Skip to content
.github/workflows/build-single-image.yml

Merge branch 'main' into chore/gcr-secrets #33

Sign in to view logs

Merge branch 'main' into chore/gcr-secrets

Merge branch 'main' into chore/gcr-secrets #33

Workflow file for this run

.github/workflows/build-single-image.yml at ef196f4
name: Build single image

Check failure on line 1 in .github/workflows/build-single-image.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/build-single-image.yml

Invalid workflow file 

(Line: 109, Col: 13): The identifier 'secrets' may not be used more than once within the same scope.
run-name: Building gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ github.actor }}-dev/${{ inputs.prefix }}:${{ inputs.tag }} by @${{ github.actor }}
on:
workflow_dispatch:
inputs:
target:
description: 'Image build make target to call'
required: true
type: string
prefix:
description: 'Image prefix to use in GCR, e.g. nginx-ic/nginx-ingress'
required: true
type: string
tag:
description: 'Image tag to use in GCR, e.g. 3.7.0-SNAPSHOT'
required: true
type: string
branch:
description: 'Branch to checkout for build'
required: false
type: string
default: main
plus_repo:
description: 'Plus repo to install from'
required: true
default: 'pkgs.nginx.com'
type: choice
options:
- pkgs.nginx.com
- pkgs-test.nginx.com
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for docker/build-push-action to read repo content
id-token: write # for login to GCP
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
ref: ${{ inputs.branch }}
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
- name: Output Variables
id: vars
run: |
./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$GCR_WORKLOAD_ID"
echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Azure login
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
if: ${{ contains(inputs.target, 'plus') }}
- name: Setup secrets
id: secrets
run: |
echo "Setting secrets for job"
PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$PLUS_CREDS"
IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${CERT}"
echo $CERT > nginx-repo.crt
IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
while read -r line; do
echo "::add-mask::${line}"
done <<< "${KEY}"
echo $KEY > nginx-repo.key
IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
while read -r line; do
echo "::add-mask::${line}"
done <<< "${RHEL_CREDS}"
echo $RHEL_CREDS > rhel_license
if: ${{ contains(inputs.target, 'plus') }}
- name: Fetch Cached Binary Artifacts
id: binary-cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
- name: Build binaries
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
with:
version: latest
args: build --snapshot --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ steps.vars.outputs.go_path }}
GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
- name: Store Artifacts in Cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
- name: Build Image
run: |
make ${{ inputs.target }}
env:
REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
PREFIX: ${{ inputs.prefix }}
TAG: ${{ inputs.tag }}
PLUS_REPO: ${{ inputs.plus_repo }}
TARGET: goreleaser
- name: Push image
run:
docker push ${REGISTRY}/${PREFIX}:${TAG}
env:
REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
PREFIX: ${{ inputs.prefix }}
TAG: ${{ inputs.tag }}
- name: Clean up secrets
run: |
rm -f nginx-repo.crt nginx-repo.key rhel_license
if: always()