Skip to content

Build and test for release #670

Build and test for release

Build and test for release #670

#
# THIS FILE IS GENERATED, PLEASE DO NOT EDIT.
#
# Copyright 2022 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# on push to default branch or on tags
name: Build and test for release
on:
workflow_dispatch:
inputs:
issue_id:
description: 'Id of issue where label was set'
required: false
issue_number:
description: 'Number of issue where label was set'
required: false
comment_id:
description: 'Id of comment in issue where to put workflow run status'
required: false
editions:
description: 'Comma-separated list of editions to build'
required: false
type: string
env:
# <template: werf_envs>
WERF_CHANNEL: "ea"
WERF_ENV: "FE"
TEST_TIMEOUT: "15m"
# Use fixed string 'sys/deckhouse-oss' for repo name. ${CI_PROJECT_PATH} is not available here in GitHub.
DEV_REGISTRY_PATH: "${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/sys/deckhouse-oss"
# Registry for additional repositories used for testing Github Actions workflows.
GHA_TEST_REGISTRY_PATH: "ghcr.io/${{ github.repository }}"
# Need for ssh: default.
DOCKER_BUILDKIT: "1"
WERF_LOG_TERMINAL_WIDTH: "200"
# </template: werf_envs>
# <template: git_source_envs>
# source repo [email protected]:group
SOURCE_REPO: "${{secrets.SOURCE_REPO_GIT}}"
# cloud providers source repo should contain creds for repo for ex https://user:[email protected]/group
CLOUD_PROVIDERS_SOURCE_REPO: "${{secrets.CLOUD_PROVIDERS_SOURCE_REPO}}"
GOPROXY: "${{vars.GOPROXY}}"
# observability source repo should contain creds for repo for ex https://user:[email protected]/group
OBSERVABILITY_SOURCE_REPO: "${{secrets.OBSERVABILITY_SOURCE_REPO}}"
# Next two are required for accessing the stronghold repo during d8 cli builds.
# Stronghold pull token should contain CI token with read access to stronghold repos.
STRONGHOLD_PULL_TOKEN: "${{secrets.STRONGHOLD_PULL_TOKEN}}"
# deckhouse private repo should contain the host address of proprietary parts of deckhouse ecosystem. Ex repo.my-repo.com
DECKHOUSE_PRIVATE_REPO: "${{secrets.DECKHOUSE_PRIVATE_REPO}}"
# </template: git_source_envs>
# Cancel in-progress jobs for the same tag/branch.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
started_at:
name: Save start timestamp
outputs:
started_at: ${{ steps.started_at.outputs.started_at }}
runs-on: "ubuntu-latest"
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: git_info_job>
git_info:
name: Get git info
runs-on: ubuntu-latest
outputs:
ci_commit_tag: ${{ steps.git_info.outputs.ci_commit_tag }}
ci_commit_branch: ${{ steps.git_info.outputs.ci_commit_branch }}
ci_commit_ref_name: ${{ steps.git_info.outputs.ci_commit_ref_name }}
ci_commit_ref_slug: ${{ steps.git_info.outputs.ci_commit_ref_slug }}
ref_full: ${{ steps.git_info.outputs.ref_full }}
github_sha: ${{ steps.git_info.outputs.github_sha }}
pr_number: ${{ steps.git_info.outputs.pr_number }}
# Skip the CI for automation PRs, e.g. changelog
if: ${{ github.event.pull_request.user.login != 'deckhouse-BOaTswain' }}
steps:
- id: git_info
name: Get tag name and SHA
uses: actions/[email protected]
with:
script: |
const { GITHUB_REF_TYPE, GITHUB_REF_NAME, GITHUB_REF } = process.env
let refSlug = ''
let refName = ''
let refFull = ''
let githubBranch = ''
let githubTag = ''
let githubSHA = ''
let prNumber = ''
if (context.eventName === "workflow_dispatch" && context.payload.inputs && context.payload.inputs.pull_request_ref) {
// Trigger: workflow_dispatch with pull_request_ref.
// Extract pull request number from 'refs/pull/<NUM>/merge'
prNumber = context.payload.inputs.pull_request_ref.replace('refs/pull/', '').replace('/merge', '').replace('/head', '')
refSlug = `pr${prNumber}`
refName = context.payload.inputs.ci_commit_ref_name
refFull = context.payload.inputs.pull_request_ref
githubBranch = refName
githubSHA = context.payload.inputs.pull_request_sha
core.info(`workflow_dispatch event: set git info from inputs. inputs: ${JSON.stringify(context.payload.inputs)}`)
} else if (context.eventName === "pull_request" || context.eventName === "pull_request_target" ) {
// For PRs from forks, tag images with `prXXX` to avoid clashes between branches.
const targetRepo = context.payload.repository.full_name;
const prRepo = context.payload.pull_request.head.repo.full_name
const prRef = context.payload.pull_request.head.ref
refSlug = `pr${context.issue.number}`;
refName = (prRepo === targetRepo) ? prRef : refSlug;
refFull = `refs/pull/${context.issue.number}/head`
githubBranch = refName
githubSHA = context.payload.pull_request.head.sha
core.info(`pull request event: set git info from pull_request.head. pr:${prRepo}:${prRef} target:${targetRepo}:${context.ref}`)
prNumber = context.issue.number
} else {
// Other triggers: workflow_dispatch without pull_request_ref, schedule, push...
