nix-toolbox/.github/workflows/container.yml at de92d9de59eaed4439262141b45e076b755ab4be · thrix/nix-toolbox · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
---
name: Container Build

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
  schedule:
    - cron: '0 4 * * 1'
  workflow_dispatch:
  workflow_call:
    inputs:
      git_sha:
        required: true
        type: string
      pr_number:
        required: true
        type: string
    secrets:
      TESTING_FARM_API_TOKEN:
        required: true
      GHCR_TOKEN:
        required: true

jobs:
  build:
    runs-on: ubuntu-latest

    environment: build

    permissions:
      packages: write

    # Skip fork PRs — they are handled by container-pr.yml
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository

    strategy:
      matrix:
        include:
          - version: "42"
            plan: /tmt/build/f42
          - version: "43"
            plan: /tmt/build/f43
          - version: "44"
            plan: /tmt/build/f44
          - version: rawhide
            plan: /tmt/build/rawhide

    container:
      # Always use latest Testing Farm CLI to get newest features and fixes
      image: quay.io/testing-farm/cli:latest  # zizmor: ignore[unpinned-images]

    steps:
      - name: Resolve refs
        id: refs
        env:
          INPUT_PR_NUMBER: ${{ inputs.pr_number }}
          INPUT_GIT_SHA: ${{ inputs.git_sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_GIT_SHA: ${{ github.sha }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          if [ -n "${INPUT_PR_NUMBER}" ]; then
            echo "pr_number=${INPUT_PR_NUMBER}" >> "$GITHUB_OUTPUT"
            echo "git_sha=${INPUT_GIT_SHA}" >> "$GITHUB_OUTPUT"
          elif [ "${EVENT_NAME}" = "pull_request" ]; then
            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
            echo "git_sha=${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
          else
            echo "git_sha=${PUSH_GIT_SHA}" >> "$GITHUB_OUTPUT"
          fi

      - name: Compute image tag
        id: tag
        env:
          PR_NUMBER: ${{ steps.refs.outputs.pr_number }}
          VERSION: ${{ matrix.version }}
        run: |
          if [ -n "${PR_NUMBER}" ]; then
            echo "value=pr-${PR_NUMBER}-${VERSION}" >> "$GITHUB_OUTPUT"
          else
            echo "value=${VERSION}" >> "$GITHUB_OUTPUT"
          fi

      - name: Schedule build via Testing Farm
        env:
          TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
          REPO_OWNER: ${{ github.repository_owner }}
          GIT_SHA: ${{ steps.refs.outputs.git_sha }}
          TARGET_IMAGE: ghcr.io/thrix/nix-toolbox:${{ steps.tag.outputs.value }}
        run: |
          AUTH_JSON_BASE64=$(echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"$(echo -n "${REPO_OWNER}:${GHCR_TOKEN}" | base64 | tr -d '\n')\"}}}" | base64 | tr -d '\n')
          testing-farm request \
            -e ENABLE_PUSH="yes" \
            -e GIT_REF="${GIT_SHA}" \
            -e TARGET_IMAGE="${TARGET_IMAGE}" \
            -s AUTH_JSON_BASE64="${AUTH_JSON_BASE64}" \
            --plan "${{ matrix.plan }}" \
            --git-url https://github.com/thrix/nix-toolbox \
            --git-ref "${GIT_SHA}"