Skip to content
This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

Backport provision token booltype fix (#1065) #237

Backport provision token booltype fix (#1065)

Backport provision token booltype fix (#1065) #237

Workflow file for this run

---
name: Build release
on:
workflow_dispatch:
inputs:
artifact-tag:
description: "The tag associated with the artifact to deploy (eg. v1.2.3)."
type: string
required: true
# This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run
workflow-tag:
description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID."
type: string
required: false
pull_request:
branches:
- master
push:
tags:
- "v*"
branches:
- master
concurrency:
group: "Limit to one build at a time for ref ${{ inputs.artifact-tag || github.head_ref || github.ref }}"
cancel-in-progress: true
jobs:
setup:
runs-on: ubuntu-latest
outputs:
gitref: ${{ steps.set-gitref.outputs.gitref }}
environment: ${{ steps.set-variables.outputs.environment }}
version: ${{ steps.set-variables.outputs.version }}
steps:
# TODO this really needs to move to shared workflows. This is the ~fourth place
# that this logic has been used.
- name: Determine git ref
id: set-gitref
env:
REF_VALUE: ${{ inputs.artifact-tag || github.head_ref || github.ref }}
run: |
# If a workflow dispatche triggered the run
if [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then
# REF_VALUE = inputs.artifact-tag, tag name
echo "gitref=refs/tags/$REF_VALUE" >> "$GITHUB_OUTPUT"
exit 0
fi
# If a push triggered the run
if [ "$GITHUB_EVENT_NAME" == "push" ]; then
# REF_VALUE = github.ref (fully formed)
echo "gitref=$REF_VALUE" >> "$GITHUB_OUTPUT"
exit 0
fi
# Otherwise, ref must be a branch
# REF_VALUE = github.head_ref, branch name
echo "gitref=refs/heads/$REF_VALUE" >> "$GITHUB_OUTPUT"
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ steps.set-gitref.outputs.gitref }}
- name: Set environment output values
id: set-variables
env:
INPUT_VERSION: ${{ inputs.artifact-tag }}
SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
run: |
generate_version() {
# Example: v1.2.3-gen.4+g5678abcd
# If HEAD is tagged (and matches the format) then the output will be just the tag (no commit count or hash)
git describe --tags --match "v[[:digit:]]*.[[:digit:]]*.[[:digit:]]" | sed 's/\(.*\)-\(.*\)-\(.*\)/\1-gen.\2+\3/'
}
get_output_vars() {
case "$GITHUB_EVENT_NAME" in
"workflow_dispatch")
# Case: workflow dispatch event. Pull most vars from inputs.
echo "environment=build-stage"
echo "version=$INPUT_VERSION"
;;
"pull_request")
echo "environment=build-stage"
echo "version=$(generate_version)"
;;
"push")
# Case: commit push event.
if [ "$GITHUB_REF_TYPE" != "tag" ]; then
echo "environment=build-stage"
echo "version=$(generate_version)"
return
fi
# Case: tag event with prerelease version.
if [ "${GITHUB_REF_NAME#*-}" != "$GITHUB_REF_NAME" ]; then
echo "environment=build-stage"
echo "version=$GITHUB_REF_NAME"
return
fi
# Case: tag event with release version. Only this
# should go to prod.
echo "environment=build-prod"
echo "version=$GITHUB_REF_NAME"
;;
*)
>&2 echo "Unknown GHA event $GITHUB_EVENT_NAME, failing"
exit 1
;;
esac
}
# **********************************************
# WARNING: the $GITHUB_OUTPUT file is sourced
# by the shell below. Multiline comments will
# break parsing and cause a build failure. For
# details, see
# https://github.com/gravitational/teleport-plugins/pull/983#discussion_r1477745917
# **********************************************
get_output_vars >> "$GITHUB_OUTPUT"
# Validate the semver
. "$GITHUB_OUTPUT" # Load the variables into the current environment
echo "$version" | grep -qP "$SEMVER_REGEX" || { echo "The artifact version $version is not a valid semver-coerced value"; exit 1; }
# Log the build details
echo "Built config:" | tee -a "$GITHUB_STEP_SUMMARY"
sed 's/^/* /' "$GITHUB_OUTPUT" | tee -a "$GITHUB_STEP_SUMMARY"
- name: ${{ inputs.workflow-tag }}
if: inputs.workflow-tag != ''
run: |
# Do nothing
# Each section here could be split out into a separate job, at the cost of slightly increased complexity.
# This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the
# tradeoff.
build-plugins:
needs: setup
runs-on: ubuntu-22.04-32core
environment: ${{ needs.setup.outputs.environment }}
permissions:
contents: read
id-token: write
env:
ARTIFACT_DIRECTORY: /tmp/build
steps:
# Setup
- name: Enable performance telemetry/metrics
uses: catchpoint/workflow-telemetry-action@v2
with:
comment_on_pr: false
- name: Checkout repo
uses: actions/checkout@v4
with:
ref: ${{ needs.setup.outputs.gitref }}
fetch-depth: 0 # This is required by some of the commands in the makefiles
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: "./go.mod"
check-latest: true
- name: Set environment variables for Makefiles
env:
VERSION_TAG: ${{ needs.setup.outputs.version }}
run: |
{
echo "VERSION=${VERSION_TAG##v}"
echo "GITREF=$VERSION_TAG"
} >> "$GITHUB_ENV"
# File artifacts
- name: Build the release tarballs
run: |
# Download Go dependencies
go mod download
# Build Binaries
make releases
# Build Helm charts
make helm-package-charts
# Terraform provider and event handler, as appropriate
go install github.com/konoui/lipo@latest # At some point this should be merged into the buildbox
make OS=linux ARCH=amd64 release/terraform release/event-handler
make OS=linux ARCH=arm64 release/terraform
make OS=darwin ARCH=amd64 release/terraform release/event-handler
make OS=darwin ARCH=arm64 release/terraform
make OS=darwin ARCH=universal release/terraform
- name: Collect the build files
run: |
mkdir -pv "$ARTIFACT_DIRECTORY"
find . \( -name '*.tar.gz' -o -name '*.tgz' \) -type f -exec cp {} "$ARTIFACT_DIRECTORY" \;
- name: Generate checksum files for built files
working-directory: ${{ env.ARTIFACT_DIRECTORY }}
run: |
shopt -s nullglob
for tarball in *.tar.gz *.tgz; do
sha256sum "$(basename "$tarball")" > "${tarball}.sha256"
done
echo "Artifacts:"
ls -lh
- name: Assume AWS role for uploading the artifacts
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }}
role-session-name: "tag-build-artifact-upload-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Upload artifacts to S3
working-directory: ${{ env.ARTIFACT_DIRECTORY }}
env:
PENDING_BUCKET: ${{ vars.PENDING_BUCKET }}
ARTIFACT_VERSION: ${{ needs.setup.outputs.version }}
run: aws s3 cp . "s3://$PENDING_BUCKET/teleport-plugins/tag/$ARTIFACT_VERSION/" --recursive
# Container artifacts
- name: Assume AWS role for pushing the container images
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }}
role-session-name: "tag-build-container-image-upload-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Authenticate with ECR
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
run: |
aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY"
- name: Build and push the container images
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
run: |
# Access plugins and event handler
make DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" \
docker-push-access-all docker-push-event-handler