80bc7d..20b8fdccf9 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -15,7 +15,7 @@ on:
       tag:
         required: false
         type: string
-      build-cache:
+      publish-image:
         required: false
         type: boolean
 
@@ -54,7 +54,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm,arm64,ppc64le,s390x
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ inputs.publish-image }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
@@ -64,7 +64,7 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
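Review bot: The new `publish-image` input in the hunk at line 15 carries neither a `description:` nor a `default:`, so a caller that omits it relies on the platform's implicit value for an unset boolean rather than a declared one; the matching input in build-plus.yml at line 21 has the same gap. Because every registry login `if:` and the build step's `push:`, `no-cache:` and `sbom:` are now keyed on this single value, the contract deserves to be explicit: add `description: Push the built image to the registries; false builds only` and `default: false` under the input in both files.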
@@ -72,20 +72,20 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to Public ECR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: public.ecr.aws
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -93,7 +93,7 @@ jobs:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Get short tag
         id: tag
@@ -149,10 +149,10 @@ jobs:
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
           platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
           load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
-          push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+          push: ${{ inputs.publish-image }}
           pull: true
-          no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
-          sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+          no-cache: ${{ inputs.publish-image }}
+          sbom: ${{ inputs.publish-image }}
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 58499a953f..5d546bb8f5 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -21,7 +21,7 @@ on:
       release-url:
         required: false
         type: string
-      build-cache:
+      publish-image:
         required: false
         type: boolean
 
@@ -55,7 +55,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm64,s390x
-        if: github.event_name != 'pull_request'
+        if: ${{ inputs.publish-image }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
@@ -67,7 +67,7 @@ jobs:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-        if: github.event_name != 'pull_request' && ! inputs.build-cache
+        if: ${{ inputs.publish-image }}
 
       - name: Login to GCR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
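Review bot: In the build-oss hunk at line 149, `annotations:`, `platforms:` and `load:` still branch on `github.event_name`/`github.ref` while `push:`, `no-cache:` and `sbom:` now follow `inputs.publish-image`, so the two predicates disagree on any call that is not a pull request but does not publish — cache-update.yml now passes `publish-image: false`, and a manual run with the box unticked does the same. On such a run `platforms:` still expands to the full `inputs.platforms` list, yet the QEMU step in the hunk at line 54 is skipped on the same condition and neither `load` nor `push` is true, so the cross-arch build either fails for lack of binfmt or produces an image that goes nowhere. build-plus.yml at line 165 was already brought in line; the same three lines here would be `annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}`, `platforms: ${{ inputs.publish-image && inputs.platforms || '' }}` and `load: ${{ ! inputs.publish-image }}`. If cache-update is meant to keep warming multi-arch layers, keep `platforms:` as is and gate the QEMU step on the same `platforms` condition instead.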
@@ -75,7 +75,7 @@ jobs:
           registry: gcr.io
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
-        if: github.event_name != 'pull_request' && ! inputs.build-cache
+        if: ${{ inputs.publish-image }}
 
       - name: Authenticate to Google Cloud Marketplace
         id: auth-mktpl
@@ -114,7 +114,7 @@ jobs:
           script: |
             let id_token = await core.getIDToken()
             core.setOutput('id_token', id_token)
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to NGINX Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -122,7 +122,7 @@ jobs:
           registry: docker-mgmt.nginx.com
           username: ${{ steps.idtoken.outputs.id_token }}
           password: ${{ github.actor }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Docker meta
         id: meta
@@ -165,13 +165,13 @@ jobs:
           target: ${{ inputs.target }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
-          platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
-          load: ${{ github.event_name == 'pull_request' }}
-          push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }}
+          annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
+          platforms: ${{ inputs.publish-image && inputs.platforms || '' }}
+          load: ${{ ! inputs.publish-image }}
+          push: ${{ inputs.publish-image }}
           pull: true
-          no-cache: ${{ github.event_name != 'pull_request' }}
-          sbom: ${{ github.event_name != 'pull_request' }}
+          no-cache: ${{ inputs.publish-image }}
+          sbom: ${{ inputs.publish-image }}
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
@@ -236,7 +236,7 @@ jobs:
             "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
             "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
             ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
@@ -246,14 +246,14 @@ jobs:
           format: "sarif"
           output: "trivy-results-${{ inputs.image }}.sarif"
           ignore-unfixed: "true"
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml
index ea36974cb0..8800fca156 100644
--- a/.github/workflows/cache-update.yml
+++ b/.github/workflows/cache-update.yml
@@ -87,7 +87,7 @@ jobs:
       platforms: ${{ matrix.platforms }}
       image: ${{ matrix.image }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       actions: read
@@ -116,7 +116,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       security-events: write
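Review bot: Replacing `${{ ! inputs.build-cache }}` with `${{ inputs.publish-image }}` in the build-plus hunks at lines 236 and 246 is not an equivalent rewrite: the old predicate was true for every caller except cache-update, so the Trivy scan and the SARIF upload ran on pull-request builds, whereas `publish-image` is false for pull requests (ci.yml derives it from `publish-images`, which is only set when the event is not `pull_request`), so from now on Plus images are scanned only on the runs that publish them and a vulnerable PR build reaches the Security tab only after it has been pushed. The step whose `secrets:` block closes at the top of the hunk at line 236 is gated the same way, so whatever it builds also disappears from PR runs. If the intent is only to keep cache-update from scanning, the distinction needs its own signal — for example a separate boolean input (a constructed name such as `scan-image`) that cache-update sets to false — rather than reusing the publish flag; otherwise the behaviour change should be called out in the commit message.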
@@ -170,7 +170,7 @@ jobs:
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       security-events: write
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd5185c3c6..d613a644d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,12 @@ on:
       - release-*
   schedule:
     - cron: "0 4 * * *" # run every day at 04:00 UTC
+  workflow_dispatch:
+    inputs:
+      publish-image:
+        description: Publish of the generated images
+        type: boolean
+        default: false
 
 defaults:
   run:
@@ -37,6 +43,7 @@ jobs:
       chart_version: ${{ steps.vars.outputs.chart_version }}
       binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
       ic_version: ${{ steps.vars.outputs.ic_version }}
+      publish-images: ${{ steps.vars.outputs.publish }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -76,6 +83,13 @@ jobs:
           source .github/data/version.txt
           echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
           echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
+          publish=false
+          if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then
+            publish=true
+          elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then
+            publish=true
+          fi
+          echo "publish=$publish" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
       - name: Fetch Cached Binary Artifacts
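Review bot: The description `Publish of the generated images` added in the ci.yml hunk at line 13 is the only text the person ticking the box in the Actions tab will see, and it reads as a noun phrase rather than stating the effect. Since this checkbox is what turns a manual run into a registry push, spell out the consequence and the default: `description: Push the built images to the container registries (unticked = build only)`.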
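Review bot: The job output added in the hunk at line 37 is named `publish-images` while the dispatch input at line 13 and the reusable-workflow input it feeds in the hunks at lines 428, 456 and 510 are all `publish-image`; a mis-typed `needs.checks.outputs.*` lookup does not fail, it resolves to an empty string, and the `== 'true'` comparison then silently turns into "never publish". Using one spelling end to end removes that trap: `publish-image: ${{ steps.vars.outputs.publish }}` here and `needs.checks.outputs.publish-image == 'true'` at the three call sites.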
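Review bot: The `workflow_dispatch` branch of the `publish` decision in the hunk at line 76 carries no ref condition, while the automatic branch keeps `! startsWith(github.ref, 'refs/heads/release-')` and excludes pull requests; a manual run started with the box ticked from any branch, `release-*` or a feature branch, therefore publishes, with tags derived from that ref by the `meta` step. If that widening is intended it belongs in the input description; if not, carry the guard over: `if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image && ! startsWith(github.ref, 'refs/heads/release-') }}; then`. As a point of style, each expression here is rendered into the shell script and executed as a command (`if true; then`), which works only because every operand is a boolean; the same decision can be computed as one expression in the job's `outputs:` block without routing template output through the shell, which also keeps actionlint-style checks quiet.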
@@ -413,13 +427,13 @@ jobs:
 
   build-docker:
     name: Build Docker OSS
-    needs: [checks, smoke-tests]
+    needs: [checks, smoke-results]
     strategy:
       fail-fast: false
       matrix:
         image: [debian, alpine]
         platforms:
-          ["linux/arm", "linux/arm64, linux/amd64, linux/ppc64le", "linux/s390x"]
+          ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
         include:
           - image: ubi
             platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
@@ -428,6 +442,7 @@ jobs:
       platforms: ${{ matrix.platforms }}
       image: ${{ matrix.image }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       actions: read
@@ -438,7 +453,7 @@ jobs:
 
   build-docker-plus:
     name: Build Docker Plus
-    needs: [checks, build-docker, release-notes]
+    needs: [checks, smoke-results, release-notes]
     strategy:
       fail-fast: false
       matrix:
@@ -456,6 +471,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       security-events: write
@@ -464,7 +480,7 @@ jobs:
 
   build-docker-nap:
     name: Build Docker NAP
-    needs: [checks, build-docker-plus, release-notes]
+    needs: [checks, smoke-results, release-notes]
     strategy:
       fail-fast: false
       matrix:
@@ -501,7 +517,6 @@ jobs:
             target: goreleaser
             platforms: "linux/amd64"
             nap_modules: waf
-
     uses: ./.github/workflows/build-plus.yml
     with:
       platforms: ${{ matrix.platforms }}
@@ -510,6 +525,7 @@ jobs:
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       security-events: write
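Review bot: The three image-build jobs in the hunks at lines 413, 438 and 464 now gate on `smoke-results` instead of the `smoke-tests` matrix (and, for Plus and NAP, instead of the preceding build job), so the publishing builds depend on that single job's conclusion. `smoke-results` is outside the hunk; if it is an aggregating job that runs under `if: always()` to report on the matrix, confirm it exits non-zero when any smoke-test shard failed, otherwise a failed smoke test no longer blocks `publish-image: true` in the hunks at lines 428, 456 and 510. A one-line comment above the first `needs:` naming that contract, e.g. `# smoke-results fails when any smoke-tests shard fails; builds must not run otherwise`, would make the dependency auditable.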
@@ -604,7 +620,7 @@ jobs:
   gcp-marketplace:
     name: Trigger PR for GCP Marketplace
     runs-on: ubuntu-22.04
-    needs: [checks, publish-helm]
+    needs: [checks, build-docker-plus, build-docker-nap]
     steps:
       - name:
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
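Review bot: `gcp-marketplace` in the hunk at line 604 now depends on `build-docker-plus` and `build-docker-nap`, both of which run on every event — pull requests and non-publishing manual runs included, with `publish-image` false — rather than on `publish-helm`. The job's own `if:` is outside the hunk; unless it restricts the trigger to a release or publishing run, the github-script step that opens the marketplace PR will fire from runs that pushed nothing. A guard tied to the same decision as the images, `if: ${{ needs.checks.outputs.publish-images == 'true' }}` (adjusted to whatever this job actually needs), keeps the downstream PR aligned with what was published; note also that the step at the bottom of the hunk has an empty `name:`, which should be filled in so the job log names it.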