Check images for an empty image string #376
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test and Release | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened] | |
| branches: [ main ] | |
| jobs: | |
| build-test-release: | |
| name: Build artifacts | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout main branch | |
| uses: actions/checkout@v3 | |
| - name: Checkout PR branch | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| path: "chart-verifier" | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: go.mod | |
| - name: Ensure Modules | |
| working-directory: ./chart-verifier | |
| run: make tidy | |
| - name: Ensure Formatting | |
| working-directory: ./chart-verifier | |
| run: make fmt | |
| - name: Run Linters | |
| working-directory: ./chart-verifier | |
| run: make lint | |
| - name: Build Binary | |
| working-directory: ./chart-verifier | |
| run: make bin | |
| - name: Run tests | |
| working-directory: ./chart-verifier | |
| run: | | |
| # Run go tests | |
| make test | |
| if [[ ! -z $(git status -s) ]] | |
| then | |
| echo "go test - errors running go tests : $(git status -s)" | |
| exit 1 | |
| fi | |
| - name: Set up Python 3.x | |
| uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.9' | |
| - name: Set up Python scripts on PR branch | |
| working-directory: ./chart-verifier | |
| run: | | |
| # set up python requirements and scripts on PR branch | |
| python3 -m venv ve1 | |
| cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd .. | |
| cd scripts && ../ve1/bin/python3 setup.py install && cd .. | |
| - name: Check if only release file in PR | |
| working-directory: ./chart-verifier | |
| id: check_version_in_PR | |
| run: | | |
| # check if release file only is included in PR | |
| ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} | |
| - name: Get Date | |
| id: get-date | |
| run: | | |
| echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | |
| shell: bash | |
| - uses: actions/cache@v2 | |
| id: cache | |
| with: | |
| path: ./chart-verifier/oc | |
| key: ${{ steps.get-date.outputs.date }} | |
| - name: Install oc | |
| working-directory: ./chart-verifier | |
| id: install-oc | |
| run: | | |
| # install oc | |
| curl -sLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz | |
| tar zxvf openshift-client-linux.tar.gz oc | |
| - name: Build the Image | |
| working-directory: ./chart-verifier | |
| id: build_image | |
| run: | | |
| # build a docker image | |
| commit_sha=$(git rev-parse --short HEAD) | |
| ve1/bin/build-and-test --image-name="quay.io/redhat-certification/chart-verifier" --sha-value=$commit_sha --build-only="True"} | |
| - name: Build podman Image | |
| working-directory: ./chart-verifier | |
| id: build_podman_image | |
| run: | | |
| # build a podman image | |
| # sudo apt install qemu-system-x86 | |
| commit_sha=$(git rev-parse --short HEAD) | |
| image_tag="podman-"$commit_sha | |
| echo "use image tag $image_tag" | |
| podman build -t quay.io/redhat-certification/chart-verifier:$image_tag . | |
| echo "podman_image_tag=$image_tag" >> $GITHUB_OUTPUT | |
| - name: Create tarfile | |
| id: create-tarfile | |
| working-directory: ./chart-verifier | |
| run: | | |
| # check if release file only is included in PR | |
| ve1/bin/tar-file --release="test" | |
| - name: Login to oc | |
| working-directory: ./chart-verifier | |
| env: | |
| KUBECONFIG: /tmp/ci-kubeconfig | |
| run: | | |
| # oc login | |
| API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) | |
| gpg --version | |
| curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash | |
| if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then | |
| # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates | |
| # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place. | |
| ./oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} | |
| else | |
| ./oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} | |
| fi | |
| ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER} | |
| - name: Run the tests | |
| working-directory: ./chart-verifier | |
| env: | |
| KUBECONFIG: /tmp/ci-kubeconfig | |
| VERIFIER_IMAGE_TAG: ${{ steps.build_image.outputs.verifier-image-tag }} | |
