Merge pull request #83 from VertaAI/ln/gha-kaniko

liam-verta · web-flow · commit 45cc068381a8 · 2023-06-13T13:03:02.000-07:00
chore: move to GHA publish
diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
@@ -1,11 +1,15 @@
 name: Build images
 
+
 on:
-  pull_request:
-    branches: ['main']
-  push:
-    branches: ['main']
-    tags: ['v[0-9]+.[0-9]+.[0-9]+*']
+  # Only run when this repo changes from private to public.
+  # Already public = never
+  public
+  # pull_request:
+  #   branches: ['main']
+  # push:
+  #   branches: ['main']
+  #   tags: ['v[0-9]+.[0-9]+.[0-9]+*']
 
 jobs:
   build-images:
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
@@ -1,10 +1,13 @@
 name: Integration tests
 
 on:
-  push:
-    branches: ['main']
-  pull_request:
-    branches: ['main']
+  # Only run when this repo changes from private to public.
+  # Already public = never
+  public
+  # push:
+  #   branches: ['main']
+  # pull_request:
+  #   branches: ['main']
 
 permissions:
   contents: read
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -1,12 +1,15 @@
 name: Scorecards supply-chain security
 on: 
+  # Only run when this repo changes from private to public.
+  # Already public = never
+  public
   # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    # Weekly on Saturdays.
-    - cron: '30 1 * * 6'
-  push:
-    branches: ['main']
+  # branch_protection_rule:
+  # schedule:
+  #   # Weekly on Saturdays.
+  #   - cron: '30 1 * * 6'
+  # push:
+  #   branches: ['main']
 
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -1,10 +1,13 @@
 name: Unit tests
 
 on:
-  push:
-    branches: ['main']
-  pull_request:
-    branches: ['main']
+  # Only run when this repo changes from private to public.
+  # Already public = never
+  public
+  # push:
+  #   branches: ['main']
+  # pull_request:
+  #   branches: ['main']
 
 permissions:
   contents: read
diff --git a/.github/workflows/verta-build.yaml b/.github/workflows/verta-build.yaml
@@ -0,0 +1,124 @@
+name: Build and Push
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - verta/main
+      - 'release/*'
+
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: write  # Read is required for actions/checkout, write is required to comment on commits
+  statuses: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  VERTA_ECR_REGISTRY: "493416687123.dkr.ecr.us-east-1.amazonaws.com"
+
+jobs:
+  kaniko:
+    runs-on: ubuntu-latest
+
+    env:
+      ECR_REPOSITORY: "493416687123.dkr.ecr.us-east-1.amazonaws.com/external/kaniko-project/executor"
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          # need previous commit to find PR head commit info
+          fetch-depth: 2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::493416687123:role/github-actions
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Get branch names
+        id: branch_names
+        uses: tj-actions/branch-names@v7
+
+      - name: Get docker image tag
+        id: image_info
+        run: |
+          branch=$(echo ${{ steps.branch_names.outputs.current_branch }} | sed 's,/,_,g')
+          # PRs checkout a merge of PR head with target. Branches checkout current head of branch.
+          # When in a PR, use the PR head commit sha instead of the checkout commit sha.
+          pr_sha="${{ github.event.pull_request.head.sha }}"
+          sha=${pr_sha:-$GITHUB_SHA}
+          sha_details=$(TZ=UTC git show -s --format=%cd--%h --date='format-local:%Y-%m-%dT%H-%M-%S' --abbrev=7 $sha)
+          echo "sha=${sha}" >> $GITHUB_OUTPUT
+          echo "tag=${branch}-${sha_details}" >> $GITHUB_OUTPUT
+
+      - name: Update commit status with Docker image status
+        uses: ouzi-dev/commit-status-updater@v2
+        with:
+          name: "Tag: ${{ steps.image_info.outputs.tag }}"
+          description: "Publishing..."
+
+      - name: Inspect image to see if it already exists
+        id: should_publish
+        run: |
+          TARGETS=""
+          docker manifest inspect $ECR_REPOSITORY:${{ steps.image_info.outputs.tag }} || TARGETS="kaniko"
+          echo "targets=${TARGETS}" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image to ECR
+        uses: docker/build-push-action@v4
+        if: "!(steps.should_publish.outputs.targets == '')"
+        env: 
+          DOCKER_BUILDKIT: "1"
+        with:
+          # context: .
+          file: deploy/Dockerfile
+          push: true
+          # build-args: |
+          #  VERSION=${{ steps.image_info.outputs.tag }}
+          tags: |
+            ${{ env.ECR_REPOSITORY }}:${{ steps.image_info.outputs.tag }}
+
+      - name: Configure AWS credentials for us-west-2
+        # external components should mirror every merge to verta/main
+        if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::493416687123:role/github-actions
+          aws-region: us-west-2
+
+      - name: Login to Amazon ECR for us-west-2
+        id: login-ecr-release
+        if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Mirror Docker image to us-west-2
+        id: mirror-release
+        if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
+        shell: bash
+        run: |
+          export TARGET_REPOSITORY=${ECR_REPOSITORY/us-east-1/us-west-2}
+          docker manifest inspect ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} || \
+            docker tag ${ECR_REPOSITORY}:${{ steps.image_info.outputs.tag }} ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} && \
+            docker push ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }}
+
+      - name: Create commit comment
+        uses: peter-evans/commit-comment@v2
+        if: "!(steps.should_publish.outputs.targets == '')"
+        with:
+          body: "Docker Tag: ${{ steps.image_info.outputs.tag }}"
+
+      - name: Update commit status with Docker image status
+        uses: ouzi-dev/commit-status-updater@v2
+        with:
+          name: "Tag: ${{ steps.image_info.outputs.tag }}"
+          url: "${{ github.server_url }}/${{ github.repository }}/commit/${{ steps.image_info.outputs.sha }}#comments"
+          status: success
