bitnami-containers/.github/workflows/ci-pipeline.yaml

name: CI Pipeline
on: # rebuild any PRs and main branch changes
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
      - labeled
    branches:
      - main
      - bitnami:main
env:
  CSP_API_URL: https://console.cloud.vmware.com
  CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
  VIB_PUBLIC_URL: https://cp.bromelia.vmware.com
jobs:
  get-container:
    runs-on: ubuntu-latest
    name: Get modified containers
    if: |
      github.event.pull_request.state != 'closed' &&
      (
        (github.event.action == 'labeled' && github.event.label.name == 'verify') ||
        (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'verify'))
      )      
    outputs:
      container: ${{ steps.get-container.outputs.container }}
      result: ${{ steps.get-container.outputs.result }}
      path: ${{ steps.get-container.outputs.path }}
    steps:
      - id: get-container
        name: Get modified containers
        run: |
          # Using the Github API to detect the files changed as git merge-base stops working when the branch is behind
          # and jitterbit/get-changed-files does not support pull_request_target
          URL="https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files"
          files_changed_data=$(curl -s --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' -X GET -G "$URL")
          files_changed="$(echo $files_changed_data | jq -r '.[] | .filename')"
          # Adding || true to avoid "Process exited with code 1" errors
          containers_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)"
          flavors=($(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*/[^/]*/[^/]*" | sort | uniq || true))
          container_name=$(echo "$containers_dirs_changed" | sed "s|bitnami/||g")

          if [[ "${#flavors[@]}" -eq "1" ]]; then
            # Changes done in only one container -> OK
            echo "::set-output name=result::ok"
            echo "::set-output name=container::${container_name}"
            echo "::set-output name=path::${flavors[0]}"
          elif [[ "${#flavors[@]}" -le "0" ]]; then
            # Changes done in the containers/ folder but not inside a container subfolder -> Look for readme changes
            readme_object="$(echo $files_changed_data | jq -r '[ .[] | select(.filename | test("bitnami/[^/]+/README.md"))] | first')"
            if [[ "${readme_object}" == "null" ]]; then
              echo "::set-output name=error::No changes detected in containers. The rest of the tests will be skipped."
              echo "::set-output name=result::skip"
            else
              # Look for the modified branch in Readme content
              branch="$(echo ${readme_object} | jq -r '.patch' | grep -o "([^/]*/[^/]*/Dockerfile)" | sort -u | sed -nr "s|\((.+)/Dockerfile\)|\1|p")"
              if [[ ! -z "${branch}" ]]; then
                echo "::set-output name=result::ok"
                echo "::set-output name=container::${container_name}"
                echo "::set-output name=path::bitnami/${container_name}/${branch}"
              else
                echo "::set-output name=error::No changes detected in containers. The rest of the tests will be skipped."
                echo "::set-output name=result::skip"
              fi
            fi
          else
            # Changes done in more than container -> SKIP
            echo -e "::set-output name=error::Changes detected in more than one container directory:\n${containers_dirs_changed}\nIt is strongly advised to change only one container in a PR. The rest of the tests will be skipped."
            echo "::set-output name=result::skip"
          fi          
      # Using actions/github-scripts because using exit 1 in the script above would not provide any output
      # Source: https://github.community/t/no-output-on-process-completed-with-exit-code-1/123821/3
      - id: show-error
        name: Show error
        if: ${{ steps.get-container.outputs.result == 'fail' }}
        uses: actions/github-script@v3
        with:
          script: |
              core.setFailed('${{ steps.get-container.outputs.error }}')              
  vib-verify:
    runs-on: ubuntu-latest
    needs: get-container
    if: ${{ needs.get-container.outputs.result == 'ok' && contains(github.event.pull_request.labels.*.name, 'verify') }}
    name: Verify
    steps:
      - uses: actions/checkout@v3
        name: Checkout Repository
        # Required to search the latest commit with the tag
        with:
          fetch-depth: 0
      - id: get-tag
        name: Get latest image tag
        run: |
          tag="$(git log --pretty=tformat:"%s" -n 1 --grep=" release$" --author bitnami-bot@vmware.com --author containers@bitnami.com --author containers-bot@bitnami.com --  ${{ needs.get-container.outputs.path }} | awk '{print $1}')"
          echo "::set-output name=tag::${tag}"          
      - uses: vmware-labs/vmware-image-builder-action@main
        name: Verify
        with:
          pipeline: vib-verify.json
        env:
          # Path with docker resources
          VIB_ENV_PATH: ${{ needs.get-container.outputs.path }}
          # Container name
          VIB_ENV_CONTAINER: ${{ needs.get-container.outputs.container }}
          VIB_ENV_TAG: ${{ steps.get-tag.outputs.tag }}
  ci-pr-review:
    runs-on: ubuntu-latest
    needs: vib-verify
    name: Reviewal for automated PRs
    if: |
      always() &&
      github.actor == 'bitnami-bot' &&
      contains(github.event.pull_request.labels.*.name, 'auto-merge')      
    steps:
      # Approves the CI's PR if the 'VIB Verify' job succeeded
      # Approved by the 'github-actions' user. A PR can't be approved by its author
      - name: Approval
        if: ${{ needs.vib-verify.result == 'success' }}
        run: |
          curl --request POST \
          --url https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header 'content-type: application/json' \
          --data '{
            "event": "APPROVE"
            }' \
          --fail          
      # Removes "auto-merge" label and add related agents as reviewers if the 'VIB Verify' job failed
      - name: Manual review required
        if: ${{ needs.vib-verify.result == 'failure' }}
        run: |
          curl --request DELETE \
          --url https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/auto-merge \
          --header 'authorization: Bearer ${{ secrets.BITNAMI_BOT_TOKEN }}' \
          --fail
          curl --request POST \
          --url https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
          --header 'authorization: Bearer ${{ secrets.BITNAMI_BOT_TOKEN }}' \
          --header 'content-type: application/json' \
          --data '{
            "body": "There has been an error during the automated release process. Manual revision is now required."
            }' \
          --fail
          curl --request POST \
          --url https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers \
          --header 'authorization: Bearer ${{ secrets.BITNAMI_BOT_TOKEN }}' \
          --header 'content-type: application/json' \
          --data '{
            "reviewers": ["fmulero"]
            }' \
          --fail