diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 99d13f86..4985568e 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -14,7 +14,7 @@ permissions: {} jobs: build-push-test: - name: ๐Ÿ› ๏ธ Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) + name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) strategy: matrix: flavor: [cpp, rust] diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index 170a930c..df501abd 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml 
@@ -9,36 +9,53 @@ on: required: true type: string image-name: - description: "Name of the Docker image to build, without registry or tag. E.g. 'my-image' or 'my-org/my-image'" + description: >- + Name of the Docker image to build, without registry or tag. + + Examples: + 'my-image' + 'my-org/my-image' required: true type: string devcontainer-metadata-file: - description: "Path to a JSON file containing devcontainer metadata to add as a label to the built image" + description: >- + Path to a JSON file containing devcontainer metadata to add as a label to the built image. + + Examples: + '.devcontainer/devcontainer-metadata.json' + '.devcontainer//devcontainer-metadata.json' required: false type: string registry: - description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry" + description: >- + Docker registry to push built containers to. + `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD` secrets must be set if not using GitHub Container Registry (ghcr.io). required: false type: string default: "ghcr.io" build-test-runner-labels: description: >- - JSON object passed to fromJson to become the build matrix. Example: - '["ubuntu-latest", "ubuntu-24.04-arm"]' + JSON array used to select multi-architecture runners for build and test jobs. + Must be valid JSON. + + Examples: + '["ubuntu-latest"]' + '["ubuntu-latest", "ubuntu-24.04-arm"]' + '[["self-hosted", "linux", "x86_64"], ["self-hosted", "linux", "arm64"]]' required: false type: string default: '["ubuntu-latest", "ubuntu-24.04-arm"]' runner-labels: description: >- - Single runner label OR JSON array of runner labels for non-build jobs. + JSON array used to select the default linux runner for non-build jobs. + Must be valid JSON. 
+ Examples: - ubuntu-latest '["ubuntu-latest"]' '["self-hosted", "linux", "x86_64"]' - Provide a valid JSON array (starting with '[') to use multiple labels; any other value is treated as a single label string. required: false type: string - default: ubuntu-latest + default: '["ubuntu-latest"]' integration-test-file: description: "Path to the BATS test file to run for integration tests" required: false @@ -94,19 +111,20 @@ jobs: integration-test: name: ๐Ÿงช if: ${{ inputs.integration-test-file }} - strategy: - matrix: - runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }} needs: build-push uses: ./.github/workflows/wc-integration-test.yml permissions: contents: read + secrets: + DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} + DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} with: + build-test-runner-labels: ${{ inputs.build-test-runner-labels }} fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }} image-basename: ${{ needs.build-push.outputs.image-basename }} image-digest: ${{ needs.build-push.outputs.digest }} + registry: ${{ inputs.registry }} test-file: ${{ inputs.integration-test-file }} - runner-labels: ${{ matrix.runner }} acceptance-test: name: ๐Ÿ—๏ธ diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index f03e791b..16d59a59 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml 
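Review bot: The `runner-labels` contract narrows here from "single label or JSON array" to JSON only, and the new description does not tell existing callers that a bare `ubuntu-latest` stops working. The later hunks in wc-build-push.yml (`merge-image`), wc-dependency-review.yml and wc-sanitize-image-name.yml pass the value straight to `fromJson(...)`, so such a caller would fail at expression evaluation rather than with a readable message. I would add one sentence to the description, for example `A bare label such as ubuntu-latest is not accepted; write '["ubuntu-latest"]'.` Separately, the second `devcontainer-metadata-file` example, `'.devcontainer//devcontainer-metadata.json'`, contains an empty path segment that looks like a lost placeholder and is worth checking.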
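Review bot: The `secrets:` block added to `integration-test` forwards `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD`, and the wc-integration-test.yml hunk marks both `required: true`, while the `registry` description in this file still says they only need to be set when not using ghcr.io. A caller on the default registry will forward empty values, so confirm that such a run still starts and that the `credentials:` block (outside the visible hunks) handles the empty case; otherwise keep `required: false` in the called workflow. The description associates these credentials with pushing, and the test job appears to need them only to pull the image. A comment such as `# used only to pull the image under test` above `secrets:` would record that intent for anyone later scoping a pull-only credential.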
@@ -57,10 +57,10 @@ jobs: runner-labels: ${{ inputs.runner-labels }} build-push: - name: ${{ matrix.runner }} + name: Build (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) strategy: matrix: - runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }} + runner: ${{ fromJson(inputs.build-test-runner-labels) }} runs-on: ${{ matrix.runner }} needs: sanitize-image-name permissions: @@ -137,9 +137,7 @@ jobs: merge-image: name: ๐Ÿ”— Merge Image - # Support either a plain single label (e.g. ubuntu-latest) OR a JSON array of labels. - # If the input starts & ends with brackets we attempt JSON parsing; otherwise we pass the raw string. - runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }} + runs-on: ${{ fromJson(inputs.runner-labels) }} needs: - build-push - sanitize-image-name @@ -159,9 +157,6 @@ jobs: with: disable-sudo: true egress-policy: audit - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: path: ${{ runner.temp }}/digests diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml index 1415f8d9..b3c49c2a 100644 --- a/.github/workflows/wc-dependency-review.yml +++ b/.github/workflows/wc-dependency-review.yml 
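Review bot: The new `name:` expression on `build-push` tests `startsWith(matrix.runner, '[')`, but after `fromJson` a matrix entry is either a plain string or an already-parsed array, never a string that begins with a bracket. As far as I can tell an array does not cast to its JSON text for `startsWith`, so for the nested example `[["self-hosted", "linux", "x86_64"], ...]` the `join` branch is not taken and the job name would not list the labels. `join` accepts a string as well as an array, so the condition can go: `name: Build (${{ join(matrix.runner, ', ') }})`. The same expression is added to `run-test` in the wc-integration-test.yml hunk.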
@@ -5,17 +5,23 @@ on: workflow_call: inputs: runner-labels: - description: "Runner to use for the job, will be passed to `runs-on`" + description: >- + JSON array used to select the action runner. + Must be valid JSON. + + Examples: + '["ubuntu-latest"]' + '["self-hosted", "linux", "x86_64"]' required: false type: string - default: ubuntu-latest + default: '["ubuntu-latest"]' permissions: {} jobs: dependency-review: name: Review - runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }} + runs-on: ${{ fromJson(inputs.runner-labels) }} permissions: contents: read pull-requests: write diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml index cc7479d2..f4118777 100644 --- a/.github/workflows/wc-integration-test.yml +++ b/.github/workflows/wc-integration-test.yml 
@@ -16,27 +16,27 @@ on: test-file: required: true type: string - runner-labels: - description: "Runner to use for the job, will be passed to `runs-on`" + build-test-runner-labels: required: true type: string registry: - description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry" - required: false + required: true type: string - default: "ghcr.io" secrets: DOCKER_REGISTRY_USERNAME: - required: false + required: true DOCKER_REGISTRY_PASSWORD: - required: false + required: true permissions: {} jobs: run-test: - name: ๐Ÿงช Integration Test - runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }} + name: Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) + strategy: + matrix: + runner: ${{ fromJson(inputs.build-test-runner-labels) }} + runs-on: ${{ matrix.runner }} container: image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} credentials: diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml index 5629c4a4..878d37a2 100644 --- a/.github/workflows/wc-sanitize-image-name.yml +++ b/.github/workflows/wc-sanitize-image-name.yml @@ -29,7 +29,7 @@ permissions: {} jobs: sanitize: name: Sanitize Image Name - runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }} + runs-on: ${{ fromJson(inputs.runner-labels) }} outputs: image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }} image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
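Review bot: The `build-test-runner-labels` input is added without a `description`, and the one on `registry` is removed, so the interface of this reusable workflow is now documented only in its caller. I would add `description: "JSON array; one test job is started per entry, each entry passed to runs-on"` to `build-test-runner-labels` and restore a short description on `registry`. The `run-test` job continues past the end of the hunk, so the `credentials:` block that consumes the two secrets is not visible here.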