Merge pull request #7 from ruivieira/RHOAIENG-24444-infra

chore: Add image building GHA

Author: ruivieira

.github/workflows/build-and-push.yaml

@@ -0,0 +1,164 @@
+name: Build and Push
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v*
+    paths-ignore:
+      - 'LICENSE'
+      - '**/.gitignore'
+      - '**.md'
+      - '**.adoc'
+      - '*.txt'
+  pull_request_target:
+    paths-ignore:
+      - 'LICENSE'
+      - '**/.gitignore'
+      - '**.md'
+      - '**.adoc'
+      - '*.txt'
+    types: [labeled, opened, synchronize, reopened]
+jobs:
+  # Ensure that tests pass before publishing a new image.
+  build-and-push-ci:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+    steps: # Assign context variable for various action contexts (tag, main, CI)
+      - name: Assigning CI context
+        if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
+        run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV
+      - name: Assigning tag context
+        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
+        run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
+      - name: Assigning main context
+        if: github.head_ref == '' && github.ref == 'refs/heads/main'
+        run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
+      # Run checkouts
+      - uses: mheap/github-action-required-labels@v4
+        if: env.BUILD_CONTEXT == 'ci'
+        with:
+          mode: minimum
+          count: 1
+          labels: "ok-to-test, lgtm, approved"
+      - uses: actions/checkout@v3
+        if: env.BUILD_CONTEXT == 'ci'
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/checkout@v3
+        if: env.BUILD_CONTEXT == 'main' ||  env.BUILD_CONTEXT == 'tag'
+      # Print variables for debugging
+      - name: Log reference variables
+        run: |
+          echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
+          echo "GITHUB.REF: ${{ github.ref }}"
+          echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
+          echo "SHA: ${{ github.event.pull_request.head.sha }}"
+          echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
+          echo "CI IMAGE AT: quay.io/trustyai/trustyai-service-python-ci:${{ github.event.pull_request.head.sha }}"
+      # Set environments depending on context
+      - name: Set CI environment
+        if:  env.BUILD_CONTEXT == 'ci'
+        run: |
+          echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=quay.io/trustyai/trustyai-service-python-ci" >> $GITHUB_ENV
+      - name: Set main-branch environment
+        if:  env.BUILD_CONTEXT == 'main'
+        run: |
+          echo "TAG=latest" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+      - name: Set tag environment
+        if: env.BUILD_CONTEXT == 'tag'
+        run: |
+          echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+      #
+      # Run docker commands
+      - name: Pull prerequisite images
+        run: |
+          docker pull $(cat Dockerfile | grep -o -P '(?<=FROM ).*(?= AS build)')
+          docker pull $(cat Dockerfile | grep -o -P '(?<=FROM ).*(?= AS runtime)')
+      - name: Put expiry date on CI-tagged image
+        if:  env.BUILD_CONTEXT == 'ci'
+        run: sed -i 's#summary="odh-trustyai-service-python\"#summary="odh-trustyai-service-python" \\ \n      quay.expires-after=7d#' Dockerfile
+      - name: Build image
+        run: docker build -t ${{ env.IMAGE_NAME }}:$TAG .
+      - name: Log in to Quay
+        run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
+      - name: Push to Quay CI repo
+        run: docker push ${{ env.IMAGE_NAME }}:$TAG
+
+      # Create CI Manifests
+      - name: Set up manifests for CI
+        if: env.BUILD_CONTEXT == 'ci'
+        run: |
+          git clone https://github.com/trustyai-explainability/trustyai-service-operator
+          cd trustyai-service-operator
+          sed -i "s#quay.io/trustyai/trustyai-service:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/base/params.env
+          sed -i "s#quay.io/trustyai/trustyai-service:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/overlays/odh/params.env
+          sed -i "s#quay.io/trustyai/trustyai-service:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/overlays/rhoai/params.env
+          rm -Rf $(ls . | grep -v config)
+          rm -Rf .gitignore .dockerignore .github .git .yamllint.yaml
+          echo "## Automatically Generated Manifests for Service CI" > README.md
+          echo "Generated by [Service PR #${{ github.event.number }}](https://github.com/trustyai-explainability/trustyai-service/pull/${{ github.event.number }})" >> README.md
+
+      # push to ci-manifest repo
+      - uses: cpina/github-action-push-to-another-repository@main
+        if: env.BUILD_CONTEXT == 'ci'
+        env:
+          SSH_DEPLOY_KEY: ${{ secrets.TRUSTYAI_CI_BOT_SSH_KEY}}
+        with:
+          source-directory: 'trustyai-service-operator'
+          destination-github-username: 'trustyai-ci-bot'
+          destination-repository-username: 'trustyai-explainability'
+          destination-repository-name: 'trustyai-service-operator-ci'
+          target-branch: service-python-${{ env.TAG }}
+          create-target-branch-if-needed: 'true'
+
+      # Leave comment
+      - uses: peter-evans/find-comment@v3
+        name: Find Comment
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes:  PR image build and manifest generation completed successfully
+      - uses: peter-evans/create-or-update-comment@v4
+        name: Generate/update success message comment
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            PR image build and manifest generation completed successfully!
+            
+            📦 [PR image](https://quay.io/trustyai/trustyai-service-python-ci:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/trustyai-service-python-ci:${{ github.event.pull_request.head.sha }}`
+            
+            🗂️ [CI manifests](https://github.com/trustyai-explainability/trustyai-service-operator-ci/tree/service-python-${{ env.TAG }})
+            
+            ```
+            devFlags:
+              manifests:
+                - contextDir: config
+                  sourcePath: ''
+                  uri: https://api.github.com/repos/trustyai-explainability/trustyai-service-operator-ci/tarball/service-python-${{ env.TAG }}
+            ```
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+
+      - name: Update Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'