Publish the certsuite
image (latest release only)
#804
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: 'Publish the `certsuite` image (latest release only)' | |
"on": | |
# Run the workflow when a new release gets published | |
release: | |
types: [published] | |
# Run the workflow every day at 5 am UTC (1 am EST, 7am CET) | |
# This is useful for keeping the image up-to-date with security | |
# patches provided in the UBI. | |
# Disclaimer: There is no guarantee that scheduled workflows will | |
# run at the predefined time, if at all. The delay is usually | |
# around 10-30 minutes. | |
schedule: | |
- cron: '0 5 * * *' | |
workflow_dispatch: | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: bash | |
env: | |
REGISTRY: quay.io | |
REGISTRY_LOCAL: localhost | |
CERTSUITE_IMAGE_NAME: redhat-best-practices-for-k8s/certsuite | |
CERTSUITE_IMAGE_NAME_LEGACY: testnetworkfunction/cnf-certification-test | |
IMAGE_TAG: latest | |
CERTSUITE_CONTAINER_CLIENT: docker | |
CERTSUITE_NON_INTRUSIVE_ONLY: false | |
CERTSUITE_ALLOW_PREFLIGHT_INSECURE: false | |
CERTSUITE_CONFIG_DIR: /tmp/tnf/config | |
CERTSUITE_SRC_URL: 'https://github.com/${{ github.repository }}' | |
PROBE_IMAGE_REPO: redhat-best-practices-for-k8s/certsuite-probe | |
PROBE_IMAGE_SRC_URL: 'https://github.com/${PROBE_IMAGE_REPO}' | |
jobs: | |
test-and-push-tnf-image-main: | |
name: 'Test and push the `certsuite` image' | |
runs-on: ubuntu-22.04 | |
env: | |
SHELL: /bin/bash | |
KUBECONFIG: '/home/runner/.kube/config' | |
PFLT_DOCKERCONFIG: '/home/runner/.docker/config' | |
CURRENT_VERSION_GENERIC_BRANCH: main | |
CERTSUITE_VERSION: "" | |
PROBE_IMAGE_VERSION: "" | |
steps: | |
- name: Write temporary docker file | |
run: | | |
mkdir -p /home/runner/.docker | |
touch ${PFLT_DOCKERCONFIG} | |
echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} | |
- name: Checkout generic working branch of the current version | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.CURRENT_VERSION_GENERIC_BRANCH }} | |
fetch-depth: '0' | |
- name: Get the latest TNF version from GIT | |
run: | | |
GIT_RELEASE=$(git tag --points-at HEAD | head -n 1) | |
GIT_PREVIOUS_RELEASE=$(git tag --no-contains HEAD --sort=v:refname | tail -n 1) | |
GIT_LATEST_RELEASE=$GIT_RELEASE | |
if [ -z "$GIT_RELEASE" ]; then | |
GIT_LATEST_RELEASE=$GIT_PREVIOUS_RELEASE | |
fi | |
echo "version_number=$GIT_LATEST_RELEASE" >> $GITHUB_OUTPUT | |
id: set_certsuite_version | |
- name: Print the latest TNF version from GIT | |
run: | | |
echo Version tag: ${{ steps.set_certsuite_version.outputs.version_number }} | |
- name: Get contents of the version.json file | |
run: echo "json=$(cat version.json | tr -d '[:space:]')" >> $GITHUB_OUTPUT | |
id: get_version_json_file | |
- name: Get the probe version number from file | |
run: | | |
echo Probe version tag: $VERSION_FROM_FILE_PROBE | |
echo "probe_version_number=$VERSION_FROM_FILE_PROBE" >> $GITHUB_OUTPUT | |
id: set_probe_version | |
env: | |
VERSION_FROM_FILE_PROBE: ${{ fromJSON(steps.get_version_json_file.outputs.json).debugTag }} | |
- name: Update env variables | |
run: | | |
echo "CERTSUITE_VERSION=${{ steps.set_certsuite_version.outputs.version_number }}" >> $GITHUB_ENV | |
echo "PROBE_IMAGE_VERSION=${{ steps.set_probe_version.outputs.probe_version_number }}" >> $GITHUB_ENV | |
- name: Ensure $CERTSUITE_VERSION and $IMAGE_TAG are set | |
run: '[[ -n "$CERTSUITE_VERSION" ]] && [[ -n "$IMAGE_TAG" ]] && [[ -n "$PROBE_IMAGE_VERSION" ]]' | |
- name: Check whether the version tag exists on remote | |
run: git ls-remote --exit-code $CERTSUITE_SRC_URL refs/tags/$CERTSUITE_VERSION | |
- name: (if tag is missing) Display debug message | |
if: ${{ failure() }} | |
run: echo "Tag '$CERTSUITE_VERSION' does not exist on remote $CERTSUITE_SRC_URL" | |
- name: Check whether the version tag exists on remote | |
run: git ls-remote --exit-code ${{ env.PROBE_IMAGE_SRC_URL }} refs/tags/$PROBE_IMAGE_VERSION | |
- name: (if debugTag is missing) Display debug message | |
if: ${{ failure() }} | |
run: echo "Tag '$PROBE_IMAGE_VERSION' does not exist on remote $PROBE_IMAGE_SRC_URL" | |
- name: Checkout the version tag | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.CERTSUITE_VERSION }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# Push the new TNF image to Quay.io. | |
- name: Authenticate against Quay.io | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{ env.REGISTRY }} | |
# Use a Robot Account to authenticate against Quay.io | |
# https://docs.quay.io/glossary/robot-accounts.html | |
username: ${{ secrets.QUAY_ROBOT_USERNAME_K8S }} | |
password: ${{ secrets.QUAY_ROBOT_TOKEN_K8S }} | |
