release: push scorecard-test-kuttl images on scorecard-kuttl/v* tags (#4633)

.github/workflows/deploy.yml: only run image deploy jobs
for code changes and appropriate tag patterns

docs/contribution/guidelines/releasing.md: add scorecard-test-kuttl
release section

release/Makefile: add scorecard-kuttl tag check to version regexp

Signed-off-by: Eric Stroczynski <[email protected]>

Author: Eric Stroczynski

.github/workflows/deploy.yml

@@ -6,6 +6,7 @@ on:
     - '**'
     tags:
     - 'v*'
+    - 'scorecard-kuttl/v*'
   pull_request:
     branches: [ master ]
 
@@ -14,22 +15,25 @@ jobs:
     name: check_docs_only
     runs-on: ubuntu-18.04
     outputs:
-      should_skip_tests: ${{ steps.check_docs_only.outputs.skip-tests }}
+      is_skip: ${{ steps.check_docs_only.outputs.skip-deploy }}
     steps:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
       - id: check_docs_only
+        # Since PR's are squashed prior to merging to the branch checked out (default branch),
+        # HEAD^ will resolve to the previous point in history.
         run: |
-          REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
-
+          REF="HEAD^"
+          [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+          echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   # Job to test release steps. This will only create a release remotely if run on a tagged commit.
   goreleaser:
     name: goreleaser
     needs: check_docs_only
-    if: needs.check_docs_only.outputs.should_skip_tests != 'true'
+    # Run this job on a tag like 'vX.Y.Z' or on a branch or pull request with code changes.
+    if: startsWith(github.ref, 'refs/tags/v') || ( needs.check_docs_only.outputs.is_skip != 'true' && !startsWith(github.ref, 'refs/tags/') )
     runs-on: ubuntu-18.04
     environment: deploy
     steps:
@@ -51,23 +55,24 @@ jobs:
 
     - name: release
       run: |
-        if [[ $GITHUB_REF != refs/tags/* ]]; then
+        if [[ $GITHUB_REF != refs/tags/v* ]]; then
           export DRY_RUN=1
         fi
         make release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  # Job matrix for image builds.
+  # Job matrix for image builds. Only pushes if a tag with prefix "v" is present.
   images:
     name: images
     needs: check_docs_only
-    if: needs.check_docs_only.outputs.should_skip_tests != 'true'
+    # Run this job on a tag like 'vX.Y.Z' or on a branch or pull request with code changes.
+    if: startsWith(github.ref, 'refs/tags/v') || ( needs.check_docs_only.outputs.is_skip != 'true' && !startsWith(github.ref, 'refs/tags/') )
     runs-on: ubuntu-18.04
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "ansible-operator", "helm-operator", "scorecard-test", "scorecard-test-kuttl"]
+        id: ["operator-sdk", "ansible-operator", "helm-operator", "scorecard-test"]
     steps:
 
     - name: set up qemu
@@ -84,35 +89,69 @@ jobs:
         password: ${{ secrets.QUAY_PASSWORD }}
         registry: quay.io
 
+    # Check out repo before tag step for script.
+    - name: checkout
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
     - name: create tags
       id: tags
       run: |
         IMG=quay.io/${{ github.repository_owner }}/${{ matrix.id }}
-        if [[ $GITHUB_REF == refs/tags/* ]]; then
-          TAG=${GITHUB_REF#refs/tags/}
-          MAJOR_MINOR=${TAG%.*}
-          echo ::set-output name=tags::${IMG}:${TAG},${IMG}:${MAJOR_MINOR}
-
-        elif [[ $GITHUB_REF == refs/heads/* ]]; then
-          TAG=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-          echo ::set-output name=tags::${IMG}:${TAG}
-
-        elif [[ $GITHUB_REF == refs/pull/* ]]; then
-          TAG=pr-${{ github.event.number }}
-          echo ::set-output name=tags::${IMG}:${TAG}
-        fi
+        echo ::set-output name=tags::$(.github/workflows/get_image_tags.sh "$IMG" "v")
+
+    - name: build and push
+      uses: docker/build-push-action@v2
+      with:
+        file: ./images/${{ matrix.id }}/Dockerfile
+        context: .
+        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+        push: ${{ (github.event_name != 'pull_request' && (startsWith(github.ref, 'refs/tags/') || github.ref == format('refs/heads/{0}', github.event.repository.default_branch) )) }}
+        tags: ${{ steps.tags.outputs.tags }}
+
+  # scorecard-test-kuttl image build job. Only pushes if a tag with prefix "scorecard-kuttl/v" is present.
+  image-scorecard-test-kuttl:
+    name: image-scorecard-test-kuttl
+    needs: check_docs_only
+    # Run this job on a tag like 'scorecard-kuttl/vX.Y.Z' or on a branch or pull request with code changes.
+    if: startsWith(github.ref, 'refs/tags/scorecard-kuttl/v') || ( needs.check_docs_only.outputs.is_skip != 'true' && !startsWith(github.ref, 'refs/tags/') )
+    runs-on: ubuntu-18.04
+    environment: deploy
+    steps:
 
