Bunnyshell preview env, add demo app and readonly-user (#16) #205
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image | |
on: | |
push: | |
branches: | |
- master-bns #todo bns: rollback to master | |
pull_request: | |
branches: | |
- master-bns #todo bns: rollback to master | |
types: [ labeled, unlabeled, opened, synchronize, reopened ] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: {} | |
jobs: | |
set-vars: | |
permissions: | |
contents: read | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
outputs: | |
image-tag: ${{ steps.image.outputs.tag}} | |
platforms: ${{ steps.platforms.outputs.platforms }} | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- name: Set image tag for ghcr | |
run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT | |
id: image | |
- name: Determine image platforms to use | |
id: platforms | |
run: | | |
IMAGE_PLATFORMS=linux/amd64 | |
if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] | |
then | |
IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
fi | |
echo "Building image for platforms: $IMAGE_PLATFORMS" | |
echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT | |
build-only: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'bunnyshell/argo-cd' && github.event_name != 'push' }} #todo bns: rollback to argoproj/argo-cd | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: 1.22 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: false | |
build-and-publish: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/argocd:latest | |
ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: 1.22 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: true | |
secrets: | |
quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
ghcr_username: ${{ github.actor }} | |
ghcr_password: ${{ secrets.GITHUB_TOKEN }} | |
build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io | |
needs: | |
- build-and-publish | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: ghcr.io/argoproj/argo-cd/argocd | |
digest: ${{ needs.build-and-publish.outputs.image-digest }} | |
registry-username: ${{ github.actor }} | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
Deploy: | |
needs: | |
- build-and-publish | |
- set-vars | |
permissions: | |
contents: write # for git to push upgrade commit if not already deployed | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- run: git clone "https://[email protected]/argoproj/argoproj-deployments" | |
env: | |
TOKEN: ${{ secrets.TOKEN }} | |
- run: | | |
docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
git config --global user.email '[email protected]' | |
git config --global user.name 'CI' | |
git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) | |
working-directory: argoproj-deployments/argocd | |