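---
# ba0fde3d-bee7-4307-b97b-17d0d20aff50
name: Build image

on:
  # NOTE(review): pull_request runs from forks receive no secrets and a
  # read-only GITHUB_TOKEN, so REGISTRY_TOKEN / AWS_ROLE_ARN below are empty
  # there. Confirm the reusable build workflow tolerates that (build-only, no
  # push/sign) rather than failing the PR check.
  pull_request:
  push:
    branches:
      - 'main'
    paths-ignore:
      - '**/README.md'
  workflow_dispatch:
  schedule:
    # run on Saturday at 10:00 UTC
    - cron: '0 10 * * 6'

# Least privilege for GITHUB_TOKEN: without a workflow-level default, jobs that
# declare no `permissions` (set-env, check-update, test-image) inherit the
# repository default, which may be write-all. Jobs that genuinely need more
# (packages / id-token / contents write) re-declare it at job level.
permissions:
  contents: read

concurrency:
  # NOTE(review): github.ref is presumably also set for scheduled runs (default
  # branch), so a scheduled rebuild and a push to main share a group and cancel
  # each other; verify that is acceptable.
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true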
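jobs:
  # Resolves registry / image coordinates from the repo-local composite action
  # and exposes them to every downstream job.
  set-env:
    runs-on: ubuntu-latest
    outputs:
      LATEST_TAG: ${{ steps.set.outputs.LATEST_TAG }}
      REGISTRY: ${{ steps.set.outputs.REGISTRY }}
      REGISTRY_USER: ${{ steps.set.outputs.REGISTRY_USER }}
      PLATFORMS: ${{ steps.set.outputs.PLATFORMS }}
      IMAGE_PATH: ${{ steps.set.outputs.IMAGE_PATH }}
      IMAGE_NAME: ${{ steps.set.outputs.IMAGE_NAME }}
      IMAGE_REF: ${{ steps.set.outputs.IMAGE_REF }}
      IS_SIGNED: ${{ steps.set.outputs.IS_SIGNED }}
    steps:
      - name: Checkout github actions
        # Pinned to a full commit SHA (good) - keep it that way.
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4
      - name: Set environment variables
        uses: ./.github/actions/config
        id: set

  # Scheduled-only: asks the currently published ':latest' image whether dnf
  # has pending updates, so the weekly run rebuilds only when something changed.
  check-update:
    name: Check for updates
    if: github.event_name == 'schedule'
    needs: set-env
    runs-on: ubuntu-latest
    outputs:
      res: ${{ steps.check-update.outputs.res }}
    steps:
      - name: Log in to registry
        shell: bash
        # Secret and registry coordinates are passed via env, not spliced into
        # the script text: `${{ }}` is expanded before bash parses the line, so
        # a value with shell metacharacters would be interpreted, and a
        # `-p <password>` argument is readable in the process list. Log masking
        # does not protect against either.
        env:
          REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
          REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
        run: |
          printf '%s' "$REGISTRY_PASSWORD" | podman login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"
      - name: Check update
        id: check-update
        shell: bash
        env:
          IMAGE_REF: ${{ needs.set-env.outputs.IMAGE_REF }}
        run: |
          # 'dnf check-update' exit codes:
          #   0   - no updates
          #   100 - updates available
          #   125 - tag/platform not found (podman)
          #   127 - command not found
          # Any non-zero code makes the downstream `res != 0` guards run the
          # build, so a missing ':latest' tag (first run) also triggers one.
          res=0
          podman run --quiet --rm "${IMAGE_REF}:latest" dnf check-update || res=$?
          echo "res=${res}" >> "$GITHUB_OUTPUT"
          echo "Exit code: '$res'"

  build-image:
    name: Build image
    # TODO(review): `@v9` is a mutable tag on a third-party repository; pin the
    # reusable workflow to a commit SHA (with the tag as a trailing comment)
    # like actions/checkout above, so the build/sign/push logic cannot change
    # underneath this workflow.
    uses: AlmaLinux/atomic-ci/.github/workflows/build-image.yml@v9
    needs: [set-env, check-update]
    # check-update is skipped outside `schedule`; !failure() && !cancelled()
    # lets this run after a skipped dependency while still stopping on failure.
    if: ${{ !failure() && !cancelled() && (github.event_name != 'schedule' || needs.check-update.outputs.res != 0) }}
    with:
      containerfile: Dockerfile
      image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
      previous-image: "${{ needs.set-env.outputs.IMAGE_REF }}:latest"
      upstream-public-key: atomic-desktop.pub
      platforms: ${{ needs.set-env.outputs.PLATFORMS }}
      skip-maximize-build-space: true
      image-path: ${{ needs.set-env.outputs.IMAGE_PATH }}
      REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
      REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
      image-description: "AlmaLinux Atomic Workstation"
      KMS_KEY_ALIAS: atomicsig
      AWS_REGION: us-east-1
      generate-sbom: true
    secrets:
      REGISTRY_TOKEN: ${{ secrets.QUAY_PASSWORD }}
      AWS_ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/atomicimages
    # id-token: write is what allows the called workflow to mint an OIDC token
    # for AWS_ROLE_ARN (appears to back KMS signing via KMS_KEY_ALIAS);
    # packages: write for pushing the image. Nothing else is granted.
    permissions:
      contents: read
      packages: write
      id-token: write

  # Smoke-tests the freshly built image, addressed by digest rather than tag so
  # the tested artifact is exactly the one that gets promoted.
  test-image:
    name: Test image
    runs-on: ubuntu-latest
    needs: [set-env, check-update, build-image]
    if: ${{ !failure() && !cancelled() && (github.event_name != 'schedule' || needs.check-update.outputs.res != 0) }}
    permissions:
      contents: read
    env:
      IMAGE_REF: "${{ needs.build-image.outputs.image-ref }}@${{ needs.build-image.outputs.digest }}"
    steps:
      - name: Login to Container Registry
        shell: bash
        # Same pattern as check-update: no `${{ }}` inside the script, password
        # only on stdin.
        env:
          REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
          REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
        run: |
          printf '%s' "$REGISTRY_PASSWORD" | podman login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"
      - name: Test container
        shell: bash
        run: |
          # Create a short script to test the image using heredoc
          cat << 'EOF' > /tmp/test.sh
          set -ex
          cat /etc/os-release
          bootc -V
          EOF
          # Script is mounted read-only: the container under test has no
          # business modifying the test it is being judged by.
          podman run --rm \
            -v /tmp/test.sh:/tmp/test.sh:ro \
            "$IMAGE_REF" \
            /bin/bash /tmp/test.sh

  # Re-tags the tested digest on the default branch only; PR builds never reach
  # here. Same mutable-tag pinning caveat as build-image applies to `@v9`.
  promote-image:
    name: Promote image
    needs: [set-env, check-update, build-image, test-image]
    if: ${{ !failure() && !cancelled() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && (github.event_name != 'schedule' || needs.check-update.outputs.res != 0) }}
    uses: AlmaLinux/atomic-ci/.github/workflows/retag-image.yml@v9
    with:
      image: ${{ needs.build-image.outputs.image-ref }}
      digest: ${{ needs.build-image.outputs.digest }}
      tag: |
        ${{ needs.set-env.outputs.LATEST_TAG }}
        ${{ needs.build-image.outputs.major-version }}
        ${{ needs.build-image.outputs.redhat-version-id }}
        ${{ needs.build-image.outputs.version }}
      REGISTRY: ${{ needs.set-env.outputs.REGISTRY }}
      REGISTRY_USER: ${{ needs.set-env.outputs.REGISTRY_USER }}
    secrets:
      REGISTRY_TOKEN: ${{ secrets.QUAY_PASSWORD }}
    permissions:
      packages: write

  # Publishes a GitHub release for the promoted image; the only job that needs
  # contents: write. Same `@v9` pinning caveat.
  create-release:
    name: Create Release
    needs: [set-env, check-update, build-image, test-image, promote-image]
    if: ${{ !failure() && !cancelled() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && (github.event_name != 'schedule' || needs.check-update.outputs.res != 0) }}
    uses: AlmaLinux/atomic-ci/.github/workflows/create-release.yml@v9
    with:
      image-name: "${{ needs.set-env.outputs.IMAGE_NAME }}"
      version: ${{ needs.build-image.outputs.version }}
      pretty-version: ${{ needs.build-image.outputs.redhat-version-id }}
      latest-image-ref: "${{ needs.build-image.outputs.image-ref }}:${{ needs.set-env.outputs.LATEST_TAG }}"
    permissions:
      contents: write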