nightwatch-build.yaml
name: Build nightwatch tests
# Reusable workflow (`on: workflow_call`). It builds the `nightwatch` target of
# the `smoketest` Docker context and pushes it under a timestamp tag. On every
# ref except `main` it then scans the image and runs it once as a pod in the
# cluster; on `main`, when `versions` is set, it commits the new tag instead.
#
# ### Example usage `nightwatch.yaml`
# on:
#   push:
#     branches:
#       - main
#     paths:
#       - '.github/workflows/nightwatch.yaml'
#       - 'smoketest/**'
#       - '!smoketest/k8s/versions/*'
#   pull_request:
#     paths:
#       - '.github/workflows/nightwatch.yaml'
#       - 'smoketest/**'
#       - '!smoketest/k8s/versions/*'
# jobs:
#   build:
#     # `XXX` is a placeholder for the ref to call; a full commit SHA keeps the
#     # called workflow from changing underneath the caller.
#     uses: zeitonline/gh-action-workflows/.github/workflows/nightwatch-build.yaml@XXX
#     # This workflow declares no `secrets:` under `workflow_call`, so `inherit`
#     # is how it receives PRIVATE_REPO_ACCESS_PAT (the only secret it reads by
#     # name). `inherit` makes every secret of the caller available to it.
#     secrets: inherit
#     with:
#       versions: smoketest/k8s/versions
#       k8s_base: smoketest/k8s
#       project: MYPROJECT
#       environment: staging
#       gke_cluster: my-cluster
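on:
  workflow_call:
    inputs:
      # Project name used for authentication and as the Kubernetes namespace.
      # When empty, the job falls back to the repository name (the part of
      # `github.repository` after the slash).
      project:
        required: false
        type: string
      # Selects the kustomize overlay `<k8s_base>/<environment>` and is passed
      # to the auth action; also the cluster name when `gke_cluster` is empty.
      environment:
        required: false
        type: string
        default: staging
      gke_cluster:
        required: false
        type: string
      # Appended to the `kubectl run` command line of the test pod. The value
      # is substituted into the shell script text before the shell runs, which
      # is what lets the default below rely on shell quoting. Callers should
      # therefore pass only fixed strings here, never values derived from
      # event data such as branch names or pull-request titles.
      # The default runs the pod under the `baseproject` service account and
      # loads the optional `nightwatch-secrets` secret into its environment.
      args:
        required: false
        type: string
        default: |
          --override-type=json --overrides='[
            {"op": "add", "path": "/spec/serviceAccount", "value": "baseproject"},
            {"op": "add", "path": "/spec/containers/0/envFrom", "value": [{
              "secretRef": {"name": "nightwatch-secrets", "optional": true}}]}
          ]'
      # When set, runs on `main` update the image tag in this directory and
      # commit the result; when empty, those steps are skipped.
      versions:
        description: directory in which to run `kustomize edit set image`
        required: false
        type: string
      k8s_base:
        description: directory that contains a k8s manifest containing the final image name
        required: false
        type: string
        default: k8s
    outputs:
      tag:
        description: "Tag of built 'nightwatch' image"
        value: ${{ jobs.build.outputs.tag }}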
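jobs:
  build:
    name: Build docker image
    runs-on: zon-ubuntu-general-dind
    # Job-wide token permissions; they apply on pull-request runs as well as on
    # main. NOTE(review): `id-token: write` is presumably for the login done in
    # "Setup auth" and `checks: write` for the scan step. The checkout below is
    # given a PAT, so the final `git push` may not need `contents: write`.
    # Confirm each and drop what is unused.
    permissions:
      id-token: write
      contents: write
      checks: write
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      # The PAT is handed to checkout on every run, including pull-request
      # runs that never push. NOTE(review): checkout keeps the token configured
      # for later git commands by default, which the push step at the end
      # appears to rely on; every step in between can use it too.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ secrets.PRIVATE_REPO_ACCESS_PAT }}
      # Timestamp tag, e.g. tag=20240131235959 (constructed example).
      - name: Set tag
        id: tag
        run: date +tag=%Y%m%d%H%M%S >> "$GITHUB_OUTPUT"
      # Exports `project`, `image` and `tag` to later steps via GITHUB_ENV.
      # Inputs reach the script through `env:` instead of `${{ }}` inside the
      # script body, so their content is never parsed as shell code.
      - name: Set variables
        id: vars
        env:
          PROJECT_INPUT: ${{ inputs.project }}
          K8S_BASE: ${{ inputs.k8s_base }}
          OVERLAY: ${{ inputs.environment }}
          TAG: ${{ steps.tag.outputs.tag }}
        run: |
          default="${GITHUB_REPOSITORY##*/}"
          project="${PROJECT_INPUT:-$default}"
          echo "project=$project" >> "$GITHUB_ENV"
          image="$( kustomize build "$K8S_BASE/$OVERLAY" | awk -F: '/image: .*nightwatch/ { print $2 }' | tr -d ' ' | uniq )"
          # The image name is read from manifests in the checked-out tree and
          # written to GITHUB_ENV. An empty value would only fail later at the
          # push, and a multi-line value would be parsed by the runner as
          # additional environment entries, so require exactly one line.
          case "$image" in
            "" | *$'\n'*)
              echo "::error::expected exactly one nightwatch image in $K8S_BASE/$OVERLAY"
              exit 1
              ;;
          esac
          echo "image=$image" >> "$GITHUB_ENV"
          echo "tag=$TAG" >> "$GITHUB_ENV"
      # NOTE(review): this is the only action in the job referenced by a
      # movable tag (`v0`) instead of a full commit SHA, and it is the step
      # that obtains the cloud, registry and Vault credentials. Pin it to a
      # commit SHA like the other actions.
      - name: Setup auth
        uses: ZeitOnline/gh-action-baseproject@v0
        id: baseproject
        with:
          project_name: ${{ env.project }}
          environment: ${{ inputs.environment }}
          gke_auth: true
          gke_cluster: ${{ inputs.gke_cluster || inputs.environment }}
          google_auth: true
          gar_docker_auth: true
          vault_export_token: true
      # The access token goes in through the action's `secrets` input rather
      # than a build argument.
      - name: Build & push image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: smoketest
          target: nightwatch
          tags: ${{ env.image }}:${{ env.tag }}
          push: true
          secrets: |
            GCLOUD_TOKEN=${{ steps.baseproject.outputs.gcloud_access_token }}
      # NOTE(review): the scan and the test run below are skipped on `main`,
      # while the build above always produces a fresh image under a new
      # timestamp tag. The image that the `main` run records in `versions` is
      # therefore not scanned by this workflow; confirm that is intended.
      - uses: ZeitOnline/sysdig-scan-action@6ce72f92e0cb5c80ff798ec3807ee2d829c70b64 # v1.2.0
        if: github.ref_name != 'main'
        with:
          gha_vault_role: ${{ steps.baseproject.outputs.gha_vault_role }}
          image_tag: ${{ env.image }}:${{ env.tag }}
      # Runs the freshly built image once as a pod and fails the job unless
      # the pod ends in phase "Succeeded". `project`, `image` and `tag` are
      # environment variables written by "Set variables".
      # `inputs.args` is deliberately still expanded into the script text,
      # because its default depends on shell quoting; it must only ever carry
      # fixed strings supplied by the calling workflow.
      # With the default `args`, the pod runs code from the branch under test
      # with the `baseproject` service account and `nightwatch-secrets`.
      - name: Run tests
        if: github.ref_name != 'main'
        run: |
          pod="nightwatch-test-$tag"
          kubectl config set-context --current --namespace="$project"
          # Delete the pod on every exit path. Without the trap, a failing
          # `kubectl wait` or `kubectl logs` ends the script early and leaves
          # the pod, and the secrets in its environment, in the cluster.
          trap 'kubectl delete --ignore-not-found "pods/$pod"' EXIT
          kubectl run "$pod" --image="$image:$tag" --restart=Never ${{ inputs.args }}
          kubectl wait --for=condition=Ready --timeout=120s "pods/$pod"
          kubectl logs --follow "pods/$pod"
          sleep 10
          status=$( kubectl get -o template --template='{{.status.phase}}' "pods/$pod" )
          test "$status" = "Succeeded"
      - name: Pull recent changes
        if: ${{ inputs.versions && github.ref_name == 'main' }}
        run: |
          git pull
      - name: Set image tags
        if: ${{ inputs.versions && github.ref_name == 'main' }}
        env:
          VERSIONS_DIR: ${{ inputs.versions }}
        run: |
          cd "$VERSIONS_DIR"
          kustomize edit set image "nightwatch:$tag"
      # The earlier form wrapped the path in double backticks inside a
      # double-quoted string; bash read each pair as an empty command
      # substitution, so the backticks never reached the commit message.
      # The message produced here is the same as before. Escape the backticks
      # (\`\`) if the literal markup is wanted.
      - name: Commit and push image tags
        if: ${{ inputs.versions && github.ref_name == 'main' }}
        env:
          VERSIONS_DIR: ${{ inputs.versions }}
        run: |
          git commit -am "ci: update image versions ($VERSIONS_DIR)"
          git push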