forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
102 lines (95 loc) · 3.02 KB
/
envoy-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# This workflow is triggered by azp currently
# Once arm/x64 build jobs are shifted to github, this can be triggered
# by on: workflow_run
name: Envoy/Publish & verify
permissions:
contents: read
on:
# This runs untrusted code, do not expose secrets in the verify job
workflow_dispatch:
inputs:
ref:
description: "Git SHA ref to checkout"
sha:
description: "Git SHA of commit HEAD (ie last commit of PR)"
head_ref:
description: "Ref for grouping PRs"
concurrency:
group: >-
${{ github.actor != 'trigger-release-envoy[bot]'
&& github.event.inputs.head_ref
|| github.run_id
}}-${{ github.event.workflow.id }}
cancel-in-progress: true
jobs:
load:
secrets:
app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
app-id: ${{ secrets.ENVOY_CI_APP_ID }}
lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
permissions:
actions: read
contents: read
packages: read
pull-requests: read
if: >-
${{
(github.repository == 'envoyproxy/envoy'
|| vars.ENVOY_CI)
&& (!contains(github.actor, '[bot]')
|| github.actor == 'trigger-workflow-envoy[bot]'
|| github.actor == 'trigger-release-envoy[bot]')
}}
uses: ./.github/workflows/_load.yml
with:
check-name: publish
head-sha: ${{ inputs.sha }}
publish:
secrets:
ENVOY_CI_SYNC_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_ID || '' }}
ENVOY_CI_SYNC_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_KEY || '' }}
ENVOY_CI_PUBLISH_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }}
ENVOY_CI_PUBLISH_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }}
permissions:
contents: read
packages: read
if: ${{ fromJSON(needs.load.outputs.request).run.publish }}
needs:
- load
uses: ./.github/workflows/_stage_publish.yml
name: Publish
with:
request: ${{ needs.load.outputs.request }}
trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
verify:
permissions:
contents: read
packages: read
if: ${{ fromJSON(needs.load.outputs.request).run.verify }}
needs:
- load
uses: ./.github/workflows/_stage_verify.yml
name: Verify
with:
request: ${{ needs.load.outputs.request }}
trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
request:
secrets:
app-id: ${{ secrets.ENVOY_CI_APP_ID }}
app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
permissions:
actions: read
contents: read
pull-requests: read
if: >-
${{ always()
&& (fromJSON(needs.load.outputs.request).run.publish
|| fromJSON(needs.load.outputs.request).run.verify) }}
needs:
- load
- publish
- verify
uses: ./.github/workflows/_finish.yml
with:
needs: ${{ toJSON(needs) }}