// refName is 'main' or tag name, so slugification is not necessary.
refSlug = GITHUB_REF_NAME
refName = GITHUB_REF_NAME
refFull = GITHUB_REF
githubTag = GITHUB_REF_TYPE == "tag" ? refName : ""
githubBranch = GITHUB_REF_TYPE == "branch" ? refName : ""
githubSHA = context.sha
core.info(`${context.eventName} event: set git info from context: ${JSON.stringify({GITHUB_REF_NAME, GITHUB_REF_TYPE, sha: context.sha })}`)
}
core.setCommandEcho(true)
core.setOutput('ci_commit_ref_slug', refSlug)
core.setOutput('ci_commit_ref_name', refName)
core.setOutput(`ci_commit_tag`, githubTag)
core.setOutput(`ci_commit_branch`, githubBranch)
core.setOutput(`ref_full`, refFull)
core.setOutput('github_sha', githubSHA)
core.setOutput('pr_number', prNumber)
core.setCommandEcho(false)
# </template: git_info_job>
detect_editions:
name: Detect editions
runs-on: ubuntu-latest
outputs:
BUILD_CE: ${{steps.detect_editions.outputs.BUILD_CE}}
BUILD_EE: ${{steps.detect_editions.outputs.BUILD_EE}}
BUILD_BE: ${{steps.detect_editions.outputs.BUILD_BE}}
BUILD_SE: ${{steps.detect_editions.outputs.BUILD_SE}}
BUILD_SE-plus: ${{steps.detect_editions.outputs.BUILD_SE-plus}}
steps:
- name: Detect editions
id: detect_editions
env:
EDITIONS: ${{ github.event.inputs.editions }}
run: |
echo "Input allowed editions: '${EDITIONS}'"
EMPTY_EDITIONS=yes
for edition in CE EE BE SE SE-plus ; do
if grep -i ",${edition}," <<<",${EDITIONS}," 2>/dev/null 1>&2 ; then
echo " - enable build of ${edition} edition."
echo "BUILD_${edition}=true" >> $GITHUB_OUTPUT
EMPTY_EDITIONS=no
fi
done
if [[ $EMPTY_EDITIONS == "yes" ]] ; then
echo "No editions requested. Building only FE."
fi
comment_on_start:
name: Update issue comment
runs-on: ubuntu-latest
steps:
# <template: checkout_step>
- name: Checkout sources
uses: actions/[email protected]
# </template: checkout_step>
# <template: update_comment_on_start>
- name: Update comment on start
if: ${{ github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const name = 'Build and test for release';
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnStart({github, context, core, name})
# </template: update_comment_on_start>
go_generate:
name: Go Generate
needs:
- git_info
# <template: go_generate_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_step>
- name: Checkout sources
uses: actions/[email protected]
# </template: checkout_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
- name: Set up Go 1.23
uses: actions/setup-go@v3
with:
go-version: '1.23'
- name: Run go generate
run: |
(cd tools && go generate)
(cd modules/500-upmeter/hooks/smokemini/internal/snapshot && go generate)
- name: Check generated code
run: |
git diff --exit-code
# </template: go_generate_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Go Generate';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
workflow_render:
name: Render workflow
needs:
- git_info
# <template: workflow_render_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_step>
- name: Checkout sources
uses: actions/[email protected]
# </template: checkout_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
- name: Render GitHub workflow
run: |
cd .github
./render-workflows.sh
- name: Check rendered files
run: |
git diff --exit-code
# </template: workflow_render_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Render workflow';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_fe:
name: Build FE
needs:
- git_info
- go_generate
- workflow_render
env:
WERF_ENV: "FE"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build FE';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_ee:
name: Build EE
needs:
- git_info
- go_generate
- workflow_render
- build_fe
- detect_editions
if: ${{ startsWith(github.ref, 'refs/tags/v') || (needs.detect_editions.outputs.BUILD_EE == 'true') }}
env:
WERF_ENV: "EE"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build EE';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_se:
name: Build SE
needs:
- git_info
- go_generate
- workflow_render
- build_fe
- detect_editions
if: ${{ startsWith(github.ref, 'refs/tags/v') || (needs.detect_editions.outputs.BUILD_SE == 'true') }}
env:
WERF_ENV: "SE"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build SE';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_se_plus:
