[containers/*] Publish workflow (#19)

* Add publish pipeline Signed-off-by: Fran Mulero <fmulero@vmware.com>
2022-07-12 18:06:40 +02:00 · 2022-07-12 18:06:40 +02:00 · 6ca2ce1ada
parent 68cadb9205
commit 6ca2ce1ada
5 changed files with 151 additions and 10 deletions
--- a/.github/workflows/cd-scheduled-pipeline.yaml
+++ b/.github/workflows/cd-scheduled-pipeline.yaml
@ -0,0 +1,69 @@
+# Temporary workflow to train publish actions. It will be removed in a close future
+name: Scheduled CD
+on:
+  schedule:
+    - cron: "?/15 * * * *"
+  workflow_dispatch:
+    inputs:
+      container:
+        description: Force VIB publication with this container
+        required: false
+env:
+  CSP_API_URL: https://console.cloud.vmware.com
+  CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
+  VIB_PUBLIC_URL: https://cp.bromelia.vmware.com
+jobs:
+  get-container:
+    runs-on: ubuntu-latest
+    name: Get random container
+    outputs:
+      container: ${{ steps.get-container.outputs.container }}
+      flavors: ${{ steps.get-container.outputs.flavors }}
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Repository
+        with:
+          fetch-depth: 0
+      - id: get-container
+        name: Get random container
+        run: |
+          container_name="${{ github.event.inputs.container }}"
+          if [ -z "$container_name" ]; then
+            containers=(containers/*)
+            random_index=$(( $RANDOM % ${#containers[@]} ))
+            container_name=$(echo "${containers[$random_index]}" | sed "s|containers/||g")
+          fi
+          flavors=(containers/${container_name}/*/*/)
+          flavors_json="["
+          for flavor in "${flavors[@]}"; do
+            tag="$(git log --pretty=tformat:"%s" -n 1 --grep=" release$" --author bitnami-bot@vmware.com --author containers@bitnami.com --author containers-bot@bitnami.com -- ${flavor} | awk '{print $1}')"
+            flavors_json+="{\"path\": \"${flavor}\", \"tag\": \"${tag}\"},"
+          done;
+          flavors_json="${flavors_json/%,/]}"
+
+          echo "::set-output name=container::${container_name}"
+          echo "::set-output name=flavors::${flavors_json}"
+  vib-publish:
+    runs-on: ubuntu-latest
+    needs: get-container
+    name: Publish
+    strategy:
+      fail-fast: false
+      matrix:
+        flavor:  ${{ fromJSON(needs.get-container.outputs.flavors) }}
+    steps:
+      - uses: actions/checkout@v3
+        name: Checkout Repository
+      - uses: vmware-labs/vmware-image-builder-action@main
+        name: Publish ${{ needs.get-container.outputs.container }}
+        with:
+          pipeline: vib-publish.json
+        env:
+          # Path with docker resources
+          VIB_ENV_PATH:  ${{ matrix.flavor.path }}
+          # Container name
+          VIB_ENV_CONTAINER: ${{ needs.get-container.outputs.container }}
+          VIB_ENV_TAG: ${{ matrix.flavor.tag }}
+          VIB_ENV_REGISTRY_URL: ${{ secrets.OCI_REGISTRY_URL }}
+          VIB_ENV_REGISTRY_USERNAME: ${{ secrets.OCI_REGISTRY_USERNAME }}
+          VIB_ENV_REGISTRY_PASSWORD:  ${{ secrets.OCI_REGISTRY_PASSWORD }}
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@ -1,4 +1,4 @@
-name: VIB
+name: CI Pipeline
 on: # rebuild any PRs and main branch changes
  pull_request_target:
    types:
@ -71,11 +71,16 @@ jobs:
      matrix:
        flavor:  ${{ fromJSON(needs.get-container.outputs.flavors) }}
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        name: Checkout Repository
+        # Required to search the latest commit with the tag
