-
Notifications
You must be signed in to change notification settings - Fork 195
319 lines (284 loc) · 11.5 KB
/
on_release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
name: Build and publish to Docker Hub
on:
release:
# job will automatically run after a new "release" is create on github.
types: [published]
jobs:
# this job will build, test and (potentially) push the docker images to docker hub
#
# BUILD PHASE:
# - will auto tag the image according to the release tag / `git describe`.
#
# TEST PHASE:
# - will run an e2e test with a modified docker compose.
# - queries OPA data to check its state matches an expected value.
# - state will match only if OPAL client successfully synced to OPAL server.
# - outputs the docker compose logs to more easily investigate errors.
#
# PUSH PHASE:
# - Runs only if test phase completes with no errors.
# - Pushes images (built at BUILD PHASE) to docker hub.
docker_build_and_publish:
runs-on: ubuntu-latest
env:
github_token: ${{ secrets.TOKEN_GITHUB }}
permissions:
id-token: write
contents: write # 'write' access to repository contents
pull-requests: write # 'write' access to pull requests
steps:
# BUILD PHASE
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker Compose install
run: |
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
- name: Echo version tag
run: |
echo "The version tag that will be published to docker hub is: ${{ github.event.release.tag_name }}"
- name: Build client for testing
id: build_client
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
push: false
target: client
cache-from: type=registry,ref=permitio/opal-client:latest
cache-to: type=inline
load: true
tags: |
permitio/opal-client:test
- name: Build server for testing
id: build_server
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
push: false
target: server
cache-from: type=registry,ref=permitio/opal-server:latest
cache-to: type=inline
load: true
tags: |
permitio/opal-server:test
# TEST PHASE
- name: Create modified docker compose file
run: sed 's/:latest/:test/g' docker/docker-compose-example.yml > docker/docker-compose-test.yml
- name: Bring up stack
run: docker compose -f docker/docker-compose-test.yml up -d
- name: Check if OPA is healthy
run: ./scripts/wait-for.sh -t 60 http://localhost:8181/v1/data/users -- sleep 10 && curl -s "http://localhost:8181/v1/data/users" | jq '.result.bob.location.country == "US"'
- name: Output container logs
run: docker compose -f docker/docker-compose-test.yml logs
# PUSH PHASE
- name: Output local docker images
run: docker image ls --digests | grep opal
# pushes the *same* docker images that were previously tested as part of e2e sanity test.
# each image is pushed with the versioned tag first, if it succeeds the image is pushed with the latest tag as well.
- name: Build & Push client
if: ${{ github.event.release.prerelease == false }}
id: build_push_client_regular
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client
cache-from: type=registry,ref=permitio/opal-client:latest
cache-to: type=inline
tags: |
permitio/opal-client:latest
permitio/opal-client:${{ github.event.release.tag_name }}
- name: Build & Push client (prerelease)
if: ${{ github.event.release.prerelease == true }}
id: build_push_client_prerelease
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client
cache-from: type=registry,ref=permitio/opal-client:latest
cache-to: type=inline
tags: |
permitio/opal-client:${{ github.event.release.tag_name }}
- name: Build client-standalone
if: ${{ github.event.release.prerelease == false }}
id: build_push_client_standalone_regular
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client-standalone
cache-from: type=registry,ref=permitio/opal-client-standalone:latest
cache-to: type=inline
tags: |
permitio/opal-client-standalone:latest
permitio/opal-client-standalone:${{ github.event.release.tag_name }}
- name: Build client-standalone (prerelease)
if: ${{ github.event.release.prerelease == true }}
id: build_push_client_standalone_prerelease
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client-standalone
cache-from: type=registry,ref=permitio/opal-client-standalone:latest
cache-to: type=inline
tags: |
permitio/opal-client-standalone:${{ github.event.release.tag_name }}
