pr-image-expiry.yml
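# Labels the image tagged pr-<number> in Quay with quay.expires-after once the
# pull request is closed, so the tag expires instead of accumulating.
name: Apply PR Image Expiry Label

on:
  # Use pull_request_target to access secrets for PRs from forks.
  # This is safe only because the job labels an existing image and never
  # checks out or executes code from the PR head. The job holds Quay robot
  # credentials, so keep that property when editing the steps below.
  pull_request_target:
    types: [closed]
  workflow_dispatch: {}

permissions:
  contents: read

concurrency:
  # One run per PR; a newer run for the same PR cancels the older one.
  group: pr-image-expiry-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  # Default Quay image repo; can be overridden by secret if provided
  QUAY_ODH_DASHBOARD_IMAGE_REPO: ${{ secrets.QUAY_ODH_DASHBOARD_IMAGE_REPO || 'quay.io/opendatahub/odh-dashboard' }}
  # Value written into the quay.expires-after label; defaults to 21 days
  EXPIRES_AFTER: ${{ secrets.QUAY_ODH_DASHBOARD_IMAGE_EXPIRES_AFTER || '21d' }}

jobs:
  apply-expiry-label:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target the default ref is the base branch, not the
      # PR head. Do not add a `ref:` that points at the PR head here.
      # NOTE(review): for a job that holds secrets, pinning the action to a
      # full commit SHA instead of a moving tag is the usual hardening.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the token
          # in the checked-out repository's git config.
          persist-credentials: false

      - name: Install crane
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): this installs whatever release is latest at run time,
          # with no checksum or signature check, in a job that later holds Quay
          # robot credentials. Prefer pinning a reviewed release tag and
          # verifying the tarball digest before extracting it.
          # Get the latest release version
          LATEST_VERSION=$(curl -fsSL https://api.github.com/repos/google/go-containerregistry/releases/latest | jq -r '.tag_name')
          # jq -r prints the literal string "null" when the field is absent;
          # stop here with a clear message instead of building a bad URL.
          if [[ -z "$LATEST_VERSION" || "$LATEST_VERSION" == "null" ]]; then
            echo "Could not resolve the latest go-containerregistry release tag." >&2
            exit 1
          fi
          echo "Installing crane version: $LATEST_VERSION"
          # Download and install crane (tarball name changed from crane_* to go-containerregistry_*)
          TARBALL="go-containerregistry_Linux_x86_64.tar.gz"
          curl -fsSL -o "$TARBALL" "https://github.com/google/go-containerregistry/releases/download/${LATEST_VERSION}/${TARBALL}"
          # Extract only the crane binary from the archive
          sudo tar -xzf "$TARBALL" -C /usr/local/bin crane
          rm -f "$TARBALL"
          crane version

      - name: Login to Quay
        id: quay-login
        env:
          QUAY_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
          QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }}
        shell: bash
        run: |
          set -euo pipefail
          # Without credentials the job succeeds as a no-op; the labelling
          # step is gated on the logged_in output written here.
          if [[ -z "${QUAY_ROBOT_USERNAME:-}" || -z "${QUAY_TOKEN:-}" ]]; then
            echo "Quay credentials not available; skipping label application."
            echo "logged_in=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Pass the token on stdin so it never appears in the process
          # argument list.
          printf '%s' "$QUAY_TOKEN" | crane auth login quay.io -u "$QUAY_ROBOT_USERNAME" --password-stdin
          echo "logged_in=true" >> "$GITHUB_OUTPUT"

      - name: Apply expiry label to PR image (best-effort)
        if: steps.quay-login.outputs.logged_in == 'true'
        env:
          # Passed through env rather than interpolated into the script text
          PR_NUMBER: ${{ github.event.pull_request.number }}
        shell: bash
        run: |
          set -euo pipefail
          # workflow_dispatch runs carry no pull request, so PR_NUMBER is empty
          if [[ -z "${PR_NUMBER:-}" ]]; then
            echo "Not a pull_request event; nothing to do." && exit 0
          fi
          IMAGE_REF="${QUAY_ODH_DASHBOARD_IMAGE_REPO}:pr-${PR_NUMBER}"
          echo "Target image: $IMAGE_REF"
          # Wait for the PR image to exist (Konflux/AppStudio push) up to ~2 minutes
          image_found=false
          for i in {1..12}; do
            if crane manifest "$IMAGE_REF" >/dev/null 2>&1; then
              echo "Found image $IMAGE_REF"
              image_found=true
              break
            fi
            echo "Image not found yet. Retry $i/12 ..."
            sleep 10
          done
          # A missing image is not an error: the step exits 0 without labelling
          if [[ "$image_found" != "true" ]]; then
            echo "PR image not available; skipping label application."
            exit 0
          fi
          echo "Applying label quay.expires-after=${EXPIRES_AFTER} to $IMAGE_REF"
          # Unlike the skips above, a failure here fails the step (set -e)
          crane mutate --label "quay.expires-after=${EXPIRES_AFTER}" "$IMAGE_REF"
          echo "Label applied."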