| VERIFIER_TARBALL_NAME : ${{ steps.create-tarfile.outputs.tarball_full_name }} | |
| PODMAN_IMAGE_TAG : ${{ steps.build_podman_image.outputs.podman_image_tag }} | |
| id: run_test | |
| run: | | |
| # run pytest | |
| ve1/bin/pytest -v --log-cli-level=WARNING --tb=short | |
| - name: Delete Namespace | |
| if: ${{ always() && steps.install-oc.conclusion == 'success' }} | |
| working-directory: ./chart-verifier | |
| env: | |
| KUBECONFIG: /tmp/ci-kubeconfig | |
| run: | | |
| # delete the namespace | |
| API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) | |
| ./oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} | |
| ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }} | |
| - name: Set up Python scripts on main branch | |
| run: | | |
| # set up python requirements and scripts on main branch | |
| echo $(pwd) | |
| python3 -m venv ve1 | |
| cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd .. | |
| cd scripts && ../ve1/bin/python3 setup.py install && cd .. | |
| - name: Check for restricted files and user permissiom | |
| id: check_authorization | |
| run: | | |
| # check for a restricted file and, if found, check user has permissiom | |
| ve1/bin/check-user --api-url=${{ github.event.pull_request._links.self.href }} --user=${{ github.event.pull_request.user.login }} | |
| - name: Check if version updated | |
| id: check_version_updated | |
| if: ${{ steps.check_version_in_PR.outputs.PR_includes_release == 'true' }} | |
| run: | | |
| # check if version file was changed | |
| ve1/bin/release-checker --version=${{ steps.check_version_in_PR.outputs.PR_version }} | |
| - name: Approve PR | |
| id: approve_pr | |
| if: ${{ steps.check_version_updated.outputs.updated == 'true'}} | |
| uses: hmarr/auto-approve-action@v2 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Merge PR | |
| id: merge_pr | |
| if: ${{ steps.check_version_updated.outputs.updated == 'true'}} | |
| uses: pascalgn/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| MERGE_METHOD: squash | |
| MERGE_LABELS: "" | |
| - name: Check for PR merge | |
| if: ${{ steps.check_version_updated.outputs.updated == 'true'}} | |
| run: | | |
| ve1/bin/check-auto-merge --api-url=${{ github.event.pull_request._links.self.href }} | |
| - name: Create the the release | |
| id: create_release | |
| if: ${{ steps.check_version_updated.outputs.updated == 'true'}} | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| tag_name: ${{ steps.check_version_in_PR.outputs.PR_version }} | |
| body: ${{ steps.check_version_in_PR.outputs.PR_release_body }} | |
| files: ${{ steps.check_version_in_PR.outputs.PR_tarball_name }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Wait for image build to complete | |
| # Quay is configured to automatically build our image. This waits | |
| # for it to complete before proceeding successfully. | |
| id: wait_for_image_build | |
| if: ${{ steps.check_version_updated.outputs.updated == 'true'}} | |
| run: | | |
| expectedImage=quay.io/redhat-certification/chart-verifier:${{ steps.check_version_in_PR.outputs.PR_version }} | |
| for i in {1..30}; do | |
| s=60 | |
| echo "Querying Quay for "${expectedImage}" in ${s} seconds..." | |
| sleep $s | |
| skopeo inspect docker://"${expectedImage}" && echo "Image Found!" && exit 0 | |
| done | |
| echo "ERR Image not found in allotted time." | |
| exit 1 | |
| - name: Login to Quay as Bot | |
| id: login_as_bot | |
| if: ${{ steps.wait_for_image_build.outcome == 'success'}} | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| username: ${{ secrets.QUAY_BOT_USERNAME }} | |
| password: ${{ secrets.QUAY_BOT_TOKEN }} | |
| registry: quay.io/redhat-certification | |
| - name: Update latest tag | |
| if: ${{ steps.login_as_bot.outcome == 'success'}} | |
| id: update_latest_tag | |
| # TODO: When we shift to a push-from-this-repo model (instead of Quay build model) | |
| # we should transition this tag workflow to use the digest of the image built here in CI. | |
| run: | | |
| imageReference=quay.io/redhat-certification/chart-verifier | |
| podman pull ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }} | |
| podman tag ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }} ${imageReference}:latest | |
| podman push ${imageReference}:latest |