+    - name: set up qemu
+      uses: docker/setup-qemu-action@v1
+
+    - name: set up buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: quay.io login
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.QUAY_USERNAME }}
+        password: ${{ secrets.QUAY_PASSWORD }}
+        registry: quay.io
+
+    # Check out repo before tag step for script.
     - name: checkout
       uses: actions/checkout@v2
       with:
         fetch-depth: 0
 
+    - name: create tags
+      id: tags
+      run: |
+        IMG=quay.io/${{ github.repository_owner }}/scorecard-test-kuttl
+        echo ::set-output name=tags::$(.github/workflows/get_image_tags.sh "$IMG" "scorecard-kuttl/v")
+
     - name: build and push
       uses: docker/build-push-action@v2
       with:
-        file: ./images/${{ matrix.id }}/Dockerfile
+        file: ./images/scorecard-test-kuttl/Dockerfile
         context: .
         # s390x is not supported by the scorecard-test-kuttl base image.
-        platforms: linux/amd64,linux/arm64,linux/ppc64le${{ matrix.id != 'scorecard-test-kuttl' && ',linux/s390x' || '' }}
+        platforms: linux/amd64,linux/arm64,linux/ppc64le
         push: ${{ (github.event_name != 'pull_request' && (startsWith(github.ref, 'refs/tags/') || github.ref == format('refs/heads/{0}', github.event.repository.default_branch) )) }}
         tags: ${{ steps.tags.outputs.tags }}

.github/workflows/get_image_tags.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+IMG="$1"
+TAG_PREFIX="$2"
+
+: ${IMG:?"\$1 must be set to an image tag"}
+: ${TAG_PREFIX:?"\$2 must be set to some tag prefix to pass to refs/tags/{prefix}*"}
+: ${GITHUB_REF:?"GITHUB_REF must be set to a git 'refs/' path in the environment (typically set by the Actions runner)"}
+
+if [[ $GITHUB_REF == refs/tags/${TAG_PREFIX}* ]]; then
+  # Release tags.
+  TAG="${GITHUB_REF#refs/tags/${TAG_PREFIX}}"
+  # Prepend "v" if removed by the above variable operation, since $TAG should always be semver.
+  [[ $TAG == v* ]] || TAG="v${TAG}"
+  MAJOR_MINOR="${TAG%.*}"
+  echo "${IMG}:${TAG},${IMG}:${MAJOR_MINOR}"
+
+elif [[ $GITHUB_REF == refs/tags/* ]]; then
+  # Any other tag, which will not be pushed.
+  TAG="$(echo "${GITHUB_REF#refs/tags/}" | sed -r 's|/+|-|g')-local"
+  echo "${IMG}:${TAG}"
+
+elif [[ $GITHUB_REF == refs/heads/* ]]; then
+  # Branch build.
+  TAG="$(echo "${GITHUB_REF#refs/heads/}" | sed -r 's|/+|-|g')"
+  echo "${IMG}:${TAG}"
+
+elif [[ $GITHUB_REF == refs/pull/* ]]; then
+  # PR build.
+  TAG="pr-$(echo "${GITHUB_REF}" | sed -E 's|refs/pull/([^/]+)/?.*|\1|')"
+  echo "${IMG}:${TAG}"
+fi

.github/workflows/integration.yml

@@ -13,9 +13,12 @@ jobs:
         with:
           fetch-depth: 0
       - id: check_docs_only
+        # Since PR's are squashed prior to merging to the branch checked out (default branch),
+        # HEAD^ will resolve to the previous point in history.
         run: |
-          REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
+          REF="HEAD^"
+          [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+          echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   integration:
     name: integration

