Enable trusted compute for docker deployment #1344
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # SPDX-FileCopyrightText: (C) 2025 Intel Corporation | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Pre-Merge CI Pipeline | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - release-* | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| MARKDOWNLINT_CLI_VER: 0.44.0 | |
| permissions: {} | |
| jobs: | |
| pre-checks: | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| filtered_projects: ${{ steps.filter-changes.outputs.filtered_projects }} | |
| other_changed_projects: ${{ steps.filter-changes.outputs.other_changed_projects }} | |
| docker_projects: ${{ steps.filter-changes.outputs.docker_projects }} | |
| no_docker_projects: ${{ steps.filter-changes.outputs.no_docker_projects }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: "Verify Branch Name" | |
| uses: open-edge-platform/orch-ci/verify-branch-name@bf82f7924caaac6ba2f388b6ec6ac4edd65f48ee # 2026.1.1 | |
| - name: "Discover Changed Subfolders" | |
| id: discover-changes | |
| uses: open-edge-platform/orch-ci/discover-changed-subfolders@bf82f7924caaac6ba2f388b6ec6ac4edd65f48ee # 2026.1.1 | |
| - name: "Filter Out Unwanted Changed Subfolders" | |
| id: filter-changes | |
| env: | |
| changed_projects: ${{ steps.discover-changes.outputs.changed_projects }} | |
| run: | | |
| folders_to_remove='[".github",".reuse","LICENSES",".git", "tests", "samples", "docs"]' | |
| no_docker_candidates='["baremetal", "helm"]' | |
| filtered_projects=$(echo "$changed_projects" | jq -cr --argjson folders_to_remove "$folders_to_remove" 'map(select(. as $item | $folders_to_remove | index($item) | not))') | |
| other_changed_projects=$(echo "$changed_projects" | jq -cr --argjson filtered_projects "$filtered_projects" 'map(select(. as $item | $filtered_projects | index($item) | not))') | |
| docker_projects=$(echo "$filtered_projects" | jq -cr --argjson no_docker_candidates "$no_docker_candidates" 'map(select(. as $item | $no_docker_candidates | index($item) | not))') | |
| no_docker_projects=$(echo "$filtered_projects" | jq -cr --argjson no_docker_candidates "$no_docker_candidates" 'map(select(. as $item | $no_docker_candidates | index($item)))') | |
| echo "filtered_projects=$filtered_projects" >> $GITHUB_OUTPUT | |
| echo "other_changed_projects=$other_changed_projects" >> $GITHUB_OUTPUT | |
| echo "docker_projects=$docker_projects" >> $GITHUB_OUTPUT | |
| echo "no_docker_projects=$no_docker_projects" >> $GITHUB_OUTPUT | |
| pre-merge-root: | |
| permissions: | |
| contents: read | |
| needs: pre-checks | |
| if: ${{ contains(needs.pre-checks.outputs.other_changed_projects, '.github') || contains(needs.pre-checks.outputs.other_changed_projects, 'LICENSES') || contains(needs.pre-checks.outputs.other_changed_projects, '""')}} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: '18' | |
| - run: | | |
| npm install -g \ | |
| "markdownlint-cli@${{ env.MARKDOWNLINT_CLI_VER }}" | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| id: setup_python | |
| with: | |
| python-version: '3.13' | |
| - name: Restore cached virtualenv | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| key: venv-${{ runner.os }}-${{ steps.setup_python.outputs.python-version }}-${{ hashFiles('requirements.txt') }} | |
| path: venv_infra | |
| - name: Run mdlint | |
| run: make mdlint | |
| - name: Run license check | |
| run: make license | |
| pre-merge-pipeline: | |
| permissions: | |
| contents: read | |
| needs: pre-checks | |
| if: ${{ needs.pre-checks.outputs.docker_projects != '[]' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| project_folder: ${{ fromJson(needs.pre-checks.outputs.docker_projects) }} | |
| uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@cd3e9a8d77db98ea1b3001fd879bdf5a56baa5e7 # 2026.1.1 | |
| with: | |
| run_security_scans: true | |
| run_version_check: false | |
| run_build: true | |
| run_lint: true | |
| run_test: true | |
| run_docker_build: true | |
| run_docker_push: true | |
| run_helm_build: true | |
| run_helm_push: true | |
| run_artifact: false | |
| project_folder: ${{ matrix.project_folder }} | |
| version_suffix: "-pr-${{ github.event.number }}" | |
| secrets: # zizmor: ignore[secrets-inherit] | |
| inherit | |
| pre-merge-pipeline-no-docker: | |
| permissions: | |
| contents: read | |
| needs: pre-checks | |
| if: ${{ needs.pre-checks.outputs.no_docker_projects != '[]' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| project_folder: ${{ fromJson(needs.pre-checks.outputs.no_docker_projects) }} | |
| uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@cd3e9a8d77db98ea1b3001fd879bdf5a56baa5e7 # 2026.1.1 | |
| with: | |
| run_security_scans: true | |
| run_version_check: false | |
| run_build: true | |
| run_lint: true | |
| run_test: true | |
| run_docker_build: false | |
| run_docker_push: false | |
| run_helm_build: true | |
| run_helm_push: true | |
| run_artifact: false | |
| project_folder: ${{ matrix.project_folder }} | |
| version_suffix: "-pr-${{ github.event.number }}" | |
| secrets: # zizmor: ignore[secrets-inherit] | |
| inherit | |
| final-check: | |
| runs-on: ubuntu-latest | |
| if: ${{ always() }} | |
| needs: [pre-merge-root, pre-merge-pipeline, pre-merge-pipeline-no-docker] | |
| steps: | |
| - name: Final Status Check | |
| env: | |
| pre_merge_pipeline: ${{ needs.pre-merge-pipeline.result }} | |
| pre_merge_pipeline_no_docker: ${{ needs.pre-merge-pipeline-no-docker.result }} | |
| pre_merge_root_pipeline: ${{ needs.pre-merge-root.result }} | |
| run: | | |
| results=("pre_merge_root_pipeline" "pre_merge_pipeline" "pre_merge_pipeline_no_docker") | |
| status="OK" | |
| for result in "${results[@]}"; do | |
| pipeline_result=$(eval echo \$$result) | |
| echo "${result} result: $pipeline_result" | |
| if [[ "$pipeline_result" != "success" && "$pipeline_result" != "skipped" ]]; then | |
| status="KO" | |
| fi | |
| done | |
| if [[ "$status" == "OK" ]]; then | |
| echo "Pre-merge check passed successfully." | |
| else | |
| echo "All pre-merge checks failed or were skipped. PR can't get merged" | |
| exit 1 | |
| fi |