Skip to content

chore(deps): use pinned image for buildah task #308

chore(deps): use pinned image for buildah task

chore(deps): use pinned image for buildah task #308

Workflow file for this run

name: CICD
env:
# ๐Ÿ–Š๏ธ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
# ๐Ÿ–Š๏ธ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
OPENSHIFT_NAMESPACE: exhort
# ๐Ÿ–Š๏ธ EDIT to set the deployemnt resource data for image update.
OPENSHIFT_DEPLOYMENT_NAME: exhort
OPENSHIFT_CONTAINER_NAME: exhort
# ๐Ÿ–Š๏ธ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: quay.io/ecosystem-appeng
IMAGE_NAME: exhort
IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
REGISTRY_REDHAT_IO_USER: ${{ secrets.REGISTRY_REDHAT_IO_USER }}
REGISTRY_REDHAT_IO_PASSWORD: ${{ secrets.REGISTRY_REDHAT_IO_PASSWORD }}
# ๐Ÿ–Š๏ธ EDIT to change Dockerfile.
DOCKERFILE_PATH: ./src/main/docker/Dockerfile.jvm
on:
push:
branches:
- main
tags:
- '*'
workflow_dispatch:
jobs:
validate_workflow_requirements:
runs-on: ubuntu-latest
if: github.repository == 'RHEcosystemAppEng/exhort'
steps:
- name: Check For Required Secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ env.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ env.OPENSHIFT_TOKEN }}`,
REGISTRY_REDHAT_IO_USER: `${{ env.REGISTRY_REDHAT_IO_USER }}`,
REGISTRY_REDHAT_IO_PASSWORD: `${{ env.REGISTRY_REDHAT_IO_PASSWORD }}`
};
// if image registry is ghcr.io - no registry credentials required, otherwise get registry credentials
if (!`${{ env.IMAGE_REGISTRY }}`.startsWith("ghcr.io")) {
secrets["IMAGE_REGISTRY_USER"] = `${{ env.IMAGE_REGISTRY_USER }}`;
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ env.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`โœ”๏ธ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`โŒ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`โœ… All the required secrets are set`);
}
build_and_push_image:
needs: validate_workflow_requirements
runs-on: ubuntu-latest
outputs:
digest: ${{ steps.push-to-registry.outputs.digest }}
tag: ${{ steps.extract_branch.outputs.tag }}
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Extract tag name
shell: bash
run: |
branch=${GITHUB_REF_NAME}
case ${branch} in
'main') tag='latest' ;;
*) tag=${branch} ;;
esac
echo "tag=${tag}" >> $GITHUB_OUTPUT
id: extract_branch
- name: Setup JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '21'
cache: 'maven'
- name: Build Package with Maven
run: |
./mvnw -B verify
env:
GITHUB_ACTOR: ${{ secrets.GITHUB_ACTOR }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to Red Hat Registry
uses: redhat-actions/podman-login@v1
with:
registry: registry.redhat.io
username: ${{ env.REGISTRY_REDHAT_IO_USER }}
password: ${{ env.REGISTRY_REDHAT_IO_PASSWORD }}
- name: Build Image With buildah
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.extract_branch.outputs.tag }}
dockerfiles: |
${{ env.DOCKERFILE_PATH }}
- name: Push Image To Registry
id: push-to-registry
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USER }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
deploy_to_openshift:
needs: build_and_push_image
runs-on: ubuntu-latest
steps:
- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4
- name: Log In To OpenShift
uses: redhat-actions/oc-login@v1
with:
openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
openshift_token: ${{ env.OPENSHIFT_TOKEN }}
insecure_skip_tls_verify: true
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
- name: Patch Image
run: |
DEPLOYMENT_PATCH=$(printf '{"spec": {"template": {"spec": {"containers": [{"name": "%s", "image": "%s/%s@%s"}]}}}}' ${{ env.OPENSHIFT_CONTAINER_NAME }} ${{ env.IMAGE_REGISTRY }} ${{ env.IMAGE_NAME }} ${{ needs.build_and_push_image.outputs.digest }})
oc patch deployment ${{ env.OPENSHIFT_DEPLOYMENT_NAME }}-${{ needs.build_and_push_image.outputs.tag }} -p "${DEPLOYMENT_PATCH}"
- name: Monitor Deployment Status
run: oc rollout status deployment/${{ env.OPENSHIFT_DEPLOYMENT_NAME }}-${{ needs.build_and_push_image.outputs.tag }}