From 9dbd4369157699c4f627ca13ca253602f5cffdce Mon Sep 17 00:00:00 2001
From: Webster Mudge
Date: Fri, 25 Aug 2023 12:30:13 -0400
Subject: [PATCH] Add validate-image.yml workflow
Update validate_pr.yml to validate base image
Save the image as an artifact, then validate the profiles using the artifact.
Signed-off-by: Webster Mudge
---
 .github/workflows/build_push_image.yml | 2 +-
 .github/workflows/validate_image.yml | 98 ++++++++++++++++++++++++++
 .github/workflows/validate_pr.yml | 49 ++++--------
 3 files changed, 112 insertions(+), 37 deletions(-)
 create mode 100644 .github/workflows/validate_image.yml
diff --git a/.github/workflows/build_push_image.yml b/.github/workflows/build_push_image.yml
index 53f3a97..c28eb1b 100644
--- a/.github/workflows/build_push_image.yml
+++ b/.github/workflows/build_push_image.yml
@@ -7,7 +7,7 @@ on:
 workflow_call:
 inputs:
 PROFILE:
- description: 'Execution profile'
+ description: 'Execution Environment profile'
 required: true
 type: string
 outputs:
diff --git a/.github/workflows/validate_image.yml b/.github/workflows/validate_image.yml
new file mode 100644
index 0000000..71956a8
--- /dev/null
+++ b/.github/workflows/validate_image.yml
@@ -0,0 +1,98 @@
+---
+
+name: Build (validate) Execution Environment image
+
+# See https://docs.docker.com/build/ci/github-actions/share-image-jobs/
+
+on:
+ workflow_call:
+ inputs:
+ PROFILE:
+ description: 'Execution profile'
+ required: true
+ type: string
+
+permissions:
+ contents: read
+ packages: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install latest ansible-builder
+ run: pip install ansible-builder
+
+ - name: Construct image metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: |
+ ghcr.io/${{ github.repository }}
+ flavor: |
+ latest=auto
+ prefix=${{ inputs.PROFILE }}-,onlatest=true
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=ref,event=branch
+ type=ref,event=pr
+ type=sha,prefix=${{ inputs.PROFILE }}-
+
+ - name: Construct short SHA
+ id: sha
+ run: echo "sha-short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Update container base image reference
+ if: ${{ inputs.PROFILE != 'base' }}
+ env:
+ REPLACEMENT_IMAGE: ${{ github.repository }}:base-${{ steps.sha.outputs.sha-short }}
+ run:
+ sed -i 's|cloudera-labs/cldr-runner:base-latest|${{ env.REPLACEMENT_IMAGE }}|' ${{ inputs.PROFILE }}/execution-environment.yml
+
+ - name: Create builder context
+ run: |
+ ansible-builder create --file ${{ inputs.PROFILE }}/execution-environment.yml
+
+ - name: Upload Containerfile
+ uses: actions/upload-artifact@v3
+ with:
+ name: ${{ inputs.PROFILE }}-Containerfile
+ path: ${{ inputs.PROFILE }}/Containerfile
+
+ - name: Download the base image
+ if: ${{ inputs.PROFILE != 'base' }}
+ uses: actions/download-artifact@v3
+ with:
+ name: base-${{ steps.sha.outputs.sha-short }}
+ path: base-${{ steps.sha.outputs.sha-short }}
+
+ - name: Load the base image
+ if: ${{ inputs.PROFILE != 'base' }}
+ run: |
+ podman load -i base-${{ steps.sha.outputs.sha-short }}
+
+ - name: Build image from builder context
+ uses: redhat-actions/buildah-build@v2
+ with:
+ context: ./context
+ containerfiles: |
+ ./context/Containerfile
+ build-args: |
+ BUILD_VER=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+ BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
+ BUILD_REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+ image: ${{ github.repository }}
+ tags: ${{ steps.meta.outputs.tags }}
+ extra-args: |
+ --output type=tar,dest=${{ inputs.PROFILE }}-${{ steps.sha.outputs.sha-short }}
+
+ - name: Upload base image
+ if: ${{ inputs.PROFILE == 'base' }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: ${{ inputs.PROFILE }}-${{ steps.sha.outputs.sha-short }}
+ path: ${{ inputs.PROFILE }}-${{ steps.sha.outputs.sha-short }}
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
index 5a3e19e..22af58b 100644
--- a/.github/workflows/validate_pr.yml
+++ b/.github/workflows/validate_pr.yml
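Review bot: The `Upload Containerfile` step uploads `${{ inputs.PROFILE }}/Containerfile`, but `ansible-builder create` is now run without `--context`, and the build step reads `./context/Containerfile`, so the artifact path points at a file this workflow no longer generates; change it to `path: ./context/Containerfile` (or pass `--context ${{ inputs.PROFILE }}` and use that path in both places). The `Install latest ansible-builder` step drops the `==1.2.0` pin that validate_pr.yml used, so the image build now depends on whatever version PyPI serves on the day; pinning it (`run: pip install ansible-builder==<pinned version>`) keeps the build reproducible and the toolchain auditable. It is also worth confirming that `podman load -i base-<sha>` sees the tar file rather than the directory `download-artifact` creates at `path: base-<sha>`, and that the reference `sed` writes into execution-environment.yml (`${{ github.repository }}:base-<sha>`) matches the tag the loaded image carries (metadata-action tagged it under `ghcr.io/${{ github.repository }}`); if either differs, buildah will try to pull the base image from the registry instead of using the artifact built in this run.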
@@ -21,50 +21,27 @@ on:
 branches:
 - 'release/**'
 - 'devel'
- - 'devel-pvc-update'
 workflow_dispatch:
 
 jobs:
- validate:
- runs-on: ubuntu-latest
+
+ validate-base:
+ uses: ./.github/workflows/validate_image.yml
+ with:
+ PROFILE: base
+
+ validate-profiles:
+ needs: validate-base
+ uses: ./.github/workflows/validate_image.yml
 strategy:
 fail-fast: false
 matrix:
- ee_profile: ["full", "base", "aws", "azure", "gcp"]
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Install ansible-builder
- run: pip install ansible-builder==1.2.0
-
- - name: Set up context
- run: |
- mkdir -p ${{ matrix.ee_profile }}
- cp -R builder/devel/* ${{ matrix.ee_profile }}
- cp builder/ee-${{ matrix.ee_profile }}.yml ${{ matrix.ee_profile }}/execution-environment.yml
- cp -R builder/env builder/inventory builder/repo builder/bashrc ${{ matrix.ee_profile }}
-
- - name: Create Containerfile
- run: |
- ansible-builder create --context ${{ matrix.ee_profile }} --file ${{ matrix.ee_profile }}/execution-environment.yml
-
- - name: Upload Containerfile
- uses: actions/upload-artifact@v3
- with:
- name: ${{ matrix.ee_profile }}-Containerfile
- path: ${{ matrix.ee_profile }}/Containerfile
-
- - name: Build image from context
- uses: redhat-actions/buildah-build@v2
- with:
- context: ${{ matrix.ee_profile }}
- image: ${{ github.repository }}
- containerfiles: |
- ${{ matrix.ee_profile }}/Containerfile
+ ee_profile: ["aws", "azure", "gcp", "full"]
+ with:
+ PROFILE: ${{ matrix.ee_profile }}
 
 record:
- needs: validate
+ needs: validate-profiles
 runs-on: ubuntu-latest
 steps:
 # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
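Review bot: The split into `validate-base` and `validate-profiles` encodes an ordering requirement that nothing in this hunk states: the profile images are built on top of the base image that the first job publishes as a run artifact, which is why `base` left the matrix and why `needs: validate-base` is there. A comment above `validate-profiles`, e.g. `# Profiles derive from the base image that validate_image.yml uploads as a run artifact; base must finish first.`, would save the next reader a trip into the reusable workflow. Because the matrix job is `needs`-gated, a base failure skips every profile job and `record` rather than reporting them as failures, which looks intended but is worth saying in the same comment. The `on:` block this hunk starts in begins before the hunk, so the trigger events for these jobs are not visible here.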