diff --git a/.github/workflows/publish-gh-image.yml b/.github/workflows/publish-gh-image.yml
index f734c768c..775901441 100644
--- a/.github/workflows/publish-gh-image.yml
+++ b/.github/workflows/publish-gh-image.yml
@@ -1,63 +1,117 @@ name: Create, Scan and Publish KAITO image on: - workflow_run: - workflows: [ "Push image to ACR" ] - types: [ completed ] + workflow_dispatch: + inputs: + release_version: + description: 'tag to be created for this image (i.e. vxx.xx.xx)' + required: true + pull_request: + types: [ closed ] + permissions: + id-token: write contents: write packages: write env: - REGISTRY: ghcr.io GO_VERSION: '1.20' IMAGE_NAME: 'workspace' + REGISTRY: ghcr.io jobs: - publish-images: - if: ${{ github.event.workflow_run.conclusion == 'success' }} + check-tag: + if: >- + github.event_name == 'workflow_dispatch' || + ( + github.event_name == 'pull_request' && + github.event.pull_request.merged == true && + contains(github.event.pull_request.title, 'update manifest and helm charts') + ) runs-on: ubuntu-latest environment: preset-env outputs: - tag: ${{ steps.get-registry.outputs.registry }} + tag: ${{ steps.get-tag.outputs.tag }} + steps: + - name: validate version + if: github.event_name == 'workflow_dispatch' + run: | + echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$' + + - id: get-tag + name: Get tag + run: | + if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then + echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT + else + echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT + fi + + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - id: check-tag + name: Check for Tag + run: | + TAG="${{ steps.get-tag.outputs.tag }}" + if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then + echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT + else + echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT + fi + - name: 'Create tag' + if: steps.check-tag.outputs.create_tag == 'true' + uses: actions/github-script@v7 + with: + script: | + github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 
'refs/tags/${{ steps.get-tag.outputs.tag }}', + sha: context.sha + }) + + build-scan-publish-gh-images: + runs-on: ubuntu-latest + needs: [ check-tag ] + environment: preset-env steps: - id: get-registry run: | # registry must be in lowercase - echo " registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT + echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT - id: get-tag name: Get tag - run: echo "release_tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT + run: | + echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 - ref: ${{ steps.get-tag.outputs.release_tag }} + ref: ${{ needs.check-tag.outputs.tag }} - - name: Login to ${{ env.REGISTRY }} + - name: Login to ${{ steps.get-registry.outputs.registry_repository }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set Image tag - run: | - ver=${{ steps.get-tag.outputs.release_tag }} - echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV - - name: Build image run: | OUTPUT_TYPE=type=registry make docker-build-kaito env: - VERSION: ${{ steps.get-tag.outputs.release_tag }} + VERSION: ${{ needs.check-tag.outputs.tag }} + REGISTRY: ${{ steps.get-registry.outputs.registry_repository }} - - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} + - name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} uses: aquasecurity/trivy-action@master with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} + image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} format: 
'table' exit-code: '1' ignore-unfixed: true @@ -69,13 +123,13 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} run-e2e-gh-image: - needs: [publish-images] + needs: [ check-tag, build-scan-publish-gh-images ] uses: ./.github/workflows/e2e-workflow.yml with: git_sha: ${{ github.sha }} isRelease: true - registry: ${{ steps.get-registry.outputs.registry }} - tag: ${{ steps.get-tag.outputs.release_tag }} + registry: ${{ needs.get-registry.outputs.registry_repository }} + tag: ${{ needs.check-tag.outputs.tag }} secrets: E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} @@ -84,14 +138,14 @@ jobs: E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }} E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }} - create-release: + publish-mcr-image: runs-on: ubuntu-latest environment: preset-env - needs: [run-e2e-gh-image] + needs: [ check-tag, run-e2e-gh-image ] steps: - name: 'Dispatch release tag' uses: peter-evans/repository-dispatch@v3 with: token: ${{ secrets.GITHUB_TOKEN }} - event-type: create-release - client-payload: '{"tag": "v${{ env.IMG_TAG }}"}' + event-type: publish-mcr-image + client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}'
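Review bot: `github.event.pull_request.head.ref` and `github.event.inputs.release_version` are expanded straight into the `run:` scripts of the new `validate version` and `get-tag` steps in `check-tag`, so a crafted branch name or dispatch input becomes shell in a job that holds `contents: write` and `id-token: write`; both values should reach the script through `env:` and be expanded as quoted variables. The validation also covers only the dispatch path and its regex has no leading `^`, so a tag taken from a `release-*` branch is never checked at all, and `tr -d release-` (and `tr -d v` in the build job) deletes a character set rather than a prefix, whereas the removed `${ver#"v"}` form stripped the prefix correctly. The newly added `actions/checkout@v4` and `actions/github-script@v7` are pinned by tag while the existing checkout in the same file is pinned to a commit SHA; pinning the new ones the same way keeps the supply-chain posture consistent. Whether `context.sha` on a `pull_request` closed event is the merged base-branch commit rather than the PR merge ref is worth confirming before `createRef` tags it.
```yaml
      - name: validate version
        if: github.event_name == 'workflow_dispatch'
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
        run: |
          echo "$RELEASE_VERSION" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'

      - id: get-tag
        name: Get tag
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          if [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then
            TAG="$RELEASE_VERSION"
          else
            TAG="${HEAD_REF#release-}"
          fi
          # both paths end up here, so the branch-derived tag is validated too
          echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
      # … unchanged: Checkout, check-tag and Create tag steps …
```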
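Review bot: `registry: ${{ needs.get-registry.outputs.registry_repository }}` names a job `get-registry`, but `get-registry` is a step inside `build-scan-publish-gh-images` and this job's `needs:` lists only `check-tag` and `build-scan-publish-gh-images`, so the expression resolves to empty and the reusable e2e workflow receives no registry. Expose the step as a job output on `build-scan-publish-gh-images` (`outputs: registry_repository: ${{ steps.get-registry.outputs.registry_repository }}` in that job's header, which lies in the earlier hunk) and read `registry: ${{ needs.build-scan-publish-gh-images.outputs.registry_repository }}` here. Separately, `git_sha: ${{ github.sha }}` is passed while the image was built from `ref: ${{ needs.check-tag.outputs.tag }}`, so the e2e run may exercise a different commit than the one the image was built from; presumably the tag's resolved commit was intended, which is worth confirming against the e2e workflow's inputs.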
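Review bot: `client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}'` builds the JSON payload by string interpolation from a value that, on the pull_request path, is derived from a branch name and is not validated upstream; a `"` or `\` in the tag yields a malformed or altered payload for the `publish-mcr-image` dispatch. Let the expression engine do the escaping: `client-payload: '{"tag": ${{ toJSON(needs.check-tag.outputs.tag) }}}'`. The `peter-evans/repository-dispatch@v3` reference on the context line above is tag-pinned, unlike the SHA-pinned checkout and login actions earlier in the file, which may be worth aligning while this job is being reworked.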