access rights have changed #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build documentation (site-dev) | |
| env: | |
| PIP_CACHE_DIR: .pip # Configure the PIP cache directory | |
| PUSH_TARGET: img.hephy.pro/examples/howto-kubeconfig-dev | |
| BUILDDIR: ./site | |
| on: | |
| push: | |
| paths: [ src/**.md, .github/workflows/push-workflow-dev-site.yaml, themes/** ] | |
| branches: [ dev-branch ] | |
| # tags: [ "*" ] | |
| jobs: | |
| build-push: | |
| permissions: | |
| id-token: write # needed for signing the images with GitHub OIDC Token **not production ready** | |
| name: "Build & Push docs" | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout source code | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| # Use Flux to publish mkdocs build output as OCI | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # Use Cosign to sign and verify site content as OCI | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| # Cache mkdocs dependencies for faster build time | |
| - name: Cache dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ./.pip | |
| key: ${{ runner.os }}-modules-${{ hashFiles('./requirements.txt') }} | |
| # Install dependencies for build process | |
| - name: Install build dependencies | |
| run: | | |
| make deps | |
| # Build docs | |
| - name: Build mkdocs | |
| run: | | |
| make build BUILDDIR=$BUILDDIR | |
| # Use docker/metadata-action eventually (not used for now) | |
| - id: docker_meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.PUSH_TARGET }} | |
| tags: | | |
| type=sha,format=long | |
| type=semver,pattern={{version}} | |
| #,value=v1.0.0 | |
| - name: Generate build ID | |
| id: prep | |
| run: | | |
| branch=${GITHUB_REF##*/} | |
| sha=${GITHUB_SHA::8} | |
| ts=$(date +%s) | |
| echo "BUILD_ID=${branch}-${sha}-${ts}" >> $GITHUB_OUTPUT | |
| - name: Login to Hephy Harbor | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: img.hephy.pro | |
| username: ${{ secrets.HARBOR_BOT_PUSH_USER }} | |
| password: ${{ secrets.HARBOR_BOT_PASSWORD }} | |
| # Make build published as Flux OCI artifact | |
| - name: Flux push | |
| id: push_html | |
| run: | | |
| flux push artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} --path=$BUILDDIR \ | |
| --source="$(git config --get remote.origin.url)" \ | |
| --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" 2>&1 | tee tmp-digest.out | |
| # Warning: This is not stable, flux CLI output may change | |
| cat tmp-digest.out | |
| DIGEST="$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')" | |
| echo DIGEST=$DIGEST | |
| echo "digest=$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')" >> $GITHUB_OUTPUT | |
| flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \ | |
| --tag ${{ steps.prep.outputs.BUILD_ID }} | |
| flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \ | |
| --tag development | |
| # Sign the docs tag with cosign (keyless/experimental) | |
| - name: Cosign (keyless) | |
| run: cosign sign -y ${{ steps.push_html.outputs.digest }} | |
| env: | |
| COSIGN_EXPERIMENTAL: true |