1- name : CI
1+ name : External Secrets Workable CI
22
33on :
44 push :
5+ tags :
6+ - workable-*
7+ pull_request :
58 branches :
6- - main
7- - release-*
8- pull_request : {}
9+ - workable-*
910
1011env :
1112 # Common versions
12- GOLANGCI_VERSION : ' v1.60.1'
13- KUBERNETES_VERSION : ' 1.31.x'
14-
15- # Sonar
16- SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
13+ GOLANGCI_VERSION : " v1.60.1"
14+ KUBERNETES_VERSION : " 1.31.x"
1715
1816permissions :
1917 contents : read
2018
2119jobs :
2220 detect-noop :
2321 permissions :
24- actions : write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
25- contents : read # for fkirc/skip-duplicate-actions to read and compare commits
22+ actions : write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
23+ contents : read # for fkirc/skip-duplicate-actions to read and compare commits
2624 runs-on : ubuntu-latest
2725 outputs :
2826 noop : ${{ steps.noop.outputs.should_skip }}
3836
3937 lint :
4038 permissions :
41- contents : read # for actions/checkout to fetch code
42- pull-requests : read # for golangci/golangci-lint-action to fetch pull requests
39+ contents : read # for actions/checkout to fetch code
40+ pull-requests : read # for golangci/golangci-lint-action to fetch pull requests
4341 runs-on : ubuntu-latest
4442 needs : detect-noop
4543 if : needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
@@ -126,6 +124,7 @@ jobs:
126124 make test
127125
128126name : Publish Unit Test Coverage
127+ if : false
129128 uses : codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
130129 env :
131130 CODECOV_TOKEN : ${{ secrets.CODECOV_TOKEN }}
@@ -134,39 +133,75 @@ jobs:
134133 file : ./cover.out
135134
136135 publish-artifacts :
137- needs : detect-noop
138- if : needs.detect-noop.outputs.noop != 'true'
139- uses : ./.github/workflows/publish.yml
136+ needs : [lint, check-diff, unit-tests]
137+ if : ${{ needs.detect-noop.outputs.noop != 'true' && startsWith(github.ref, 'refs/tags/workable-') }}
140138 permissions :
141139 id-token : write
142140 contents : read
143- strategy :
144- matrix :
145- include :
146- - dockerfile : " Dockerfile"
147- build-args : " CGO_ENABLED=0"
148- build-arch : " amd64 arm64 s390x ppc64le"
149- build-platform : " linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
150- tag-suffix : " " # distroless
151- - dockerfile : " Dockerfile.ubi"
152- build-args : " CGO_ENABLED=0"
153- build-arch : " amd64 arm64 ppc64le"
154- build-platform : " linux/amd64,linux/arm64,linux/ppc64le"
155- tag-suffix : " -ubi"
156- - dockerfile : " Dockerfile.ubi"
157- build-args : " CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
158- build-arch : " amd64 ppc64le"
159- build-platform : " linux/amd64,linux/ppc64le"
160- tag-suffix : " -ubi-boringssl"
161- with :
162- dockerfile : ${{ matrix.dockerfile }}
163- tag-suffix : ${{ matrix.tag-suffix }}
164- image-name : ghcr.io/${{ github.repository }}
165- build-platform : ${{ matrix.build-platform }}
166- build-args : ${{ matrix.build-args }}
167- build-arch : ${{ matrix.build-arch }}
168- ref : ${{ github.ref }}
169- secrets :
170- GHCR_USERNAME : ${{ secrets.GHCR_USERNAME }}
171- GHCR_TOKEN : ${{ secrets.GHCR_TOKEN }}
141+ runs-on : ubuntu-latest
142+ environment : Workable
143+ steps :
144+ - name : Checkout
145+ uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
146+
147+ - name : Get image tag
148+ id : container-info
149+ run : |
150+ echo "image-tag=${GITHUB_REF#refs/tags/workable-}" >> $GITHUB_OUTPUT
151+
152+ name : Build image
153+ uses : docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.1
154+ with :
155+ context : .
156+ file : Dockerfile.standalone
157+ push : false
158+ tags : Workable/external-secrets:${{ steps.container-info.outputs.image-tag }}
159+ provenance : false
160+
161+ # DISTRIBUTION OF SRE IMAGE
162+ - name : Login to sre registry
163+ uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
164+ with :
165+ registry : us-docker.pkg.dev
166+ username : _json_key
167+ password : ${{ secrets.SRE_GCR_SA }}
172168
169+ - name : Push image to sre registry
170+ env :
171+ REGISTRY : us-docker.pkg.dev/sre-artifacts-20e4/gcr.io
172+ run : |
173+ docker tag Workable/external-secrets:${{ steps.container-info.outputs.image-tag }} \
174+ ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
175+ docker push ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
176+
177+ # DISTRIBUTION OF STAGING IMAGE
178+ - name : Login to staging registry
179+ uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
180+ with :
181+ registry : us-docker.pkg.dev
182+ username : _json_key
183+ password : ${{ secrets.STAGING_GCR_SA }}
184+
185+ - name : Push image to staging registry
186+ env :
187+ REGISTRY : us-docker.pkg.dev/staging-artifacts-786a/gcr.io
188+ run : |
189+ docker tag Workable/external-secrets:${{ steps.container-info.outputs.image-tag }} \
190+ ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
191+ docker push ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
192+
193+ # DISTRIBUTION OF PRODUCTION IMAGE
194+ - name : Login to production registry
195+ uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
196+ with :
197+ registry : us-docker.pkg.dev
198+ username : _json_key
199+ password : ${{ secrets.PRODUCTION_GCR_SA }}
200+
201+ - name : Push image to production registry
202+ env :
203+ REGISTRY : us-docker.pkg.dev/production-artifacts-0b0d/gcr.io
204+ run : |
205+ docker tag Workable/external-secrets:${{ steps.container-info.outputs.image-tag }} \
206+ ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
207+ docker push ${{ env.REGISTRY }}/external-secrets:${{ steps.container-info.outputs.image-tag }}
0 commit comments