Skip to content

Remove usage of kube-rbac-proxy and switch to the built-in WithAuthenticationAndAuthorization filter instead #627

Remove usage of kube-rbac-proxy and switch to the built-in WithAuthenticationAndAuthorization filter instead

Remove usage of kube-rbac-proxy and switch to the built-in WithAuthenticationAndAuthorization filter instead #627

name: PR Build operator, bundle, and catalog images
on:
# /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below
# may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
# As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets,
# we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment
# will prevent the job from running until it's approved manually by human intervention.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
branches:
- main
- rhdh-1.[0-9]+
- 1.[0-9]+.x
- release-1.[0-9]+
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
cancel-in-progress: true
env:
REGISTRY: quay.io
jobs:
authorize:
# The 'external' environment is configured with the odo-maintainers team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
# see list of approvers in OWNERS file
environment:
${{ (github.event.pull_request.head.repo.full_name == github.repository ||
contains(fromJSON('["coreydaley","gazarenkov","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: approved
run: |
echo "✓"
pr-build:
name: PR Publish
runs-on: ubuntu-latest
needs: authorize
permissions:
contents: read
packages: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
# check changes in this commit for regex include and exclude matches; pipe to an env var
- name: Check for changes to build
run: |
# don't fail if nothing returned by grep
set +e
CHANGES="$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | \
grep -E "workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go|docker/|\.dockerignore" | \
grep -v -E ".+_test.go|/.rhdh/")";
echo "Changed files for this commit:"
echo "=============================="
echo "$CHANGES"
echo "=============================="
{
echo 'CHANGES<<EOF'
echo $CHANGES
echo EOF
} >> "$GITHUB_ENV"
- name: Setup Go
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
with:
go-version-file: 'go.mod'
- name: Get the last commit short SHA of the PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }})
echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //") # 0.0.1
echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV
- name: Login to quay.io
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ vars.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Build and push operator, bundle, and catalog images
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
run: |
# install skopeo, podman
sudo apt-get -y update; sudo apt-get -y install skopeo podman
export CONTAINER_ENGINE=podman
export VERSION=${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}
set -ex
# build 4 container images with a 14d expiry
CONTAINER_ENGINE=${CONTAINER_ENGINE} VERSION=${VERSION} make lint release-build
# now copy images from local cache to quay, using 0.0.1-pr-123-f00cafe and 0.0.1-pr-123 tags
for image in operator operator-bundle operator-catalog; do
podman push -q quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION}
skopeo --insecure-policy copy --all docker://quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION}
skopeo --insecure-policy copy --all docker://quay.io/rhdh-community/${image}:${VERSION} docker://quay.io/rhdh-community/${image}:${VERSION%-*}
done
env:
# to avoid throttling on RHD org, use GH token
GH_TOKEN: ${{ secrets.RHDH_BOT_TOKEN }}
- name: Comment image links in PR
# run this stage only if there are changes that match the includes and not the excludes
if: ${{ env.CHANGES != '' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
with:
script: |
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: 'PR images are available:<br/><ol><li>https://quay.io/rhdh-community/operator:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-bundle:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li><li>https://quay.io/rhdh-community/operator-catalog:${{ env.BASE_VERSION }}-pr-${{ github.event.number }}-${{ env.SHORT_SHA }}</li></ol>'
})