diff --git a/.github/workflows/build-ci.yml b/.github/workflows/build-ci.yml
new file mode 100644
index 00000000..e9279d3d
--- /dev/null
+++ b/.github/workflows/build-ci.yml
@@ -0,0 +1,135 @@
+name: build-CI
+
+concurrency:
+ group: ci-${{ github.run_id }}
+ cancel-in-progress: true
+
+on:
+ push:
+ branches:
+ - main
+ - v[0-9]+
+ - v[0-9]+.[0-9]+
+ - cryostat-v[0-9]+.[0-9]+
+
+env:
+ CI_USER: cryostat+bot
+ CI_REGISTRY: quay.io/cryostat
+ CI_OPERATOR_IMG: quay.io/cryostat/cryostat-operator
+ CI_BUNDLE_IMG: quay.io/cryostat/cryostat-operator-bundle
+ CI_SCORECARD_IMG: quay.io/cryostat/cryostat-operator-scorecard
+ CI_PLATFORMS: linux/amd64,linux/arm64
+ OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key"
+ OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04"
+
+jobs:
+ build-operator:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install podman v4
+ run: |
+ echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
+ curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
+ sudo apt update
+ sudo apt install podman
+ - name: Build operator image
+ run: |
+ IMAGE_NAMESPACE=${{ env.CI_REGISTRY }} SKIP_TESTS=true PLATFORMS=${{ env.CI_PLATFORMS }} MANIFEST_PUSH=false make oci-buildx
+ - name: Tag image
+ id: tag-image
+ run: |
+ IMG_TAG="$(make --eval='print-img-ver: ; @echo $(IMAGE_VERSION)' print-img-ver)"
+ if [ "$GITHUB_REF" == "refs/heads/main" ]; then
+ podman tag \
+ ${{ env.CI_OPERATOR_IMG }}:$IMG_TAG \
+ ${{ env.CI_OPERATOR_IMG }}:latest
+ echo "tags=$IMG_TAG latest" >> $GITHUB_OUTPUT
+ else
+ echo "tags=$IMG_TAG" >> $GITHUB_OUTPUT
+ fi
+ - name: Push to quay.io
+ id: push-to-quay
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator
+ tags: ${{ steps.tag-image.outputs.tags }}
+ registry: ${{ env.CI_REGISTRY }}
+ username: ${{ env.CI_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ - name: Print image URL
+ run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+
+ build-bundle:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build bundle image
+ run: IMAGE_NAMESPACE=${{ env.CI_REGISTRY }} make bundle-build
+ - name: Tag image
+ id: tag-image
+ run: |
+ IMG_TAG="$(make --eval='print-img-ver: ; @echo $(IMAGE_VERSION)' print-img-ver)"
+ if [ "$GITHUB_REF" == "refs/heads/main" ]; then
+ podman tag \
+ ${{ env.CI_BUNDLE_IMG }}:$IMG_TAG \
+ ${{ env.CI_BUNDLE_IMG }}:latest
+ echo "tags=$IMG_TAG latest" >> $GITHUB_OUTPUT
+ else
+ echo "tags=$IMG_TAG" >> $GITHUB_OUTPUT
+ fi
+ - name: Push to quay.io
+ id: push-to-quay
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator-bundle
+ tags: ${{ steps.tag-image.outputs.tags }}
+ registry: ${{ env.CI_REGISTRY }}
+ username: ${{ env.CI_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ - name: Print image URL
+ run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+
+ build-scorecard:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Get scorecard image tag
+ id: get-image-tag
+ run: |
+ SCORECARD_TAG=$(yq '[.stages[0].tests[].image | capture("cryostat-operator-scorecard:(?P[\w.\-_]+)$")][0].tag' bundle/tests/scorecard/config.yaml)
+ echo "tag=$SCORECARD_TAG" >> $GITHUB_OUTPUT
+ - name: Check if scorecard image tag already exists
+ id: check-tag-exists
+ run: |
+ EXIST=false
+ if [ -n "$(podman search --list-tags ${CI_SCORECARD_IMG} --format json | jq --arg TAG ${{ steps.get-image-tag.outputs.tag }} '.[0].Tags[] | select( . == $TAG)')" ]; then
+ EXIST=true
+ fi
+ echo "exist=$EXIST" >> $GITHUB_OUTPUT
+ - name: Install podman v4
+ run: |
+ echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
+ curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
+ sudo apt update
+ sudo apt install podman
+ - name: Build scorecard image
+ run: |
+ CUSTOM_SCORECARD_IMG=${CI_SCORECARD_IMG}:${{ steps.get-image-tag.outputs.tag }} \
+ PLATFORMS=${{ env.CI_PLATFORMS }} \
+ MANIFEST_PUSH=false \
+ make scorecard-build
+ if: ${{ steps.check-tag-exists.outputs.exist == 'false' }}
+ - name: Push to quay.io
+ id: push-to-quay
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator-scorecard
+ tags: ${{ steps.get-image-tag.outputs.tag }}
+ registry: ${{ env.CI_REGISTRY }}
+ username: ${{ env.CI_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ if: ${{ steps.check-tag-exists.outputs.exist == 'false' }}
+ - name: Print image URL
+ run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+ if: ${{ steps.check-tag-exists.outputs.exist == 'false' }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
deleted file mode 100644
index 1eefc65d..00000000
--- a/.github/workflows/ci.yaml
+++ /dev/null
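Review bot: Every `Push to quay.io` step in build-ci.yml hands `secrets.REGISTRY_PASSWORD` to `redhat-actions/push-to-registry@v2`, a third-party action referenced by a mutable tag, in the workflow that publishes the release images; pinning it to a full commit SHA (`uses: redhat-actions/push-to-registry@<full-commit-sha> # v2`, placeholder to be filled from the action's repository) keeps a retagged release from running with the registry credential. The workflow also sets no `permissions:`, so each job gets the repository's default `GITHUB_TOKEN` scope although nothing visible here appears to need more than `contents: read`. The deleted ci.yaml gated these three jobs on `github.repository_owner == 'cryostatio'`; that condition is not carried over, so a fork that pushes to `main` runs them as well, and while the push step should fail there without the secret, the guard made the intent explicit.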
@@ -1,297 +0,0 @@ -name: CI - -concurrency: - group: ci-${{ github.run_id }} - cancel-in-progress: true - -on: - push: - branches: - - main - - v[0-9]+ - - v[0-9]+.[0-9]+ - - cryostat-v[0-9]+.[0-9]+ - - pull_request_target: - types: - - opened - - reopened - - synchronize - - labeled - - unlabeled - branches: - - main - - v[0-9]+ - - v[0-9]+.[0-9]+ - - cryostat-v[0-9]+.[0-9]+ - -env: - CI_USER: cryostat+bot - CI_REGISTRY: quay.io/cryostat - CI_OPERATOR_IMG: quay.io/cryostat/cryostat-operator - CI_BUNDLE_IMG: quay.io/cryostat/cryostat-operator-bundle - CI_SCORECARD_IMG: quay.io/cryostat/cryostat-operator-scorecard - CI_PLATFORMS: linux/amd64,linux/arm64 - REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} - REF: ${{ github.event.pull_request.head.ref }} - OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key" - OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04" - -jobs: - get-test-image-tag: - runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'cryostatio' }} - outputs: - tag: ${{ steps.compute-tag.outputs.tag }} - steps: - - name: Compute test image tag - id: compute-tag - run: | - prefix="ci" - if [ -n "${{ github.event.number }}" ]; then - prefix="pr-${{ github.event.number }}" - fi - echo "tag=${prefix}-$GITHUB_SHA" >> $GITHUB_OUTPUT - clean-up-test-images: - runs-on: ubuntu-latest - needs: [get-test-image-tag, scorecard-test] - if: github.repository_owner == 'cryostatio' - strategy: - matrix: - image: [cryostat-operator, cryostat-operator-bundle, cryostat-operator-scorecard] - steps: - - uses: r26d/ghcr-delete-image-action@v1.3.0 - with: - owner: ${{ github.repository_owner }} - name: ${{ matrix.image }} - token: ${{ secrets.GHCR_PR_TOKEN }} - ignore-missing-package: true - tag-regex: ${{ needs.get-test-image-tag.outputs.tag }} - tagged-keep-latest: 0 - 
controller-test: - runs-on: ubuntu-latest - if: ${{ github.repository_owner == 'cryostatio' }} - steps: - - name: Fail if safe-to-test label NOT applied - if: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }} - run: exit 1 - - uses: actions/checkout@v2 - with: - repository: ${{ env.REPOSITORY }} - ref: ${{ env.REF }} - - uses: actions/setup-go@v2 - with: - go-version: '1.20.*' - - uses: actions/cache@v2 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Run controller tests - run: make test-envtest - scorecard-test: - runs-on: ubuntu-latest - needs: [get-test-image-tag] - env: - TAG: ${{ needs.get-test-image-tag.outputs.tag }} - if: ${{ github.repository_owner == 'cryostatio' }} - steps: - - name: Fail if safe-to-test label NOT applied - if: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }} - run: exit 1 - - uses: actions/checkout@v2 - with: - repository: ${{ env.REPOSITORY }} - ref: ${{ env.REF }} - - uses: jpkrohling/setup-operator-sdk@v1.1.0 - with: - operator-sdk-version: v1.28.0 - - name: Install podman v4 - run: | - echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list - curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg - sudo apt update - sudo apt install podman - - name: Build scorecard image for test - run: | - CUSTOM_SCORECARD_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator-scorecard:${{ env.TAG }} \ - PLATFORMS=linux/amd64 \ - MANIFEST_PUSH=false \ - make scorecard-build - - name: Push scorecard image to ghcr.io for test - id: push-scorecard-to-ghcr - uses: redhat-actions/push-to-registry@v2 - with: - image: 
cryostat-operator-scorecard - tags: ${{ env.TAG }} - registry: ghcr.io/${{ github.repository_owner }} - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_PR_TOKEN }} - - name: Build operator image for test - run: | - OPERATOR_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator:${{ env.TAG }} \ - SKIP_TESTS=true \ - make oci-build - - name: Push operator image to ghcr.io for test - id: push-operator-to-ghcr - uses: redhat-actions/push-to-registry@v2 - with: - image: cryostat-operator - tags: ${{ env.TAG }} - registry: ghcr.io/${{ github.repository_owner }} - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_PR_TOKEN }} - - name: Build bundle image for test - run: | - yq -i '.spec.template.spec.imagePullSecrets = [{"name": "registry-key"}]' config/manager/manager.yaml - OPERATOR_IMG=${{ steps.push-operator-to-ghcr.outputs.registry-path }} \ - BUNDLE_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator-bundle:${{ env.TAG }} \ - make bundle bundle-build - - name: Push bundle image to ghcr.io for test - id: push-bundle-to-ghcr - uses: redhat-actions/push-to-registry@v2 - with: - image: cryostat-operator-bundle - tags: ${{ env.TAG }} - registry: ghcr.io/${{ github.repository_owner }} - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_PR_TOKEN }} - - name: Set up Kind cluster - run: | - kind create cluster --config=".github/kind-config.yaml" -n ci-${{ github.run_id }} - # Enabling Ingress - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml - kubectl rollout status -w deployment/ingress-nginx-controller -n ingress-nginx --timeout 5m - - name: Install Operator Lifecycle Manager - run: curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.24.0/install.sh | bash -s v0.24.0 - - name: Install Cert Manager - run: make cert_manager - - uses: redhat-actions/podman-login@v1 - with: - registry: 
ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_PR_TOKEN }} - auth_file_path: $HOME/.docker/config.json - - name: Run scorecard tests - run: | - SCORECARD_REGISTRY_SERVER="ghcr.io" \ - SCORECARD_REGISTRY_USERNAME="${{ github.repository_owner }}" \ - SCORECARD_REGISTRY_PASSWORD="${{ secrets.GHCR_PR_TOKEN }}" \ - BUNDLE_IMG="${{ steps.push-bundle-to-ghcr.outputs.registry-path }}" \ - make test-scorecard - - name: Clean up Kind cluster - run: kind delete cluster -n ci-${{ github.run_id }} - build-operator: - runs-on: ubuntu-latest - if: ${{ github.event_name == 'push' && github.repository_owner == 'cryostatio' }} - steps: - - uses: actions/checkout@v2 - - name: Install podman v4 - run: | - echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list - curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null - sudo apt update - sudo apt install podman - - name: Build operator image - run: | - IMAGE_NAMESPACE=${{ env.CI_REGISTRY }} SKIP_TESTS=true PLATFORMS=${{ env.CI_PLATFORMS }} MANIFEST_PUSH=false make oci-buildx - - name: Tag image - id: tag-image - run: | - IMG_TAG="$(make --eval='print-img-ver: ; @echo $(IMAGE_VERSION)' print-img-ver)" - if [ "$GITHUB_REF" == "refs/heads/main" ]; then - podman tag \ - ${{ env.CI_OPERATOR_IMG }}:$IMG_TAG \ - ${{ env.CI_OPERATOR_IMG }}:latest - echo "tags=$IMG_TAG latest" >> $GITHUB_OUTPUT - else - echo "tags=$IMG_TAG" >> $GITHUB_OUTPUT - fi - - name: Push to quay.io - id: push-to-quay - uses: redhat-actions/push-to-registry@v2 - with: - image: cryostat-operator - tags: ${{ steps.tag-image.outputs.tags }} - registry: ${{ env.CI_REGISTRY }} - username: ${{ env.CI_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - name: Print image URL - run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" - build-bundle: 
- runs-on: ubuntu-latest - if: ${{ github.event_name == 'push' && github.repository_owner == 'cryostatio' }} - steps: - - uses: actions/checkout@v2 - - name: Build bundle image - run: IMAGE_NAMESPACE=${{ env.CI_REGISTRY }} make bundle-build - - name: Tag image - id: tag-image - run: | - IMG_TAG="$(make --eval='print-img-ver: ; @echo $(IMAGE_VERSION)' print-img-ver)" - if [ "$GITHUB_REF" == "refs/heads/main" ]; then - podman tag \ - ${{ env.CI_BUNDLE_IMG }}:$IMG_TAG \ - ${{ env.CI_BUNDLE_IMG }}:latest - echo "tags=$IMG_TAG latest" >> $GITHUB_OUTPUT - else - echo "tags=$IMG_TAG" >> $GITHUB_OUTPUT - fi - - name: Push to quay.io - id: push-to-quay - uses: redhat-actions/push-to-registry@v2 - with: - image: cryostat-operator-bundle - tags: ${{ steps.tag-image.outputs.tags }} - registry: ${{ env.CI_REGISTRY }} - username: ${{ env.CI_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - name: Print image URL - run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" - build-scorecard: - runs-on: ubuntu-latest - if: ${{ github.event_name == 'push' && github.repository_owner == 'cryostatio' }} - steps: - - uses: actions/checkout@v2 - - name: Get scorecard image tag - id: get-image-tag - run: | - SCORECARD_TAG=$(yq '[.stages[0].tests[].image | capture("cryostat-operator-scorecard:(?P[\w.\-_]+)$")][0].tag' bundle/tests/scorecard/config.yaml) - echo "tag=$SCORECARD_TAG" >> $GITHUB_OUTPUT - - name: Check if scorecard image tag already exists - id: check-tag-exists - run: | - EXIST=false - if [ -n "$(podman search --list-tags ${CI_SCORECARD_IMG} --format json | jq --arg TAG ${{ steps.get-image-tag.outputs.tag }} '.[0].Tags[] | select( . 
== $TAG)')" ]; then - EXIST=true - fi - echo "exist=$EXIST" >> $GITHUB_OUTPUT - - name: Install podman v4 - run: | - echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list - curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null - sudo apt update - sudo apt install podman - - name: Build scorecard image - run: | - CUSTOM_SCORECARD_IMG=${CI_SCORECARD_IMG}:${{ steps.get-image-tag.outputs.tag }} \ - PLATFORMS=${{ env.CI_PLATFORMS }} \ - MANIFEST_PUSH=false \ - make scorecard-build - if: ${{ steps.check-tag-exists.outputs.exist == 'false' }} - - name: Push to quay.io - id: push-to-quay - uses: redhat-actions/push-to-registry@v2 - with: - image: cryostat-operator-scorecard - tags: ${{ steps.get-image-tag.outputs.tag }} - registry: ${{ env.CI_REGISTRY }} - username: ${{ env.CI_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} - if: ${{ steps.check-tag-exists.outputs.exist == 'false' }} - - name: Print image URL - run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" - if: ${{ steps.check-tag-exists.outputs.exist == 'false' }} diff --git a/.github/workflows/test-ci-command.yml b/.github/workflows/test-ci-command.yml new file mode 100644 index 00000000..e9c2b83f --- /dev/null +++ b/.github/workflows/test-ci-command.yml 
@@ -0,0 +1,92 @@
+name: test-CI-on-PR-command
+
+concurrency:
+ group: ci-${{ github.run_id }}
+ cancel-in-progress: true
+
+on:
+ issue_comment:
+ types:
+ - created
+
+jobs:
+ check-before-test:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test')
+ steps:
+ - name: Fail if needs-triage label applied
+ if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }}
+ run: exit 1
+ - name: Show warning if permission is denied
+ if: |
+ !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
+ && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.name != github.event.comment.user.name)
+ uses: thollander/actions-comment-pull-request@v2
+ with:
+ message: |-
+ You do not have permission to run the /build_test command. Please ask @cryostatio/reviewers
+ to resolve the issue.
+ - name: Fail if command permission is denied
+ if: |
+ !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
+ && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.name != github.event.comment.user.name)
+ run: exit 1
+ - name: React to comment
+ uses: actions/github-script@v4
+ with:
+ script: |
+ const {owner, repo} = context.issue
+ github.reactions.createForIssueComment({
+ owner,
+ repo,
+ comment_id: context.payload.comment.id,
+ content: "+1",
+ });
+
+ checkout-branch:
+ runs-on: ubuntu-latest
+ needs: [check-before-test]
+ permissions:
+ pull-requests: read
+ outputs:
+ PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }}
+ PR_num: ${{ fromJSON(steps.comment-branch.outputs.result).num }}
+ PR_repo: ${{ fromJSON(steps.comment-branch.outputs.result).repo }}
+ steps:
+ - uses: actions/github-script@v4
+ id: comment-branch
+ with:
+ script: |
+ const result = await github.pulls.get ({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number
+ })
+ return { repo: result.data.head.repo.full_name, num: result.data.number, ref: result.data.head.ref }
+
+ get-test-image-tag:
+ runs-on: ubuntu-latest
+ needs: [checkout-branch]
+ env:
+ num: ${{ needs.checkout-branch.outputs.PR_num }}
+ outputs:
+ tag: ${{ steps.compute-tag.outputs.tag }}
+ steps:
+ - name: Compute test image tag
+ id: compute-tag
+ run: |
+ prefix="ci"
+ if [ -n "${{ env.num }}" ]; then
+ prefix="pr-${{ env.num }}"
+ fi
+ echo "tag=${prefix}-$GITHUB_SHA" >> $GITHUB_OUTPUT
+
+ run-test-jobs:
+ uses: ./.github/workflows/test-ci-reusable.yml
+ needs: [get-test-image-tag, checkout-branch]
+ with:
+ repository: ${{ needs.checkout-branch.outputs.PR_repo }}
+ ref: ${{ needs.checkout-branch.outputs.PR_head_ref }}
+ tag: ${{ needs.get-test-image-tag.outputs.tag }}
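Review bot: The author check in both permission `if:` conditions of `check-before-test` compares `github.event.issue.user.name` with `github.event.comment.user.name`, but the user objects in the issue_comment payload expose `login` rather than `name`; if both sides evaluate to empty the inequality is never true, so once `safe-to-test` is applied any commenter, not only the PR author, would pass the gate. Comparing `github.event.issue.user.login != github.event.comment.user.login` restores the intended check. The label also stays valid for commits pushed after it was applied, and `checkout-branch` returns the mutable `result.data.head.ref`, so the tree that later runs alongside `GHCR_PR_TOKEN` can differ from what a reviewer looked at; returning `result.data.head.sha` and checking that out pins the run to the commit present when the command was handled. Note too that `$GITHUB_SHA` on an issue_comment event refers to the default branch, so the computed tag does not identify the PR commit under test.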
diff --git a/.github/workflows/test-ci-push.yml b/.github/workflows/test-ci-push.yml
new file mode 100644
index 00000000..0bc83e3d
--- /dev/null
+++ b/.github/workflows/test-ci-push.yml
@@ -0,0 +1,34 @@
+name: test-CI-on-push
+
+concurrency:
+ group: ci-${{ github.run_id }}
+ cancel-in-progress: true
+
+on:
+ push:
+ branches:
+ - main
+ - v[0-9]+
+ - v[0-9]+.[0-9]+
+ - cryostat-v[0-9]+.[0-9]+
+
+jobs:
+ get-test-image-tag:
+ runs-on: ubuntu-latest
+ outputs:
+ tag: ${{ steps.compute-tag.outputs.tag }}
+ steps:
+ - name: Compute test image tag
+ id: compute-tag
+ run: |
+ prefix="ci"
+ if [ -n "${{ github.event.number }}" ]; then
+ prefix="pr-${{ github.event.number }}"
+ fi
+ echo "tag=${prefix}-$GITHUB_SHA" >> $GITHUB_OUTPUT
+
+ run-test-jobs:
+ uses: ./.github/workflows/test-ci-reusable.yml
+ needs: [get-test-image-tag]
+ with:
+ tag: ${{ needs.get-test-image-tag.outputs.tag }}
diff --git a/.github/workflows/test-ci-reusable.yml b/.github/workflows/test-ci-reusable.yml
new file mode 100644
index 00000000..c8c1c7db
--- /dev/null
+++ b/.github/workflows/test-ci-reusable.yml
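Review bot: `run-test-jobs` in test-ci-push.yml calls test-ci-reusable.yml without a `secrets:` key, while the called workflow reads `secrets.GHCR_PR_TOKEN` in its push, login and clean-up steps; a reusable workflow only receives the secrets its caller passes, so those references would resolve to empty values. Passing just the one it needs (`secrets:` with `GHCR_PR_TOKEN: ${{ secrets.GHCR_PR_TOKEN }}`, plus a matching `secrets:` declaration under `workflow_call`) keeps the hand-off explicit and narrower than `secrets: inherit`. The same applies to `run-test-jobs` in test-ci-command.yml. Separately, `github.event.number` is not populated on push events, so the `pr-` branch in `compute-tag` looks unreachable in this file.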
@@ -0,0 +1,140 @@
+on:
+ workflow_call:
+ inputs:
+ tag:
+ required: true
+ type: string
+ repository:
+ required: false
+ type: string
+ ref:
+ required: false
+ type: string
+
+env:
+ OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key"
+ OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04"
+
+jobs:
+ clean-up-test-images:
+ runs-on: ubuntu-latest
+ needs: [scorecard-test]
+ strategy:
+ matrix:
+ image: [cryostat-operator, cryostat-operator-bundle, cryostat-operator-scorecard]
+ steps:
+ - uses: r26d/ghcr-delete-image-action@v1.3.0
+ with:
+ owner: ${{ github.repository_owner }}
+ name: ${{ matrix.image }}
+ token: ${{ secrets.GHCR_PR_TOKEN }}
+ ignore-missing-package: true
+ tag-regex: ${{ inputs.tag }}
+ tagged-keep-latest: 0
+
+ controller-test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ repository: ${{ inputs.repository }}
+ ref: ${{ inputs.ref }}
+ - uses: actions/setup-go@v2
+ with:
+ go-version: '1.20.*'
+ - uses: actions/cache@v2
+ with:
+ path: |
+ ~/go/pkg/mod
+ ~/.cache/go-build
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+ - name: Run controller tests
+ run: make test-envtest
+
+ scorecard-test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ repository: ${{ inputs.repository }}
+ ref: ${{ inputs.ref }}
+ - uses: jpkrohling/setup-operator-sdk@v1.1.0
+ with:
+ operator-sdk-version: v1.28.0
+ - name: Install podman v4
+ run: |
+ echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
+ curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg
+ sudo apt update
+ sudo apt install podman
+ - name: Build scorecard image for test
+ run: |
+ CUSTOM_SCORECARD_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator-scorecard:${{ inputs.tag }} \
+ PLATFORMS=linux/amd64 \
+ MANIFEST_PUSH=false \
+ make scorecard-build
+ - name: Push scorecard image to ghcr.io for test
+ id: push-scorecard-to-ghcr
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator-scorecard
+ tags: ${{ inputs.tag }}
+ registry: ghcr.io/${{ github.repository_owner }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GHCR_PR_TOKEN }}
+ - name: Build operator image for test
+ run: |
+ OPERATOR_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator:${{ inputs.tag }} \
+ SKIP_TESTS=true \
+ make oci-build
+ - name: Push operator image to ghcr.io for test
+ id: push-operator-to-ghcr
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator
+ tags: ${{ inputs.tag }}
+ registry: ghcr.io/${{ github.repository_owner }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GHCR_PR_TOKEN }}
+ - name: Build bundle image for test
+ run: |
+ yq -i '.spec.template.spec.imagePullSecrets = [{"name": "registry-key"}]' config/manager/manager.yaml
+ OPERATOR_IMG=${{ steps.push-operator-to-ghcr.outputs.registry-path }} \
+ BUNDLE_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator-bundle:${{ inputs.tag }} \
+ make bundle bundle-build
+ - name: Push bundle image to ghcr.io for test
+ id: push-bundle-to-ghcr
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: cryostat-operator-bundle
+ tags: ${{ inputs.tag }}
+ registry: ghcr.io/${{ github.repository_owner }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GHCR_PR_TOKEN }}
+ - name: Set up Kind cluster
+ run: |
+ kind create cluster --config=".github/kind-config.yaml" -n ci-${{ github.run_id }}
+ # Enabling Ingress
+ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+ kubectl rollout status -w deployment/ingress-nginx-controller -n ingress-nginx --timeout 5m
+ - name: Install Operator Lifecycle Manager
+ run: curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.24.0/install.sh | bash -s v0.24.0
+ - name: Install Cert Manager
+ run: make cert_manager
+ - uses: redhat-actions/podman-login@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GHCR_PR_TOKEN }}
+ auth_file_path: $HOME/.docker/config.json
+ - name: Run scorecard tests
+ run: |
+ SCORECARD_REGISTRY_SERVER="ghcr.io" \
+ SCORECARD_REGISTRY_USERNAME="${{ github.repository_owner }}" \
+ SCORECARD_REGISTRY_PASSWORD="${{ secrets.GHCR_PR_TOKEN }}" \
+ BUNDLE_IMG="${{ steps.push-bundle-to-ghcr.outputs.registry-path }}" \
+ make test-scorecard
+ - name: Clean up Kind cluster
+ run: kind delete cluster -n ci-${{ github.run_id }}
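Review bot: `scorecard-test` in test-ci-reusable.yml checks out `inputs.repository` at `inputs.ref` and then runs that tree's Makefile targets in the same job that handles `GHCR_PR_TOKEN`: podman-login writes it to `$HOME/.docker/config.json` and the `Run scorecard tests` step expands it into the script text before `make test-scorecard`, so the checked-out build scripts run within reach of a token that `clean-up-test-images` also uses to delete package versions. When the caller is test-ci-command.yml that tree is a contributor's branch, so the token is worth scoping to the three test packages only, and the secret is better passed through the step's `env:` (`SCORECARD_REGISTRY_PASSWORD: ${{ secrets.GHCR_PR_TOKEN }}`) than interpolated inside `run:`. The ingress manifest is applied from the `main` branch of ingress-nginx; referencing a release tag, as the OLM install line already does with v0.24.0, would make the cluster setup reproducible. A short header comment stating that this workflow executes caller-supplied code with registry credentials would help the next maintainer who adds a caller.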