        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+      - id: get-tag
+        name: Get latest image tag
+        run: |
+          tag="$(git log --pretty=tformat:"%s" -n 1 --grep=" release$" --author bitnami-bot@vmware.com --author containers@bitnami.com --author containers-bot@bitnami.com --  ${{ matrix.flavor }} | awk '{print $1}')"
+          echo "::set-output name=tag::${tag}"
      - uses: vmware-labs/vmware-image-builder-action@main
        name: Verify ${{ needs.get-container.outputs.container }}
        with:
@ -85,5 +90,4 @@ jobs:
          VIB_ENV_PATH: ${{ matrix.flavor }}
          # Container name
          VIB_ENV_CONTAINER: ${{ needs.get-container.outputs.container }}
-          # TODO: Retrieve version
-          VIB_ENV_TAG: latest
+          VIB_ENV_TAG: ${{ steps.get-tag.outputs.tag }}
--- a/.github/workflows/ci-scheduled-pipeline.yaml
+++ b/.github/workflows/ci-scheduled-pipeline.yaml
@ -1,4 +1,4 @@
-name: Scheduled VIB
+name: Scheduled CI pipeline
 on:
  schedule:
    - cron: "?/15 * * * *"
@ -51,8 +51,6 @@ jobs:
      matrix:
        flavor:  ${{ fromJSON(needs.get-container.outputs.flavors) }}
    steps:
-      - name: Install dependencies
-        run: pip install git-filter-repo==2.34.0
      - uses: actions/checkout@v3
        name: Checkout Repository
      - uses: vmware-labs/vmware-image-builder-action@main
@ -64,4 +62,4 @@ jobs:
          VIB_ENV_PATH:  ${{ matrix.flavor.path }}
          # Container name
          VIB_ENV_CONTAINER: ${{ needs.get-container.outputs.container }}
-          VIB_ENV_TAG: ${{ matrix.flavor.tag }}
+          VIB_ENV_TAG: ${{ matrix.flavor.tag }}
--- a/.github/workflows/sync.yaml
+++ b/.github/workflows/sync.yaml
@ -17,6 +17,8 @@ jobs:
    name: Trigger Containers Synchronization
    runs-on: ubuntu-latest
    steps:
+      - name: Install dependencies
+        run: pip install git-filter-repo==2.34.0
      - name: Checkout bitnami/containers
        uses: actions/checkout@v3
        with:
--- a/.vib/vib-publish.json
+++ b/.vib/vib-publish.json
@ -0,0 +1,68 @@
+{
+  "context": {
+    "resources": {
+      "url": "{SHA_ARCHIVE}",
+      "path": "{VIB_ENV_PATH}"
+    }
+  },
+  "phases": {
+    "package": {
+      "actions": [
+        {
+          "action_id": "container-image-package",
+          "params": {
+            "application": {
+              "details": {
+                "name": "{VIB_ENV_CONTAINER}",
+                "tag": "{VIB_ENV_TAG}"
+              }
+            }
+          }
+        },
+        {
+          "action_id": "container-image-lint",
+          "params": {
+            "threshold": "error"
+          }
+        }
+      ]
+    },
+    "verify": {
+      "actions": [
+        {
+          "action_id": "trivy",
+          "params": {
+            "threshold": "CRITICAL",
+            "vuln_type": [
+              "OS"
+            ],
+            "application": {
+              "kind": "CONTAINER_IMAGE"
+            }
+          }
+        }
+      ]
+    },
+    "publish": {
+      "actions": [
+        {
+          "action_id": "container-image-publish",
+          "params": {
+            "application": {
+              "details": {
+                "name": "{VIB_ENV_CONTAINER}",
+                "tag": "{VIB_ENV_TAG}"
+              }
+            },
+            "repository": {
+              "kind": "OCI",
+              "url": "{VIB_ENV_REGISTRY_URL}",
+              "username": "{VIB_ENV_REGISTRY_USERNAME}",
+              "password":  "{VIB_ENV_REGISTRY_PASSWORD}"
+            }
+          }
+        }
+      ]
+    }
+  }
+}