.github/workflows/test-ansible.yml

@@ -13,9 +13,12 @@ jobs:
         with:
           fetch-depth: 0
       - id: check_docs_only
+        # Since PR's are squashed prior to merging to the branch checked out (default branch),
+        # HEAD^ will resolve to the previous point in history.
         run: |
-          REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
+          REF="HEAD^"
+          [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+          echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   e2e:
     name: e2e

.github/workflows/test-go.yml

@@ -13,9 +13,12 @@ jobs:
         with:
           fetch-depth: 0
       - id: check_docs_only
+        # Since PR's are squashed prior to merging to the branch checked out (default branch),
+        # HEAD^ will resolve to the previous point in history.
         run: |
-          REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
+          REF="HEAD^"
+          [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+          echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   e2e:
     name: e2e

.github/workflows/test-helm.yml

@@ -13,9 +13,12 @@ jobs:
         with:
           fetch-depth: 0
       - id: check_docs_only
+        # Since PR's are squashed prior to merging to the branch checked out (default branch),
+        # HEAD^ will resolve to the previous point in history.
         run: |
-          REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-          echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
+          REF="HEAD^"
+          [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+          echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   e2e:
     name: e2e

.github/workflows/test-sanity.yml

@@ -13,9 +13,12 @@ jobs:
       with:
         fetch-depth: 0
     - id: check_docs_only
+      # Since PR's are squashed prior to merging to the branch checked out (default branch),
+      # HEAD^ will resolve to the previous point in history.
       run: |
-        REPO_MASTER_REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
-        echo "::set-output name=skip-tests::$(hack/ci/check-doc-only-update.sh $REPO_MASTER_REF)"
+        REF="HEAD^"
+        [[ -z "${{ github.base_ref }}" ]] || REF=$(git show-ref ${{ github.base_ref }} | head -1 | cut -d' ' -f2)
+        echo "::set-output name=skip-deploy::$(hack/ci/check-doc-only-update.sh $REF)"
 
   sanity:
     name: sanity

images/scorecard-test-kuttl/main.go

@@ -67,7 +67,7 @@ func main() {
 
 	jsonOutput, err := json.MarshalIndent(s, "", "    ")
 	if err != nil {
-		printErrorStatus(fmt.Errorf("could not marshal scoreard output %v", err))
+		printErrorStatus(fmt.Errorf("could not marshal scorecard output %v", err))
 		return
 	}
 	fmt.Println(string(jsonOutput))

release/Makefile

@@ -7,7 +7,8 @@ SHELL = /bin/bash
 # Dry run flags.
 ifneq ($(DRY_RUN),)
 SNAPSHOT_FLAGS = --snapshot --skip-publish --skip-sign --rm-dist
-$(shell touch changelog/generated/$(GIT_VERSION).md)
+CHANGELOG = changelog/generated/tmp.md
+$(shell touch $(CHANGELOG))
 endif
 
 # Ensure that this Makefile is run from the project root (always contains the 'cmd/' directory).
@@ -18,14 +19,15 @@ endif
 ##@ Release
 
 .PHONY: release
+CHANGELOG ?= changelog/generated/$(GIT_VERSION).md
 release: ## Publish an operator-sdk release, with option for a dry run with DRY_RUN.
 ifeq (,$(GIT_VERSION))
 	$(error "GIT_VERSION must be set to a git tag")
 endif
 	$(SCRIPTS_DIR)/fetch goreleaser 0.147.2
-	GORELEASER_CURRENT_TAG=$(GIT_VERSION) $(TOOLS_DIR)/goreleaser $(SNAPSHOT_FLAGS) --release-notes=changelog/generated/$(GIT_VERSION).md --parallelism 5
+	GORELEASER_CURRENT_TAG=$(GIT_VERSION) $(TOOLS_DIR)/goreleaser $(SNAPSHOT_FLAGS) --release-notes=$(CHANGELOG) --parallelism 5
 ifneq ($(DRY_RUN),)
-	rm changelog/generated/$(GIT_VERSION).md
+	rm $(CHANGELOG)
 endif
 
 ##@ Pre-Release
@@ -47,7 +49,7 @@ changelog: check_release_version ## Generate the changelog.
 	rm -f ./changelog/fragments/!(00-template.yaml)
 
 .PHONY: tag
-VERSION_REGEXP := ^v[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta|rc)\.[0-9]+)?$
+VERSION_REGEXP := ^(scorecard-kuttl/)?v[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta|rc)\.[0-9]+)?$
 tag: ## Create a release tag.
 ifeq (,$(RELEASE_VERSION))
 	$(error "RELEASE_VERSION must be set to tag HEAD")