name: Build SE-plus
needs:
- git_info
- go_generate
- workflow_render
- build_fe
- detect_editions
if: ${{ startsWith(github.ref, 'refs/tags/v') || (needs.detect_editions.outputs.BUILD_SE-plus == 'true') }}
env:
WERF_ENV: "SE-plus"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build SE-plus';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_be:
name: Build BE
needs:
- git_info
- go_generate
- workflow_render
- build_fe
- detect_editions
if: ${{ startsWith(github.ref, 'refs/tags/v') || (needs.detect_editions.outputs.BUILD_BE == 'true') }}
env:
WERF_ENV: "BE"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build BE';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
build_ce:
name: Build CE
needs:
- git_info
- go_generate
- workflow_render
- build_fe
- detect_editions
if: ${{ startsWith(github.ref, 'refs/tags/v') || (needs.detect_editions.outputs.BUILD_CE == 'true') }}
env:
WERF_ENV: "CE"
# <template: build_template>
runs-on: [self-hosted, regular, selectel]
outputs:
tests_image_name: ${{ steps.build.outputs.tests_image_name }}
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
# <template: login_git_step>
- name: Start ssh-agent
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{secrets.SOURCE_REPO_SSH_KEY}}
- name: Add ssh_known_hosts
run: |
HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${{secrets.SOURCE_REPO_GIT}})
echo "::add-mask::$HOST"
IPS=$(nslookup "$HOST" | awk '/^Address: / { print $2 }')
for IP in $IPS; do
echo "::add-mask::$IP"
done
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null)
while IFS= read -r KEY_LINE; do
CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE")
if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then
echo "$KEY_LINE" >> ~/.ssh/known_hosts
fi
done <<< "$HOST_KEYS"
# </template: login_git_step>
- name: Build and push deckhouse images
id: build
env:
DECKHOUSE_REGISTRY_HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
CI_COMMIT_BRANCH: ${{needs.git_info.outputs.ci_commit_branch}}
CI_COMMIT_REF_NAME: ${{needs.git_info.outputs.ci_commit_ref_name}}
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
run: |
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
# REPO_SUFFIX should be empty for main repo 'deckhouse/deckhouse'.
REPO_SUFFIX=
fi
# Put tags on produced images and push to dev and release repositories.
#
# There are 2 modes: "dev" and "release".
# The "dev" mode builds branches only:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images with prNUM tags and push to dev-registry.
# The "release" mode builds branches and tags:
# - Build using dev-registry as primary and deckhouse registry as secondary.
# - Push dev and dev/install images to dev-registry with tag equal to a branch name (main or release-X.Y).
# - Build using deckhouse registry as primary and dev-registry as secondary.
# - Push dev, dev/install and release-channel-version images to deckhouse registry with tag equels to a Git tag.
# SRC_NAME is a name of image from werf.yaml.
# SRC is a source image name (stage name from werf build report).
# DST is an image name for docker push.
function pull_push_rmi() {
SRC_NAME=$1
SRC=$2
DST=$3
echo "⚓️ 📥 [$(date -u)] Pull '${SRC_NAME}' image as ${SRC}."
docker pull ${SRC}
echo "⚓️ 🏷 [$(date -u)] Tag '${SRC_NAME}' image as ${DST}."
docker image tag ${SRC} ${DST}
echo "⚓️ 📤 [$(date -u)] Push '${SRC_NAME}' image as ${DST}."
docker image push ${DST}
echo "⚓️ 🧹 [$(date -u)] Remove local tag for '${SRC_NAME}'."
docker image rmi ${DST} || true;
}
if [[ -n "${DEV_REGISTRY_PATH}" ]]; then export WERF_REPO="${DEV_REGISTRY_PATH}"; fi
type werf && source $(werf ci-env github --verbose --as-file)
# CE/EE/FE -> ce/ee/fe
REGISTRY_SUFFIX=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
#temporary: move temp dir
TEMP_WORKDIR="$(dirname "${{github.workspace}}")/${{github.run_id}}-$REGISTRY_SUFFIX"
mkdir -p "$TEMP_WORKDIR"
# Registry path to publish images for Git branches.
BRANCH_REGISTRY_PATH=
# Registry path to publish images for Git tags.
SEMVER_REGISTRY_PATH=
if [[ -n ${DECKHOUSE_REGISTRY_HOST:-} ]] ; then
# Build using dev-registry as primary repo and prod registry as secondary (ro) repo.
# This build will put stages to "dev" registry. If "dev" registry is empty, existing stages are copied from prod registry.