- name: Build server
if: ${{ github.event.release.prerelease == false }}
id: build_push_server_regular
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: server
cache-from: type=registry,ref=permitio/opal-server:latest
cache-to: type=inline
tags: |
permitio/opal-server:latest
permitio/opal-server:${{ github.event.release.tag_name }}
- name: Build server (prerelease)
if: ${{ github.event.release.prerelease == true }}
id: build_push_server_prerelease
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: server
cache-from: type=registry,ref=permitio/opal-server:latest
cache-to: type=inline
tags: |
permitio/opal-server:${{ github.event.release.tag_name }}
- name: Build & Push client cedar
if: ${{ github.event.release.prerelease == false }}
id: build_push_client_cedar_regular
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client-cedar
cache-from: type=registry,ref=permitio/opal-client-cedar:latest
cache-to: type=inline
tags: |
permitio/opal-client-cedar:latest
permitio/opal-client-cedar:${{ github.event.release.tag_name }}
- name: Build & Push client cedar (prerelease)
if: ${{ github.event.release.prerelease == true }}
id: build_push_client_cedar_prerelease
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client-cedar
cache-from: type=registry,ref=permitio/opal-client-cedar:latest
cache-to: type=inline
tags: |
permitio/opal-client-cedar:${{ github.event.release.tag_name }}
- name: Build & Push client cedar
id: build_push_client_cedar
uses: docker/build-push-action@v4
with:
file: docker/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
target: client-cedar
cache-from: type=registry,ref=permitio/opal-client-cedar:latest
cache-to: type=inline
tags: |
permitio/opal-client-cedar:latest
permitio/opal-client-cedar:${{ github.event.release.tag_name }}
- name: Python setup
uses: actions/setup-python@v5
with:
python-version: '3.11.8'
# This is the root file representing the package for all the sub-packages.
- name: Bump version - packaging__.py
run: |
# Install required packages
pip install semver packaging
# Get version tag and remove 'v' prefix
version_tag=${{ github.event.release.tag_name }}
version_tag=${version_tag#v}
# Convert semver to PyPI version using the script
pypi_version=$(python smver2pypi.py $version_tag)
# Update only the __version__ in __packaging__.py
sed -i "s/__version__ = VERSION_STRING/__version__ = \"$pypi_version\"/" packages/__packaging__.py
# Print the result for verification
echo "Original version tag: $version_tag"
echo "PyPI version: $pypi_version"
cat packages/__packaging__.py
- name: Cleanup setup.py and Build every sub-packages
run: |
pip install wheel
cd packages/opal-common/ ; rm -rf *.egg-info build/ dist/
python setup.py sdist bdist_wheel
cd ../..
cd packages/opal-client/ ; rm -rf *.egg-info build/ dist/
python setup.py sdist bdist_wheel
cd ../..
cd packages/opal-server/ ; rm -rf *.egg-info build/ dist/
python setup.py sdist bdist_wheel
cd ../..
# Upload package distributions to the release - All assets in one step
- name: Upload assets to release
uses: shogo82148/[email protected]
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: |
packages/opal-common/dist/*
packages/opal-client/dist/*
packages/opal-server/dist/*
# Publish package distributions to PyPI
- name: Publish package distributions to PyPI - Opal-Common
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_TOKEN }}
packages-dir: packages/opal-common/dist/
# For Test only !
# password: ${{ secrets.TEST_PYPI_TOKEN }}
# repository-url: https://test.pypi.org/legacy/
env:
name: pypi
url: https://pypi.org/p/opal-common/
- name: Publish package distributions to PyPI - Opal-Client
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_TOKEN }}
packages-dir: packages/opal-client/dist/
# For Test only !
# password: ${{ secrets.TEST_PYPI_TOKEN }}
# repository-url: https://test.pypi.org/legacy/
env:
name: pypi
url: https://pypi.org/p/opal-client/
- name: Publish package distributions to PyPI - Opal-Server
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_TOKEN }}
packages-dir: packages/opal-server/dist/
# For Test only !
# password: ${{ secrets.TEST_PYPI_TOKEN }}
# repository-url: https://test.pypi.org/legacy/
env:
name: pypi
url: https://pypi.org/p/opal-server/