Bump dorny/paths-filter from 3.0.0 to 3.0.2 #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build and Publish from PR" | |
## | |
# This workflow builds and publishes a Docker image for Plugin from a PR. | |
# It has its own special IAM role, does not sign the image, and publishes to | |
# a special ECR repo. | |
## | |
on: | |
pull_request: | |
jobs: | |
build-publish-untrusted: | |
if: ${{ ! startsWith(github.ref_name, 'release/') }} | |
runs-on: ubuntu-20.04 | |
environment: sdlc | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
ECR_IMAGE_NAME: crib-plugin-untrusted | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Git Short SHA | |
shell: bash | |
env: | |
GIT_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
run: | | |
echo "GIT_SHORT_SHA=${GIT_PR_HEAD_SHA:0:7}" | tee -a "$GITHUB_ENV" | |
- name: Check if image exists | |
id: check-image | |
uses: goplugin/plugin-github-actions/docker/image-exists@92e0f299a87522c2a37bfc4686c4d8a96dc9d28b # v2.3.5 | |
with: | |
repository: ${{ env.ECR_IMAGE_NAME}} | |
tag: sha-${{ env.GIT_SHORT_SHA }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }} | |
- name: Build and publish plugin image | |
if: steps.check-image.outputs.exists == 'false' | |
uses: ./.github/actions/build-sign-publish-plugin | |
with: | |
publish: true | |
aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }} | |
aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS_DEFAULT }} | |
aws-region: ${{ secrets.AWS_REGION }} | |
sign-images: false | |
ecr-hostname: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }} | |
ecr-image-name: ${{ env.ECR_IMAGE_NAME }} | |
dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} | |
dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} | |
- name: Get PR labels | |
id: pr-labels | |
env: | |
GH_TOKEN: ${{ github.token }} | |
PR_NUMBER: ${{ github.event.number }} | |
run: | | |
RESPONSE=$(gh pr view ${PR_NUMBER} --json labels) | |
# Check if the labels command was successful | |
if [[ $? -ne 0 ]]; then | |
echo "Error fetching labels" | |
exit 1 | |
fi | |
echo "RESPONSE=${RESPONSE}" | |
LABELS=$(echo "$RESPONSE" | jq -r '.labels | map(.name) | join(", ")') | |
# Check if any labels were found | |
if [[ -z "${LABELS:-}" ]]; then | |
echo "No labels found" | |
else | |
echo "labels=${LABELS}" | tee -a "${GITHUB_OUTPUT}" | |
fi | |
- name: Setup GAP | |
if: contains(steps.pr-labels.outputs.labels, 'crib') | |
uses: goplugin/.github/actions/setup-gap@main | |
with: | |
aws-region: ${{ secrets.AWS_REGION }} | |
aws-role-arn: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }} | |
api-gateway-host: ${{ secrets.AWS_API_GW_HOST_ARGO_SAND }} | |
use-argocd: "true" | |
argocd-user: ${{ secrets.ARGOCD_USER_SAND }} | |
argocd-pass: ${{ secrets.ARGOCD_PASS_SAND }} | |
# Run an Argo CD sync after the image is built. | |
- name: Argo CD App Sync | |
if: contains(steps.pr-labels.outputs.labels, 'crib') | |
shell: bash | |
env: | |
PR_NUMBER: ${{ github.event.number }} | |
run: | | |
argocd app sync \ | |
--plaintext \ | |
--grpc-web \ | |
--async \ | |
"crib-plugin-${PR_NUMBER}" | |
- name: Collect Metrics | |
if: always() | |
id: collect-gha-metrics | |
uses: goplugin/push-gha-metrics-action@0281b09807758be1dcc41651e44e62b353808c47 # v2.1.0 | |
with: | |
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} | |
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} | |
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} | |
this-job-name: build-publish-untrusted | |
continue-on-error: true |