- name: Build and push the TNF image for multi-arch | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: . | |
file: Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
tags: | | |
${{ env.REGISTRY }}/${{env.CERTSUITE_IMAGE_NAME}}:${{ env.CERTSUITE_VERSION }} | |
${{ env.REGISTRY }}/${{env.CERTSUITE_IMAGE_NAME}}:${{ env.IMAGE_TAG }} | |
- name: If failed to create the image, send alert msg to dev team. | |
if: ${{ failure() }} | |
uses: ./.github/actions/slack-webhook-sender | |
with: | |
message: 'Failed to create official container image manifest version ${{ env.CERTSUITE_VERSION }}' | |
slack_webhook: '${{ secrets.SLACK_ALERT_WEBHOOK_URL }}' | |
test-and-push-tnf-image-legacy: | |
name: 'Test and push the `cnf-certification-test` image (legacy)' | |
runs-on: ubuntu-22.04 | |
env: | |
SHELL: /bin/bash | |
KUBECONFIG: '/home/runner/.kube/config' | |
PFLT_DOCKERCONFIG: '/home/runner/.docker/config' | |
CURRENT_VERSION_GENERIC_BRANCH: main | |
CERTSUITE_VERSION: "" | |
PROBE_IMAGE_VERSION: "" | |
steps: | |
- name: Write temporary docker file | |
run: | | |
mkdir -p /home/runner/.docker | |
touch ${PFLT_DOCKERCONFIG} | |
echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} | |
- name: Checkout generic working branch of the current version | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.CURRENT_VERSION_GENERIC_BRANCH }} | |
fetch-depth: '0' | |
- name: Get the latest TNF version from GIT | |
run: | | |
GIT_RELEASE=$(git tag --points-at HEAD | head -n 1) | |
GIT_PREVIOUS_RELEASE=$(git tag --no-contains HEAD --sort=v:refname | tail -n 1) | |
GIT_LATEST_RELEASE=$GIT_RELEASE | |
if [ -z "$GIT_RELEASE" ]; then | |
GIT_LATEST_RELEASE=$GIT_PREVIOUS_RELEASE | |
fi | |
echo "version_number=$GIT_LATEST_RELEASE" >> $GITHUB_OUTPUT | |
id: set_certsuite_version | |
- name: Print the latest TNF version from GIT | |
run: | | |
echo Version tag: ${{ steps.set_certsuite_version.outputs.version_number }} | |
- name: Get contents of the version.json file | |
run: echo "json=$(cat version.json | tr -d '[:space:]')" >> $GITHUB_OUTPUT | |
id: get_version_json_file | |
- name: Get the probe version number from file | |
run: | | |
echo Probe version tag: $VERSION_FROM_FILE_PROBE | |
echo "probe_version_number=$VERSION_FROM_FILE_PROBE" >> $GITHUB_OUTPUT | |
id: set_probe_version | |
env: | |
VERSION_FROM_FILE_PROBE: ${{ fromJSON(steps.get_version_json_file.outputs.json).debugTag }} | |
- name: Update env variables | |
run: | | |
echo "CERTSUITE_VERSION=${{ steps.set_certsuite_version.outputs.version_number }}" >> $GITHUB_ENV | |
echo "PROBE_IMAGE_VERSION=${{ steps.set_probe_version.outputs.probe_version_number }}" >> $GITHUB_ENV | |
- name: Ensure $CERTSUITE_VERSION and $IMAGE_TAG are set | |
run: '[[ -n "$CERTSUITE_VERSION" ]] && [[ -n "$IMAGE_TAG" ]] && [[ -n "$PROBE_IMAGE_VERSION" ]]' | |
- name: Check whether the version tag exists on remote | |
run: git ls-remote --exit-code $CERTSUITE_SRC_URL refs/tags/$CERTSUITE_VERSION | |
- name: (if tag is missing) Display debug message | |
if: ${{ failure() }} | |
run: echo "Tag '$CERTSUITE_VERSION' does not exist on remote $CERTSUITE_SRC_URL" | |
- name: Check whether the version tag exists on remote | |
run: git ls-remote --exit-code ${{ env.PROBE_IMAGE_SRC_URL }} refs/tags/$PROBE_IMAGE_VERSION | |
- name: (if debugTag is missing) Display debug message | |
if: ${{ failure() }} | |
run: echo "Tag '$PROBE_IMAGE_VERSION' does not exist on remote $PROBE_IMAGE_SRC_URL" | |
- name: Checkout the version tag | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ env.CERTSUITE_VERSION }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# Push the new TNF image to Quay.io. | |
- name: Authenticate against Quay.io | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{ env.REGISTRY }} | |
# Use a Robot Account to authenticate against Quay.io | |
# https://docs.quay.io/glossary/robot-accounts.html | |
username: ${{ secrets.QUAY_ROBOT_USERNAME }} | |
password: ${{ secrets.QUAY_ROBOT_TOKEN }} | |
- name: Build and push the TNF image for multi-arch | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: . | |
file: Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
tags: | | |
${{ env.REGISTRY }}/${{env.CERTSUITE_IMAGE_NAME_LEGACY}}:${{ env.CERTSUITE_VERSION }} | |
${{ env.REGISTRY }}/${{env.CERTSUITE_IMAGE_NAME_LEGACY}}:${{ env.IMAGE_TAG }} | |
- name: If failed to create the image, send alert msg to dev team. | |
if: ${{ failure() }} | |
uses: ./.github/actions/slack-webhook-sender | |
with: | |
message: 'Failed to create official container image manifest version ${{ env.CERTSUITE_VERSION }}' | |
slack_webhook: '${{ secrets.SLACK_ALERT_WEBHOOK_URL }}' |