From d17dfe4cdd276b70f4f6aa878568eea001a59b20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 3 Apr 2023 15:28:01 +0200
Subject: [PATCH 1/2] gha: Use ghcr.io for the k8s CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's switch to using the `ghcr.io` registry for the k8s CI, as this will save us some troubles on running the CI with PRs coming from forked repos.
Fixes: #6587
Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/ci-on-push.yaml | 8 ++++++--
 .github/workflows/payload-after-push.yaml | 3 ++-
 .../publish-kata-deploy-payload-amd64.yaml | 17 ++++++++++++++++-
 .../publish-kata-deploy-payload-arm64.yaml | 18 +++++++++++++++++-
 .../publish-kata-deploy-payload-s390x.yaml | 19 +++++++++++++++++--
 .github/workflows/run-k8s-tests-on-aks.yaml | 12 +++++++++---
 6 files changed, 67 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 10cf5aeb3..8e9d6d078 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -13,13 +13,17 @@ jobs:
 uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
 with:
 tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
- repo: kata-deploy-ci
+ registry: ghcr.io
+ repo: ${{ github.repository_owner }}/kata-deploy-ci
 tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
+ quay-io-login-continue-on-error: true
 secrets: inherit

 run-k8s-tests-on-aks:
 needs: publish-kata-deploy-payload-amd64
 uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
 with:
- image-tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
+ registry: ghcr.io
+ repo: ${{ github.repository_owner }}/kata-deploy-ci
+ tag: ${{ github.event.pull_request.number }}-${{ github.sha }}-amd64
 secrets: inherit
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index a03d4e543..741af5902 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -19,7 +19,8 @@ jobs:
 needs: build-assets-amd64
 uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
 with:
- registry: quay.io/kata-containers/kata-deploy-ci
+ registry: quay.io
+ repo: kata-containers/kata-deploy-ci
 tag: kata-containers-amd64
 secrets: inherit

diff --git a/.github/workflows/publish-kata-deploy-payload-amd64.yaml b/.github/workflows/publish-kata-deploy-payload-amd64.yaml
index 27c0ade46..fea62765c 100644
--- a/.github/workflows/publish-kata-deploy-payload-amd64.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-amd64.yaml
@@ -5,12 +5,19 @@ on:
 tarball-suffix:
 required: false
 type: string
+ registry:
+ required: true
+ type: string
 repo:
 required: true
 type: string
 tag:
 required: true
 type: string
+ quay-io-login-continue-on-error:
+ required: false
+ type: boolean
+ default: false

 jobs:
 kata-payload:
@@ -29,10 +36,18 @@ jobs:
 registry: quay.io
 username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
 password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ continue-on-error: ${{ inputs.quay-io-login-continue-on-error }}
+
+ - name: Login to Kata Containers ghcr.io
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: build-and-push-kata-payload
 id: build-and-push-kata-payload
 run: |
 ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
 $(pwd)/kata-static.tar.xz \
- quay.io/kata-containers/${{ inputs.repo }} ${{ inputs.tag }}
+ ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
diff --git a/.github/workflows/publish-kata-deploy-payload-arm64.yaml b/.github/workflows/publish-kata-deploy-payload-arm64.yaml
index 0834b7bf5..9b8e736dc 100644
--- a/.github/workflows/publish-kata-deploy-payload-arm64.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-arm64.yaml
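Review bot: The new `registry` and `quay-io-login-continue-on-error` inputs in the `workflow_call` block carry no `description:`, so a caller learns only the type and whether the input is required; the equivalent hunks in the arm64 and s390x workflows and the `registry`/`repo`/`tag` inputs of run-k8s-tests-on-aks have the same gap. A one-liner each would do, for example `description: Registry host the payload image is pushed to (quay.io or ghcr.io)` under `registry` and `description: Do not fail the job when the quay.io login fails; set by callers that only need ghcr.io` under the boolean. Since `repo` now means the path below the registry (callers pass `kata-containers/kata-deploy-ci`) rather than a bare image name as before, its meaning changed in this commit too and deserves a `description:` of its own.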
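Review bot: The added ghcr.io login authenticates with `secrets.GITHUB_TOKEN` for a push, but no `permissions:` block is visible in the hunk, so whether `kata-deploy-build-and-upload-payload.sh` can push to ghcr.io depends on the repository's default token permissions rather than on anything the workflow declares; the arm64 and s390x hunks have the same shape. Declaring `permissions:` with `contents: read` and `packages: write` at the top of this reusable workflow (outside the hunk) keeps the grant explicit and minimal, and the caller in ci-on-push.yaml has to grant at least the same, since a called workflow can only narrow the caller's token. Note also that for a forked PR run on `pull_request` the token is read-only, so the ghcr.io push fails no matter what the quay.io step's `continue-on-error` is set to; the trigger change in the second patch is what makes this work, so the two should land together. The trailing `+` on the arm64 hunk adds a blank line at end of file that the other two workflows do not get.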
@@ -5,12 +5,19 @@ on:
 tarball-suffix:
 required: false
 type: string
+ registry:
+ required: true
+ type: string
 repo:
 required: true
 type: string
 tag:
 required: true
 type: string
+ quay-io-login-continue-on-error:
+ required: false
+ type: boolean
+ default: false

 jobs:
 kata-payload:
@@ -33,10 +40,19 @@ jobs:
 registry: quay.io
 username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
 password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ continue-on-error: ${{ inputs.quay-io-login-continue-on-error }}
+
+ - name: Login to Kata Containers ghcr.io
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: build-and-push-kata-payload
 id: build-and-push-kata-payload
 run: |
 ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
 $(pwd)/kata-static.tar.xz \
- quay.io/kata-containers/$${ inputs.repo }} ${{ inputs.tag }}
+ ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
+
diff --git a/.github/workflows/publish-kata-deploy-payload-s390x.yaml b/.github/workflows/publish-kata-deploy-payload-s390x.yaml
index 6c96df801..89efbd58e 100644
--- a/.github/workflows/publish-kata-deploy-payload-s390x.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-s390x.yaml
@@ -6,11 +6,18 @@ on:
 required: false
 type: string
 registry:
- repo: true
+ required: true
+ type: string
+ repo:
+ required: true
 type: string
 tag:
 required: true
 type: string
+ quay-io-login-continue-on-error:
+ required: false
+ type: boolean
+ default: false

 jobs:
 kata-payload:
@@ -33,10 +40,18 @@ jobs:
 registry: quay.io
 username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
 password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ continue-on-error: ${{ inputs.quay-io-login-continue-on-error }}
+
+ - name: Login to Kata Containers ghcr.io
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: build-and-push-kata-payload
 id: build-and-push-kata-payload
 run: |
 ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
 $(pwd)/kata-static.tar.xz \
- quay.io/kata-containers/${{ inputs.repo }} ${{ inputs.tag }}
+ ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
index 09ff68092..83dd4ab7b 100644
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -2,7 +2,13 @@ name: CI | Run kubernetes tests on AKS
 on:
 workflow_call:
 inputs:
- image-tag:
+ registry:
+ required: true
+ type: string
+ repo:
+ required: true
+ type: string
+ tag:
 required: true
 type: string

@@ -52,9 +58,9 @@ jobs:

 - name: Deploy kata-deploy
 run: |
- sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|quay.io/kata-containers/kata-deploy-ci:${{ inputs.image-tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+ sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
 cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
- cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "quay.io/kata-containers/kata-deploy-ci:${{ inputs.image-tag }}" || die "Failed to setup the tests image"
+ cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
 kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
 kubectl apply -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml

From 3215860a47f1fff1436a94669e24523bf9627b02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 3 Apr 2023 18:16:52 +0200
Subject: [PATCH 2/2] gha: Set ci-on-push to run on `pull_request_target`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is less secure than running the PR on `pull_request`, and will require using an additional `ok-to-test` label to make sure someone deliverately ran the actions coming from a forked repo.
Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/ci-on-push.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 8e9d6d078..cbab26837 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
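Review bot: `die` is not defined in this `run:` block (the step starts at the top of the hunk, so no earlier line of the script can define it), so when `grep` finds no match the shell reports `die: command not found` and the step fails with status 127 instead of printing the intended message. The same was true before the change, but the line is rewritten here, so `|| { echo "Failed to setup the tests image" >&2; exit 1; }` is the cheap fix to fold in. While touching it, passing the three inputs through `env:` as one `KATA_DEPLOY_IMAGE` variable and running `grep -qF` on the file instead of `cat | grep` removes the duplicated expression and the dots that the original pattern treats as regex wildcards; the inline `${{ }}` interpolation into a shell command is the pattern GitHub's workflow-hardening guidance advises against, and although the callers in this commit pass fixed registry names and `github.repository_owner`, the `env:` form keeps the step safe for any future caller. The preceding `cat` already prints the whole file, so nothing is lost by making the check quiet.
```yaml
      - name: Deploy kata-deploy
        env:
          KATA_DEPLOY_IMAGE: ${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}
        run: |
          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${KATA_DEPLOY_IMAGE}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
          grep -qF "${KATA_DEPLOY_IMAGE}" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml || { echo "Failed to setup the tests image" >&2; exit 1; }
          # … unchanged: the two kubectl apply lines …
```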
@@ -1,14 +1,21 @@
 name: Kata Containers CI
 on:
- pull_request
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - labeled
+ - synchronize

 jobs:
 build-kata-static-tarball-amd64:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
 with:
 tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}

 publish-kata-deploy-payload-amd64:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 needs: build-kata-static-tarball-amd64
 uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
 with:
@@ -20,6 +27,7 @@ jobs:
 secrets: inherit

 run-k8s-tests-on-aks:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 needs: publish-kata-deploy-payload-amd64
 uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
 with:
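Review bot: The `ok-to-test` gate does not survive `synchronize`: the label stays on the PR once applied, so every later push to the PR branch re-runs this `pull_request_target` workflow — which carries the base repository's secrets and a `GITHUB_TOKEN` with the base repository's permissions — without anyone re-approving the new revision, and the reusable workflows then build and publish whatever they check out (the checkout step is outside these hunks, so I cannot confirm which ref that is). Either drop `synchronize` from `types:` so the label has to be removed and re-applied for each revision, or add a first job that requires `github.event.action == 'labeled'` and removes the label before the build jobs run, so that one approval is bound to one commit. Independently, on `pull_request_target` `github.sha` is the base branch head rather than the PR head, so the `tarball-suffix` and the `tag` built from `${{ github.sha }}` stop identifying the revision under test; `github.event.pull_request.head.sha` does. The third copy of the `if:` condition, in the hunk at @@ -20,6 +27,7 @@, is redundant with the `needs:` chain (a skipped dependency skips the dependent job) but harmless as an explicit statement of intent.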