scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-08 06:15:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: gha for building / publishing on pr (#87)

Browse Source
This commit is contained in:
Marco Ceppi
2023-02-27 22:32:37 -05:00
committed by GitHub
parent 14b1b7cb04
commit 1726d182ee
2 changed files with 95 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
.github/workflows/build.yml vendored
View File

@@ -1,7 +1,8 @@
name: build-ublue name: build-ublue
on: on:
pull_request_target: pull_request:
types: [labeled] types:
- labeled
branches: branches:
- main - main
paths-ignore: paths-ignore:
@@ -23,7 +24,7 @@ jobs:
push-ghcr: push-ghcr:
name: Build and push image name: Build and push image
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') if: contains(github.event.pull_request.labels.*.name, 'ok-to-build') || github.event_name != 'pull_request'
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -103,6 +104,7 @@ jobs:
- name: Push To GHCR - name: Push To GHCR
uses: redhat-actions/push-to-registry@v2 uses: redhat-actions/push-to-registry@v2
id: push id: push
if: github.event_name != 'pull_request'
env: env:
REGISTRY_USER: ${{ github.actor }} REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }} REGISTRY_PASSWORD: ${{ github.token }}
@@ -117,9 +119,11 @@ jobs:
# Sign container # Sign container
- uses: sigstore/cosign-installer@main - uses: sigstore/cosign-installer@main
if: github.event_name != 'pull_request'
# Only needed when running `cosign sign` using a key # Only needed when running `cosign sign` using a key
- name: Write signing key to disk - name: Write signing key to disk
if: github.event_name != 'pull_request'
run: | run: |
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
# DEBUG: get character count of key # DEBUG: get character count of key
@@ -129,12 +133,14 @@ jobs:
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v2 uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign container image - name: Sign container image
if: github.event_name != 'pull_request'
run: | run: |
cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} cosign sign --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env: env:
@@ -142,5 +148,22 @@ jobs:
COSIGN_EXPERIMENTAL: false COSIGN_EXPERIMENTAL: false
- name: Echo outputs - name: Echo outputs
if: github.event_name != 'pull_request'
run: | run: |
echo "${{ toJSON(steps.push.outputs) }}" echo "${{ toJSON(steps.push.outputs) }}"
- name: Upload Container Export
if: github.event_name == 'pull_request'
run: |
mkdir -p output
podman save -o output/image.tar ${{ steps.build_image.outputs.image }}
echo "image=${{ steps.build_image.outputs.image }}" >> output/meta
echo "tags=${{ steps.build_image.outputs.tags }}" >> output/meta
- name: Publish Artifact
uses: actions/upload-artifact@v2
if: github.event_name == 'pull_request'
with:
name: output
path: output

69
.github/workflows/pr-publish.yml vendored Normal file
View File

@@ -0,0 +1,69 @@
name: Publish PR builds
on:
workflow_run:
workflows: ["build-ublue"]
types:
- completed
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
upload:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "output"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/output.zip', Buffer.from(download.data));
- run: unzip output.zip
- name: Load Container Image
id: load_image
run: |
podman load -i image.tar
cat meta >> $GITHUB_OUTPUT
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.load_image.outputs.image }}
tags: ${{ steps.load_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust