diff --git a/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml b/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml new file mode 100644 index 000000000000..ec39e27d2735 --- /dev/null +++ b/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml @@ -0,0 +1,48 @@ +name: Build and Push acceptance gss compose images + +on: + pull_request + +jobs: + tags: + runs-on: ubuntu-latest + outputs: + time_tag: ${{ steps.vars.outputs.TIME_TAG }} + steps: + - + name: Set TAG value + id: vars + run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT + + acceptance-kdc-docker: + needs: tags + uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml + with: + tags: | + us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-kdc:${{ needs.tags.outputs.time_tag }} + context: "{{defaultContext}}:pkg/acceptance/compose/gss/kdc" + secrets: + gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }} + gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }} + + acceptance-psql-docker: + needs: tags + uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml + with: + tags: | + us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-psql:${{ needs.tags.outputs.time_tag }} + context: "{{defaultContext}}:pkg/acceptance/compose/gss/psql" + secrets: + gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }} + gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }} + + acceptance-python-docker: + needs: tags + uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml + with: + tags: | + us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-python:${{ needs.tags.outputs.time_tag }} + context: "{{defaultContext}}:pkg/acceptance/compose/gss/python" + secrets: + gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }} + gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }} diff --git a/.github/workflows/gar-workflows-build-push-acceptance-image.yml b/.github/workflows/gar-workflows-build-push-acceptance-image.yml new file mode 100644 index 000000000000..9828b885f23d --- /dev/null +++ b/.github/workflows/gar-workflows-build-push-acceptance-image.yml @@ -0,0 +1,25 @@ +name: Build and Push acceptance image + +on: + pull_request + +jobs: + tags: + runs-on: ubuntu-latest + outputs: + time_tag: ${{ steps.vars.outputs.TIME_TAG }} + steps: + - + name: Set TAG value + id: vars + run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT + docker: + needs: tags + uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml + with: + tags: | + us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance:${{ needs.tags.outputs.time_tag }} + context: "{{defaultContext}}:pkg/acceptance/testdata" + secrets: + gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }} + gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }} diff --git a/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml b/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml new file mode 100644 index 000000000000..e5b042ab4812 --- /dev/null +++ b/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml @@ -0,0 +1,26 @@ +name: Build and Push bazel-builder image + +on: + pull_request + +jobs: + tags: + runs-on: ubuntu-latest + outputs: + time_tag: ${{ steps.vars.outputs.TIME_TAG }} + steps: + - + name: Set TAG value + id: vars + run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT + docker: + needs: tags + uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml + with: + tags: | + us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use + us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }} + context: "{{defaultContext}}:build/bazelbuilder" + secrets: + gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }} + gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }} diff --git a/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml b/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml new file mode 100644 index 000000000000..af724eaeeb97 --- /dev/null +++ b/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml @@ -0,0 +1,74 @@ +name: Build and Push Multi-Platform Docker Images +# Note: This workflow is adapted to work with GAR only and specifically `us-east1-docker.pkg.dev` registry. +# If supporting more registries (within GAR) is needed in the future, we can pass the registry as an input from the +# calling workflow. +# To support pushing outside GAR, we will need to support authenticating to other non-google registries. + +on: + workflow_call: + inputs: + tags: + # Example: + # tags: | + # us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use + # us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }} + required: true + type: string + context: + type: string + required: true + secrets: + gcp_wif_provider: + required: true + gcp_wif_service_account: + required: true + +jobs: + reusable-workflow: + runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' + steps: + - + name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + # Below we will build without pushing, then authenticate, then build and push. We do this + # dance because the token will only be valid for one hour and building + pushing might + # take more than one hour. The second build will use the cache so it's not bad. + - + name: Build (but do not push) + uses: docker/build-push-action@v5 + with: + push: false + tags: ${{ inputs.tags }} + platforms: linux/amd64,linux/arm64 + context: ${{ inputs.context }} + - + name: GCP Auth + id: auth + uses: 'google-github-actions/auth@v1' + with: + token_format: access_token + workload_identity_provider: '${{ secrets.gcp_wif_provider }}' + service_account: '${{ secrets.gcp_wif_service_account }}' + access_token_lifetime: 600s # 10 minutes + - + name: Login to Artifact Registry + uses: docker/login-action@v1 + with: + registry: us-east1-docker.pkg.dev + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + - + name: Build (will use cache) and push (using recently generated token above) + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ inputs.tags }} + platforms: linux/amd64,linux/arm64 + context: ${{ inputs.context }}