test-build-testpush.yaml
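---
# Workflow to build Docker image
# Based on openshift.yml (excluding OpenShift deployment)
# This workflow is intended for testing a new deployment to a
# "latest-test" image from a PR, on significant change.
# Article on use of pull_request_target here:
# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
#
# Security model: pull_request_target runs in the context of the base
# repository, so the registry secrets below are available while code from
# the pull request (possibly from a fork) is checked out and built.
# Applying the "deploy test" label is the only approval gate, so the
# workflow must build exactly the commit that was labelled.
#
# NOTE(review): the actions below are referenced by mutable tags
# (@v2, @v4). For a workflow that handles registry credentials, consider
# pinning each one to a full commit SHA.
name: "Run tests, build and push test image"

env:
  APP_NAME: "physrisk-api"
  IMAGE_REGISTRY: "quay.io/os-climate"
  IMAGE_TAGS: ""

# yamllint disable-line rule:truthy
on:
  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
  pull_request_target:
    types: [labeled]

# Least privilege: pull_request_target otherwise grants GITHUB_TOKEN the
# repository's default (often write) scopes. Nothing here needs more than
# read access to repository contents; the push uses the Quay credentials.
permissions:
  contents: read

# yamllint disable rule:line-length
jobs:
  build:
    name: "Build and push to Quay"
    runs-on: ubuntu-latest
    # Run only when the label that was just added is "deploy test".
    # Testing the PR's full label list instead would re-run the build
    # whenever any other label (for example from an auto-labeler) is added
    # while "deploy test" is still present, building whatever is then at
    # the head of the PR.
    if: github.event.label.name == 'deploy test'
    steps:
      # Fail early, before any PR code is fetched, if the registry
      # credentials are not configured. Only the secret names are logged.
      - name: "Check for required secrets"
        uses: actions/github-script@v4
        with:
          script: |
            const secrets = {
              OSC_PHYSRISK_API_QUAY_USER: `${{ secrets.OSC_PHYSRISK_API_QUAY_USER }}`,
              OSC_PHYSRISK_API_QUAY_TOKEN: `${{ secrets.OSC_PHYSRISK_API_QUAY_TOKEN }}`,
            };
            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
              if (value.length === 0) {
                core.error(`Secret "${name}" is not set`);
                return true;
              }
              core.info(`✔️ Secret "${name}" is set`);
              return false;
            });
            if (missingSecrets.length > 0) {
              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
                "You can add it using:\n" +
                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
            }
            else {
              core.info(`✅ All the required secrets are set`);
            }

      - name: "Check out repository"
        uses: actions/checkout@v2
        with:
          # Check out the commit SHA recorded in the triggering event, not
          # the branch name: a branch ref is resolved when the job runs,
          # so commits pushed after the label was applied would be built
          # without having been reviewed.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # Do not leave GITHUB_TOKEN in the local git config, where the
          # PR-controlled build that follows could read it.
          persist-credentials: false

      - name: "Determine app name"
        if: env.APP_NAME == ''
        run: |
          APP_NAME=$(basename "${PWD}")
          # GITHUB_ENV expects NAME=value lines; a bare value is not a
          # valid entry and would not set APP_NAME for later steps.
          echo "APP_NAME=${APP_NAME}" | tee -a "${GITHUB_ENV}"

      # NOTE(review): for pull_request_target events GITHUB_SHA is the
      # last commit on the base branch, not the PR commit being built, so
      # the short-SHA tag does not identify the source of the image.
      - name: "Determine image tags"
        if: env.IMAGE_TAGS == ''
        run: |
          echo "IMAGE_TAGS=latest-test ${GITHUB_SHA::12}" | tee -a "${GITHUB_ENV}"

      # https://github.com/redhat-actions/buildah-build#readme
      # The Dockerfile comes from the pull request, so this step executes
      # contributor-controlled build instructions on the runner.
      - name: "Build from Dockerfile"
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.APP_NAME }}
          tags: ${{ env.IMAGE_TAGS }}
          # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
          # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
          # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
          dockerfiles: |
            ./Dockerfile

      # https://github.com/redhat-actions/push-to-registry#readme
      # The registry credentials are passed only to this step.
      - name: "Push to registry"
        id: push-image
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-image.outputs.image }}
          tags: ${{ steps.build-image.outputs.tags }}
          registry: ${{ env.IMAGE_REGISTRY }}
          username: ${{ secrets.OSC_PHYSRISK_API_QUAY_USER }}
          password: ${{ secrets.OSC_PHYSRISK_API_QUAY_TOKEN }}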