# Copyright 2023 The Janus IDP Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: PR Build operator, bundle, and catalog images on: # /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below # may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets. # As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets, # we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment # will prevent the job from running until it's approved manually by human intervention. pull_request_target: types: [opened, synchronize, reopened, ready_for_review] branches: - main - rhdh-1.[0-9]+ - 1.[0-9]+.x concurrency: group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }} cancel-in-progress: true env: REGISTRY: quay.io jobs: authorize: # The 'external' environment is configured with the odo-maintainers team as required reviewers. # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks. # see list of approvers in OWNERS file environment: ${{ (github.event.pull_request.head.repo.full_name == github.repository || contains(fromJSON('["gazarenkov","jianrongzhang89","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }} runs-on: ubuntu-latest steps: - name: approved run: | echo "✓" pr-build: name: PR Publish runs-on: ubuntu-latest needs: authorize permissions: contents: read packages: write pull-requests: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} # check changes in this commit for regex include and exclude matches; pipe to an env var - name: Check for changes to build run: | # don't fail if nothing returned by grep set +e CHANGES="$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | \ grep -E "workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go|docker/|\.dockerignore" | \ grep -v -E ".+_test.go|/.rhdh/")"; echo "Changed files for this commit:" echo "==============================" echo "$CHANGES" echo "==============================" { echo 'CHANGES<> "$GITHUB_ENV" - name: Setup Go # run this stage only if there are changes that match the includes and not the excludes if: ${{ env.CHANGES != '' }} uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5 with: go-version-file: 'go.mod' - name: Get the last commit short SHA of the PR # run this stage only if there are changes that match the includes and not the excludes if: ${{ env.CHANGES != '' }} run: | SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }}) echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //") # 0.0.1 echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV - name: Login to quay.io # run this stage only if there are changes that match the includes and not the excludes if: ${{ env.CHANGES != '' }} uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 with: registry: ${{ env.REGISTRY }} username: ${{ vars.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - name: Build and push operator, bundle, and catalog images # run this stage only if there are changes that match the includes and not the excludes if: ${{ env.CHANGES != '' }} run: | # install skopeo, podman sudo apt-get -y update; sudo apt-get -y install skopeo podman export CONTAINER_ENGINE=podman export VERSION=${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }} set -ex # build 3 container images with a 14d expiry CONTAINER_ENGINE=${CONTAINER_ENGINE} VERSION=${VERSION} make lint release-build # now copy images from local cache to quay, using 0.0.1-pr-123-f00cafe and 0.0.1-pr-123 tags for image in operator operator-bundle operator-catalog; do podman push quay.io/janus-idp/${image}:${VERSION} -q skopeo --insecure-policy copy --all docker://quay.io/janus-idp/${image}:${VERSION} docker://quay.io/janus-idp/${image}:${VERSION} skopeo --insecure-policy copy --all docker://quay.io/janus-idp/${image}:${VERSION} docker://quay.io/janus-idp/${image}:${VERSION%-*} done - name: Comment image links in PR # run this stage only if there are changes that match the includes and not the excludes if: ${{ env.CHANGES != '' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 with: script: | await github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: 'PR images are available:
  1. https://quay.io/janus-idp/operator:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
  2. https://quay.io/janus-idp/operator-bundle:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
  3. https://quay.io/janus-idp/operator-catalog:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
' })