diff --git a/.github/workflows/test-build-testpush.yaml b/.github/workflows/test-build-testpush.yaml new file mode 100644 index 0000000..93c32b7 --- /dev/null +++ b/.github/workflows/test-build-testpush.yaml @@ -0,0 +1,98 @@ +--- +# Workflow to build Docker image +# Based on openshift.yml (excluding OpenShift deployment) +# This workflow is intended for testing a new deployment to a +# "latest-test" image from a PR, on significant change. +# Article on use of pull_request_target here: +# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ + +name: "Run tests, build and push test image" + +env: + APP_NAME: "physrisk-api" + IMAGE_REGISTRY: "quay.io/os-climate" + IMAGE_TAGS: "" + +# yamllint disable-line rule:truthy +on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + pull_request_target: + types: [labeled] + + +# yamllint disable rule:line-length + +jobs: + build: + name: "Build and push to Quay" + runs-on: ubuntu-latest + if: contains(github.event.pull_request.labels.*.name, 'deploy test') + + steps: + - name: "Check for required secrets" + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OSC_PHYSRISK_API_QUAY_USER: `${{ secrets.OSC_PHYSRISK_API_QUAY_USER }}`, + OSC_PHYSRISK_API_QUAY_TOKEN: `${{ secrets.OSC_PHYSRISK_API_QUAY_TOKEN }}`, + }; + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: "Check out repository" + uses: actions/checkout@v2 + + - name: "Determine app name" + if: env.APP_NAME == '' + run: | + APP_NAME=$(basename "${PWD}") + echo "${APP_NAME}" | tee -a "${GITHUB_ENV}" + + - name: "Determine image tags" + if: env.IMAGE_TAGS == '' + run: | + echo "IMAGE_TAGS=latest-test ${GITHUB_SHA::12}" | tee -a "${GITHUB_ENV}" + + # https://github.com/redhat-actions/buildah-build#readme + - name: "Build from Dockerfile" + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.APP_NAME }} + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. + dockerfiles: | + ./Dockerfile + + # https://github.com/redhat-actions/push-to-registry#readme + - name: "Push to registry" + id: push-image + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ secrets.OSC_PHYSRISK_API_QUAY_USER }} + password: ${{ secrets.OSC_PHYSRISK_API_QUAY_TOKEN }}