upload_s3.yml
# Reusable (workflow_call) and manually triggered (workflow_dispatch) workflow.
# For each architecture in the matrix it downloads the static urunc and
# containerd-shim-urunc-v2 build artifacts and uploads them to the
# S3-compatible endpoint https://s3.nbfc.io.
# NOTE(review): nesting below was reconstructed from a flattened listing;
# confirm it against the repository copy before relying on it.
name: Upload to S3

on:
  workflow_call:
    inputs:
      # Declared required but also given an empty default. No step in this
      # workflow reads inputs.ref.
      ref:
        required: true
        type: string
        default: ''
    # Static key pair supplied by the calling workflow and passed to the
    # upload action below. NOTE(review): scope the key to write access on the
    # dist/ prefix only; confirm against the bucket policy.
    secrets:
      AWS_ACCESS_KEY:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true

  workflow_dispatch:
    inputs:
      # Same shape as the workflow_call input; also unused by the steps below.
      ref:
        required: true
        type: string
        default: ''

# GITHUB_TOKEN is limited to reading repository contents; no other scope is
# granted to any step in this workflow.
permissions:
  contents: read

jobs:
  build:
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-22.04
          - arch: arm64
            runner: ubuntu-22.04-arm
    # A failing step in either matrix leg does not fail the workflow run, so a
    # failed or partial upload is not surfaced to the caller as an error.
    # NOTE(review): assumed to be a job-level key; confirm the nesting.
    continue-on-error: true
    steps:
      # egress-policy: audit only records outbound connections; it does not
      # block them. The enforcing mode is egress-policy: block together with
      # an allowed-endpoints list, which matters here because the job holds
      # the S3 key pair.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      # Selects the commit SHA and branch name for the triggering event and
      # exports both through $GITHUB_ENV as `sha` and `branch`.
      # Event data reaches the script through env variables rather than being
      # interpolated into the script text, which keeps ref names out of the
      # shell source.
      # For a pull request that is not merged, `branch` is the PR head ref,
      # which the PR author chooses. It is later used as part of the S3 key
      # prefix, so an unmerged PR build shares a prefix with any protected
      # branch of the same name. NOTE(review): consider a dedicated prefix
      # for unmerged PR builds; verify which events the callers run this on.
      # `sha` is exported but no later step in this file reads env.sha.
      - name: Get revision SHA and branch (safe)
        id: get-rev
        env:
          EVENT_NAME: ${{ github.event_name }}
          IS_MERGED: ${{ github.event.pull_request.merged }}
          GITHUB_SHA: ${{ github.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" == "pull_request" ]; then
            if [ "$IS_MERGED" == "true" ]; then
              sha="$GITHUB_SHA"
              branch="$PR_BASE_REF"
              echo "PR merged. SHA: ${sha}, Branch: ${branch}"
            else
              sha="$PR_HEAD_SHA"
              branch="$PR_HEAD_REF"
              echo "PR not yet merged. SHA: ${sha}, Branch: ${branch}"
            fi
          else
            sha="$GITHUB_SHA"
            branch="$REF_NAME"
            echo "$EVENT_NAME event. SHA: ${sha}, Branch: ${branch}"
          fi
          echo "sha=${sha}" >> "$GITHUB_ENV"
          echo "branch=${branch}" >> "$GITHUB_ENV"

      # Artifact names carry the architecture and the current run id;
      # presumably they are produced by an earlier job of the same run.
      - name: Download urunc artifact
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          name: urunc_static_${{ matrix.arch }}-${{ github.run_id }}
          path: ./

      - name: Download containerd-shim-urunc-v2 artifact
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          name: containerd-shim-urunc-v2_static_${{ matrix.arch }}-${{ github.run_id }}
          path: ./

      # Third-party action pinned to a full commit SHA; it receives the S3 key
      # pair. The destination prefix is built from env.branch (set by the
      # get-rev step) and the matrix architecture.
      # Only the binary is uploaded: no checksum or signature is published
      # next to it, so consumers of dist/ cannot verify the download from this
      # workflow's output alone.
      # NOTE(review): the meaning of `policy: 1` is defined by the action and
      # is not visible here; confirm whether it makes the uploaded objects
      # publicly readable.
      - name: Upload urunc to S3
        uses: cloudkernels/minio-upload@5fc9bf7a244cfafb453c6b10c8c3730a68bff0db
        with:
          url: https://s3.nbfc.io
          access-key: ${{ secrets.AWS_ACCESS_KEY }}
          secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          local-path: urunc_static_${{ matrix.arch }}
          remote-path: nbfc-assets/github/urunc/dist/${{ env.branch }}/${{ matrix.arch }}/
          policy: 1

      # Same action, credentials and destination prefix as the urunc upload
      # step; uploads the containerd shim binary.
      - name: Upload containerd-shim-urunc-v2 to S3
        uses: cloudkernels/minio-upload@5fc9bf7a244cfafb453c6b10c8c3730a68bff0db
        with:
          url: https://s3.nbfc.io
          access-key: ${{ secrets.AWS_ACCESS_KEY }}
          secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          local-path: containerd-shim-urunc-v2_static_${{ matrix.arch }}
          remote-path: nbfc-assets/github/urunc/dist/${{ env.branch }}/${{ matrix.arch }}/
          policy: 1