Merge pull request #1238 from equinor/refactor-build #755
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & push | |
| on: | |
| push: | |
| branches: | |
| - master | |
| - release | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| jobs: | |
| build-operator: | |
| runs-on: ubuntu-20.04 | |
| name: Build Operator | |
| outputs: | |
| tag: ${{ steps.metadata.outputs.tag }} | |
| fullname: ${{ steps.metadata.outputs.fullname }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build image tags | |
| id: metadata | |
| run: | | |
| sha=${GITHUB_SHA::8} | |
| ts=$(date +%s) | |
| tag=${GITHUB_REF_NAME}-${sha}-${ts} | |
| echo "tag=$tag" >> $GITHUB_OUTPUT | |
| echo "fullname=ghcr.io/${{ github.repository }}:$tag" >> $GITHUB_OUTPUT | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push radix-operator docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| file: ./operator.Dockerfile | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| tags: "${{ steps.metadata.outputs.fullname }}" | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-pipelinerunner: | |
| runs-on: ubuntu-20.04 | |
| name: Build Pipeline runner | |
| outputs: | |
| tag_latest: ${{ steps.metadata.outputs.tag_latest }} | |
| fullname: ${{ steps.metadata.outputs.fullname }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build image names | |
| id: metadata | |
| run: | | |
| sha=${GITHUB_SHA::8} | |
| ts=$(date +%s) | |
| tag_latest=${GITHUB_REF_NAME}-latest | |
| tag=${GITHUB_REF_NAME}-${sha}-${ts} | |
| echo "tag_latest=$tag_latest" >> $GITHUB_OUTPUT | |
| echo "fullname=ghcr.io/${{ github.repository }}:$tag" >> $GITHUB_OUTPUT | |
| echo "fullname_latest=ghcr.io/${{ github.repository }}:$tag_latest" >> $GITHUB_OUTPUT | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push pipeline-runner docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| file: ./pipeline.Dockerfile | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| tags: | | |
| ${{ steps.metadata.outputs.fullname }} | |
| ${{ steps.metadata.outputs.fullname_latest }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| deploy: | |
| runs-on: ubuntu-20.04 | |
| needs: | |
| - build-pipelinerunner | |
| - build-operator | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - name: "dev" | |
| acr-name: "radixdev" | |
| client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e" | |
| subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" | |
| - name: "playground" | |
| acr-name: "radixplayground" | |
| client-id: "7c000a42-1edb-4491-a241-4ac77bf7dd6d" | |
| subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" | |
| - name: "platform" | |
| acr-name: "radixprod" | |
| client-id: "044f760d-aabb-4d29-a879-e774f16e3bcc" | |
| subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" | |
| - name: "c2" | |
| acr-name: "radixc2prod" | |
| client-id: "581bb747-7b9f-4e80-a843-249eafb0a5fa" | |
| subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: azure/login@v2 | |
| with: | |
| client-id: ${{matrix.target.client-id}} | |
| tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0" | |
| subscription-id: ${{matrix.target.subscription-id}} | |
| - name: Get GitHub Public IP | |
| id: github_public_ip | |
| run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT | |
| - name: Add GitHub IP to ACR | |
| id: update_firewall | |
| run: az acr network-rule add | |
| --name ${{matrix.target.acr-name}} | |
| --subscription ${{matrix.target.subscription-id}} | |
| --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} | |
| - name: Wait for 2 minutes while the network rule to take effect | |
| run: | | |
| sleep 120 | |
| - name: Wait for Specific IP in ACR Network Rules | |
| run: | | |
| MAX_ATTEMPTS=10 | |
| ATTEMPT=0 | |
| TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}" | |
| echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..." | |
| while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do | |
| NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }} --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]" --output tsv) | |
| if [ -n "$NETWORK_RULES" ]; then | |
| echo "IP $TARGET_IP is allowed." | |
| break | |
| fi | |
| echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..." | |
| ATTEMPT=$((ATTEMPT+1)) | |
| sleep 10 | |
| done | |
| if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then | |
| echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting." | |
| exit 1 | |
| fi | |
| - name: Build image tags | |
| id: metadata | |
| run: | | |
| echo "operator=${{ matrix.target.acr-name }}.azurecr.io/radix-operator:${{ needs.build-operator.outputs.tag }}" >> $GITHUB_OUTPUT | |
| echo "pipeline=${{ matrix.target.acr-name }}.azurecr.io/radix-pipeline:${{ needs.build-pipelinerunner.outputs.tag_latest }}" >> $GITHUB_OUTPUT | |
| - name: ACR Login | |
| run: az acr login --name ${{ matrix.target.acr-name }} | |
| - name: Pull Operator | |
| run: docker pull ${{ needs.build-operator.outputs.fullname }} | |
| - name: Pull Pipelinerunner | |
| run: docker pull ${{ needs.build-pipelinerunner.outputs.fullname }} | |
| - name: Re-Tag Operator | |
| run: docker tag ${{ needs.build-operator.outputs.fullname }} ${{ steps.metadata.outputs.operator }} | |
| - name: Re-Tag PipelineRunner | |
| run: docker tag ${{ needs.build-pipelinerunner.outputs.fullname }} ${{ steps.metadata.outputs.pipeline }} | |
| - name: Push Operator to Target Registry | |
| run: docker push ${{ steps.metadata.outputs.operator }} | |
| - name: Push Pipeline Runner to Target Registry | |
| run: docker push ${{ steps.metadata.outputs.pipeline }} | |
| - name: Revoke GitHub IP on ACR | |
| if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed | |
| run: az acr network-rule remove | |
| --name ${{matrix.target.acr-name}} | |
| --subscription ${{matrix.target.subscription-id}} | |
| --ip-address ${{ steps.github_public_ip.outputs.ipv4 }} |