Skip to content

chore(deps): Update RHEL UBI images (#790) #348

chore(deps): Update RHEL UBI images (#790)

chore(deps): Update RHEL UBI images (#790) #348

---
name: 'molecule certified EEs'
on: # yamllint disable-line rule:truthy
pull_request_target:
types:
- 'labeled'
paths:
- '.github/workflows/molecule_certified_ees.yml'
- '.github/workflows/wf_call_molecule_certified_ees.yml'
- 'defaults/**'
- 'files/**'
- 'handlers/**'
- 'library/**'
- 'lookup_plugins/**'
- 'meta/**'
- 'module_utils/**'
- 'molecule/**'
- 'tasks/**'
- 'templates/**'
- 'vars/**'
push:
branches:
- 'main'
paths:
- '.github/workflows/molecule_certified_ees.yml'
- '.github/workflows/wf_call_molecule_certified_ees.yml'
- 'defaults/**'
- 'files/**'
- 'handlers/**'
- 'library/**'
- 'lookup_plugins/**'
- 'meta/**'
- 'module_utils/**'
- 'molecule/**'
- 'tasks/**'
- 'templates/**'
- 'vars/**'
pull_request:
branches:
- 'main'
paths:
- '.github/workflows/molecule_certified_ees.yml'
- '.github/workflows/wf_call_molecule_certified_ees.yml'
- 'defaults/**'
- 'files/**'
- 'handlers/**'
- 'library/**'
- 'lookup_plugins/**'
- 'meta/**'
- 'module_utils/**'
- 'molecule/**'
- 'tasks/**'
- 'templates/**'
- 'vars/**'
workflow_dispatch:
inputs:
repoCache:
description: 'Reset or disable the cache?'
type: 'choice'
default: 'enabled'
options:
- 'enabled'
- 'disabled'
- 'reset'
moleculeDebug:
description: 'Enable Molecule debug?'
type: 'choice'
default: 'false'
options:
- 'true'
- 'false'
ansibleVerbosity:
description: 'Enable Ansible verbosity?'
type: 'choice'
default: '0'
options:
- '0'
- '1'
- '2'
- '3'
- '4'
- '5'
# schedule to reset caches once a week on Monday
schedule:
- cron: '30 2 * * 1'
permissions:
contents: 'read'
jobs:
check-secrets:
name: 'Check if required secrets are available'
runs-on: 'ubuntu-24.04'
permissions:
contents: 'read'
outputs:
secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f' # v2.10.2
with:
disable-sudo: true
egress-policy: 'block'
- name: 'Check if all required secrets are defined'
id: 'secret-check'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
(
[[ "${{ secrets.CRC_USERNAME }}" != '' ]] &&
[[ "${{ secrets.CRC_PASSWORD }}" != '' ]]
) || {
echo "secrets-defined=false" >> "${GITHUB_OUTPUT}";
exit 0;
};
# secrets not empty, so assuming defined
echo "secrets-defined=true" >> "${GITHUB_OUTPUT}";
check-should-cache:
name: 'Check whether caching should be enabled'
# only run the job if the job context's branch is main or the 'run' label is set or
# the secrets are defined (due to a contributor raising the PR)
if: >-
contains(github.event.pull_request.labels.*.name, 'run') ||
github.ref == 'refs/heads/main' ||
needs.check-secrets.outputs.secrets-defined == 'true'
needs: 'check-secrets'
runs-on: 'ubuntu-24.04'
permissions:
contents: 'read'
outputs:
repo-cache: '${{ steps.cache-check.outputs.repo-cache }}'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f' # v2.10.2
with:
disable-sudo: true
egress-policy: 'block'
- name: 'Check if caching should be enabled'
id: 'cache-check'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
(
[[ "${{ github.event_name }}" != "schedule" ]] &&
[[ "${{ github.event.schedule }}" != "30 2 * * 1" ]]
) || {
# event is the schedule to reset the cache, resetting cache
echo "INFO: Schedule detected, resetting cache";
echo "repo-cache=reset" >> "${GITHUB_OUTPUT}";
exit 0;
};
[[ "${{ github.event.inputs.repoCache }}" == "" ]] || {
# repoCache is set
echo "INFO: repoCache input variable defined: ${{ github.event.inputs.repoCache }}";
echo "repo-cache=${{ github.event.intputs.repoCache }}" >> "${GITHUB_OUTPUT}";
exit 0;
};
# repoCache not set, caching by default
echo "INFO: repoCache input not defined nor running in a schedule, enabling caching"
echo "repo-cache=enabled" >> "${GITHUB_OUTPUT}"
call-molecule-workflow:
name: 'Include molecule workflow'
if: "needs.check-secrets.outputs.secrets-defined == 'true'"
permissions:
contents: 'write'
needs:
- 'check-secrets'
- 'check-should-cache'
uses: './.github/workflows/wf_call_molecule_certified_ees.yml'
with:
repoCache: "${{ needs.check-should-cache.outputs.repo-cache }}"
moleculeDebug: "${{ github.event.inputs.moleculeDebug }}"
ansibleVerbosity: "${{ github.event.inputs.ansibleVerbosity }}"
secrets:
CRC_USERNAME: '${{ secrets.CRC_USERNAME }}'
CRC_PASSWORD: '${{ secrets.CRC_PASSWORD }}'
token: '${{ secrets.GITHUB_TOKEN }}'
...