feat: gha for building / publishing on pr (#87)

2025-11-07 13:58:03 +00:00 · 2023-02-27 22:32:37 -05:00
parent 14b1b7cb04
commit 1726d182ee
2 changed files with 95 additions and 3 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,8 @@
 name: build-ublue
 on:
-  pull_request_target:
-    types: [labeled]
+  pull_request:
+    types:
+      - labeled
    branches:
      - main
    paths-ignore:
@@ -23,7 +24,7 @@ jobs:
  push-ghcr:
    name: Build and push image
    runs-on: ubuntu-22.04
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-build')
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') || github.event_name != 'pull_request'
    permissions:
      contents: read
      packages: write
@@ -103,6 +104,7 @@ jobs:
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@v2
        id: push
+        if: github.event_name != 'pull_request'
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ github.token }}
@@ -117,9 +119,11 @@ jobs:

      # Sign container
      - uses: sigstore/cosign-installer@main
+        if: github.event_name != 'pull_request'

      # Only needed when running `cosign sign` using a key
      - name: Write signing key to disk
+        if: github.event_name != 'pull_request'
        run: |
          echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
          # DEBUG: get character count of key
@@ -129,12 +133,14 @@ jobs:

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
+        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign container image
+        if: github.event_name != 'pull_request'
        run: |
          cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
        env:
@@ -142,5 +148,22 @@ jobs:
          COSIGN_EXPERIMENTAL: false

      - name: Echo outputs
+        if: github.event_name != 'pull_request'
        run: |
          echo "${{ toJSON(steps.push.outputs) }}"
+
+      - name: Upload Container Export
+        if: github.event_name == 'pull_request'
+        run: |
+          mkdir -p output
+          podman save -o output/image.tar ${{ steps.build_image.outputs.image }}
+          echo "image=${{ steps.build_image.outputs.image }}" >> output/meta
+          echo "tags=${{ steps.build_image.outputs.tags }}" >> output/meta
+      
+      - name: Publish Artifact
+        uses: actions/upload-artifact@v2
+        if: github.event_name == 'pull_request'
+        with:
+          name: output
+          path: output
+
--- a/.github/workflows/pr-publish.yml
+++ b/.github/workflows/pr-publish.yml
@@ -0,0 +1,69 @@
+name: Publish PR builds
+
+on:
+  workflow_run:
+    workflows: ["build-ublue"]
+    types:
+      - completed
+
+env:
+    IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v3.1.0
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "output"
+            })[0];
+            var download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/output.zip', Buffer.from(download.data));
+      - run: unzip output.zip
+
+      - name: Load Container Image
+        id: load_image
+        run: |
+          podman load -i image.tar
+          cat meta >> $GITHUB_OUTPUT
+
+      - name: Lowercase Registry
+        id: registry_case
+        uses: ASzc/change-string-case-action@v5
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      - name: Push To GHCR
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        if: github.event_name != 'pull_request'
+        env:
+          REGISTRY_USER: ${{ github.actor }}
+          REGISTRY_PASSWORD: ${{ github.token }}
+        with:
+          image: ${{ steps.load_image.outputs.image }}
+          tags: ${{ steps.load_image.outputs.tags }}
+          registry: ${{ steps.registry_case.outputs.lowercase }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --disable-content-trust
+