From 1f8b13a1a271af9cd59b5b968631f4c2b3a1ae00 Mon Sep 17 00:00:00 2001 From: mgoerens Date: Mon, 24 Jul 2023 13:30:35 +0200 Subject: [PATCH] Move container images creation to release workflow This makes it possible to retrigger the entire release process, including all assets creation, by retagging the main branch. Starting with this commit, build triggers on the quay.io/redhat-certification/chart-verifier repo are no longer needed. close #383 --- .github/workflows/build.yaml | 38 +----------------------------- .github/workflows/main.yaml | 42 ++++++++++++++++++++++++++++++++++ .github/workflows/release.yaml | 21 ++++++++++++++++- Makefile | 13 +++++++++-- README.md | 2 -- 5 files changed, 74 insertions(+), 42 deletions(-) create mode 100644 .github/workflows/main.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4c189fb0..b93fe7b9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -3,7 +3,7 @@ name: Build, Test, Automerge and Tag # This workflow runs on all PRs that are targetting the main branch. # # It runs the test suite. If the PR is a release PR, it automerges and tags the main branch with -# the corresonding new version. Finally, it retags the container image with latest. +# the corresonding new version. on: pull_request_target: @@ -225,39 +225,3 @@ jobs: custom_tag: ${{ steps.check_version_in_PR.outputs.PR_version }} tag_prefix: "" commit_sha: ${{ steps.main_sha.outputs.origin_main_sha }} - - - name: Wait for image build to complete - # Quay is configured to automatically build our image. This waits - # for it to complete before proceeding successfully. - id: wait_for_image_build - if: ${{ steps.check_version_updated.outputs.updated == 'true'}} - run: | - expectedImage=quay.io/redhat-certification/chart-verifier:${{ steps.check_version_in_PR.outputs.PR_version }} - for i in {1..30}; do - s=60 - echo "Querying Quay for "${expectedImage}" in ${s} seconds..." - sleep $s - skopeo inspect docker://"${expectedImage}" && echo "Image Found!" && exit 0 - done - echo "ERR Image not found in allotted time." - exit 1 - - - name: Login to Quay as Bot - id: login_as_bot - if: ${{ steps.wait_for_image_build.outcome == 'success'}} - uses: redhat-actions/podman-login@v1 - with: - username: ${{ secrets.QUAY_BOT_USERNAME }} - password: ${{ secrets.QUAY_BOT_TOKEN }} - registry: quay.io/redhat-certification - - - name: Update latest tag - if: ${{ steps.login_as_bot.outcome == 'success'}} - id: update_latest_tag - # TODO: When we shift to a push-from-this-repo model (instead of Quay build model) - # we should transition this tag workflow to use the digest of the image built here in CI. - run: | - imageReference=quay.io/redhat-certification/chart-verifier - podman pull ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }} - podman tag ${imageReference}:${{ steps.check_version_in_PR.outputs.PR_version }} ${imageReference}:latest - podman push ${imageReference}:latest diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 00000000..beb47795 --- /dev/null +++ b/.github/workflows/main.yaml @@ -0,0 +1,42 @@ +name: Create container image on main + +# This workflow builds a container image for each commit on the main branch. +# The image is tagged with the (short) commit ID and "main", and pushed to Quay. + +on: + push: + branches: + - main +jobs: + image: + name: Build and push container images + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Get commit ID + id: get_commit_id + run: | + # Make the short commit ID available to the following steps. + COMMIT_ID=$(git rev-parse --short HEAD) + echo "commit_id=$COMMIT_ID" | tee -a $GITHUB_OUTPUT + + - name: Build container images + id: build_container_images + run: | + # Build podman images locally + make build-image IMAGE_TAG=${{ steps.get_commit_id.outputs.commit_id }} + make build-image IMAGE_TAG=main + + - name: Push to quay.io + id: push_to_quay + uses: redhat-actions/push-to-registry@v2 + with: + image: chart-verifier + tags: | + ${{ steps.get_commit_id.outputs.commit_id }} + main + registry: quay.io/redhat-certification + username: ${{ secrets.QUAY_BOT_USERNAME }} + password: ${{ secrets.QUAY_BOT_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 29274f37..2602cd62 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,7 +18,8 @@ name: create release on new tags # Finally, as mentioned above, create a new tag (e.g. `git tag 1.12.2 && git push --tags`) to # recreate the release. # -# This workflow builds the tarball, creates the Github release and attaches the tarball to it. +# This workflow builds all release assets (the tarball and the container images), creates the +# Github release and attaches the tarball to it. on: push: @@ -88,3 +89,21 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Build container images + id: build_container_images + run: | + # Build podman images locally + make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} + make build-image IMAGE_TAG=latest + + - name: Push to quay.io + id: push_to_quay + uses: redhat-actions/push-to-registry@v2 + with: + image: chart-verifier + tags: | + ${{ steps.get_tag.outputs.release_version }} + latest + registry: quay.io/redhat-certification + username: ${{ secrets.QUAY_BOT_USERNAME }} + password: ${{ secrets.QUAY_BOT_TOKEN }} diff --git a/Makefile b/Makefile index 0d785ea3..7afabb8c 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,7 @@ IMAGE_BUILDER?=podman IMAGE_REPO?=quay.io/redhat-certification COMMIT_ID=$(shell git rev-parse --short HEAD) COMMIT_ID_LONG=$(shell git rev-parse HEAD) +IMAGE_TAG=$(COMMIT_ID) default: bin @@ -52,9 +53,17 @@ bin_win: test: go test -v ./... +# Build the container image. Usage: make build-image IMAGE_TAG=my_tag +# If IMAGE_TAG is not provided, use the COMMIT_ID .PHONY: build-image build-image: - $(IMAGE_BUILDER) build -t $(IMAGE_REPO)/chart-verifier:$(COMMIT_ID) . + $(IMAGE_BUILDER) build -t $(IMAGE_REPO)/chart-verifier:$(IMAGE_TAG) . + +# Push the container image. Usage: make push-image IMAGE_TAG=my_tag +# If IMAGE_TAG is not provided, use the COMMIT_ID +.PHONY: push-image +push-image: + $(IMAGE_BUILDER) push $(IMAGE_REPO)/chart-verifier:$(IMAGE_TAG) . .PHONY: gosec gosec: install.gosec @@ -86,4 +95,4 @@ define go-install-tool @[ -f $(1) ] || { \ GOBIN=$(PROJECT_DIR)/out go install $(2) ;\ } -endef \ No newline at end of file +endef diff --git a/README.md b/README.md index db749255..c358048c 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ # **chart-verifier**: Rules based tool to certify Helm charts -[![Docker Repository on Quay](https://quay.io/repository/redhat-certification/chart-verifier/status "Docker Repository on Quay")](https://quay.io/repository/redhat-certification/chart-verifier) - The **chart-verifier** CLI tool allows you to validate the Helm chart against a configurable list of checks. The tool ensures that the Helm charts include the associated metadata and formatting, and are distribution ready. The tool allows users to validate a Helm chart URL and provides a report where each check has a `positive` or `negative` result. A negative result from a check indicates a problem with the chart, which needs correction. It ensures that the Helm chart works seamlessly on Red Hat OpenShift and can be submitted as a certified Helm chart in the [OpenShift Helm Repository](https://github.com/openshift-helm-charts).