Skip to content

GitHub actions

Scott Ganyo edited this page May 11, 2023 · 8 revisions

Use Registry GitHub actions in workflows

The following Github actions are unpublished, but available directly from the registry repository.

setup-registry

The setup-registry action ensures registry CLI is locally installed and configured for further workflow actions. For example, a setup to access a Registry hosted on Google Cloud might look like this:

    - name: Installs and configures Registry CLI
      uses: apigee/registry/.github/actions/setup-registry@main
      with:
        name: cloud
        project: ${{ env.GOOGLE_CLOUD_PROJECT }}
        address: apigeeregistry.googleapis.com:443
        token-source: gcloud auth print-access-token
        insecure: false

Once setup, most registry cli commands can simply be run as steps like so:

- run: registry apply -f entity.yaml

registry-check

As checking a registry for conformance is more involved than simply running registry check, we provide a registry-check action that allows for not only running a set of rules, but also formatting and interpreting the results.

      - name: Check project and fail workflow if WARNING or ERROR
        uses: apigee/registry/.github/actions/registry-check@main
        with:
          pattern: projects/test
          error-level: WARNING

Example workflow

Here's an example of a full-featured workflow that pulls everything together. It performs the following:

  1. Create a local Registry for the workflow
  2. Set up the CLI to access the local Registry
  3. Apply some yaml to the local Registry
  4. Run registry check on the local Registry
  5. Only if registry check succeeds, the workflow continues...
  6. Set up the CLI to access a cloud Registry
  7. Apply the yaml to the cloud Registry

Note: The following example uses GCP Workload Identity Federation with Github OIDC, see Enabling keyless authentication from GitHub Actions for an overview of this setup and the Github reference for detailed security attributes: Configuring OpenID Connect in Google Cloud Platform.

on: [push, pull_request]

jobs:
  test-check-and-apply:
    name: Test entity.yaml locally and conditionally apply it to the cloud.
    runs-on: ubuntu-latest

    env:
      registry-yaml: entity.yaml
      workload_identity_provider: "projects/test/locations/global/workloadIdentityPools/github/providers/github"
      service_account: "[email protected]"

    permissions:
      id-token: write # required for requesting the JWT
      contents: read # required for actions/checkout

    services:
      local-registry: # will use a local SQLite3 instance
        image: ghcr.io/apigee/registry-server:main
        env:
          REGISTRY_LOGGING_LEVEL: debug
        ports:
          - 8080:8080

    steps:
      - uses: actions/checkout@v3
      - name: Configure a local Registry
        uses: apigee/registry/.github/actions/setup-registry@main
        with:
          name: local
          address: localhost:8080
          insecure: true
          project: test
      - name: Create a project on local Registry
        run: registry rpc admin create-project --project_id test
      - name: Apply yaml to the local Registry
        run: registry apply -f ${{ env.registry-yaml }}
      - name: Run check on the local Registry, stop if WARNING or above
        uses: apigee/registry/.github/actions/registry-check@main
        with:
          pattern: projects/test
          error-level: WARNING

      # No WARNINGS or ERRORS on local Registry check, continuing on...
      - name: Set up Google Cloud auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ env.workload_identity_provider }}
          service_account: ${{ env.service_account }}
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v1
      - uses: apigee/registry/.github/actions/setup-registry@main
        with:
          name: cloud
          project: ${{ env.GCP_PROJECT }} # set by setup-gcloud action
          address: apigeeregistry.googleapis.com:443
          insecure: false
          token-source: gcloud auth print-access-token
      - name: Apply API to cloud registry
        run: registry apply -f ${{ env.registry-yaml }}