SECONDARY_REPO="--cache-repo ${DECKHOUSE_REGISTRY_HOST}/deckhouse/${REGISTRY_SUFFIX}"
if [[ -n "${CI_COMMIT_BRANCH}" && ! "${CI_COMMIT_BRANCH}" =~ ^(main|release-.+)$ ]]; then
SECONDARY_REPO=
fi
werf build \
${SECONDARY_REPO} \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${DECKHOUSE_REGISTRY_HOST}/deckhouse"
else
# DECKHOUSE_REGISTRY_HOST is empty, so this repo is not the main repo.
# Build using dev-registry as a single primary repo and push:
# - branches to Dev registry to run e2e tests.
# - semver tags to Github Container Registry for testing release process.
werf build \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
BRANCH_REGISTRY_PATH="${DEV_REGISTRY_PATH}"
SEMVER_REGISTRY_PATH="${GHA_TEST_REGISTRY_PATH}"
echo "⚓️ 🧪 [$(date -u)] DECKHOUSE_REGISTRY_HOST is empty. Publish to Github Container Registry '${PROD_REGISTRY_PATH}'"
fi
cp images_tags_werf.json "$TEMP_WORKDIR"
# Publish images for Git branch.
if [[ -n "${CI_COMMIT_BRANCH}" ]]; then
# Add edition name for non-FE builds
if [[ -n ${WERF_ENV} && ${WERF_ENV,,} != "fe" ]]; then
IMAGE_EDITION=${WERF_ENV,,}
fi
# CI_COMMIT_REF_SLUG is a 'prNUM' for dev branches or 'main' for default branch.
# Use it as image tag. Add suffix to not overlap with PRs in main repo.
IMAGE_TAG=${CI_COMMIT_REF_SLUG}${IMAGE_EDITION:+-${IMAGE_EDITION}}${REPO_SUFFIX:+-${REPO_SUFFIX}}
echo "⚓️ 💫 [$(date -u)] Publish images to dev-registry for branch '${CI_COMMIT_BRANCH}' and edition '${WERF_ENV}' using tag '${IMAGE_TAG}' ..."
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to dev-registry using tag ${IMAGE_TAG}".
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${BRANCH_REGISTRY_PATH}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'e2e-terraform' image to dev-registry using tag ${IMAGE_TAG}".
INSTALL_IMAGE_SRC="$(jq -r '.Images."e2e-terraform".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${BRANCH_REGISTRY_PATH}/e2e-terraform:${IMAGE_TAG}
pull_push_rmi 'e2e-terraform' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
fi
# Publish images for Git tag.
if [[ -n "${CI_COMMIT_TAG}" ]]; then
# The Git tag may contain a '+' sign, so use slugify for this situation.
# Slugify doesn't change a tag with safe-only characters.
IMAGE_TAG=$(werf slugify --format docker-tag "${CI_COMMIT_TAG}")
echo "⚓️ 💫 [$(date -u)] Publish images for Git tag '${CI_COMMIT_TAG}' and registry suffix '${REGISTRY_SUFFIX}' using tag '${IMAGE_TAG}' ..."
if [[ -n ${DECKHOUSE_REGISTRY_HOST} ]] ; then
# Copy stages to prod registry from dev registry.
export WERF_DISABLE_META_TAGS=true
werf build \
--repo ${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX} \
--secondary-repo $WERF_REPO \
--parallel=true --parallel-tasks-limit=5 \
--save-build-report=true \
--tmp-dir="$TEMP_WORKDIR" \
--build-report-path images_tags_werf.json
cp images_tags_werf.json "$TEMP_WORKDIR"
fi
# Note: do not run second werf build for test repo, as it has no secondary repo.
echo "⚓️ 💫 [$(date -u)] Publish 'dev' image to deckhouse registry using tag ${IMAGE_TAG} ..."
DECKHOUSE_IMAGE_SRC="$(jq -r '.Images."dev".DockerImageName' images_tags_werf.json)"
DECKHOUSE_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}:${IMAGE_TAG}
pull_push_rmi 'dev' ${DECKHOUSE_IMAGE_SRC} ${DECKHOUSE_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install:${IMAGE_TAG}
pull_push_rmi 'dev/install' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'dev/install-standalone' image to deckhouse registry using tag ${IMAGE_TAG} ..."
INSTALL_IMAGE_SRC="$(jq -r '.Images."dev/install-standalone".DockerImageName' images_tags_werf.json)"
INSTALL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/install-standalone:${IMAGE_TAG}
pull_push_rmi 'dev/install-standalone' ${INSTALL_IMAGE_SRC} ${INSTALL_IMAGE}
echo "⚓️ 💫 [$(date -u)] Publish 'release-channel-version' image to deckhouse registry using tag ${IMAGE_TAG} ..."
RELEASE_CHANNEL_IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)"
RELEASE_CHANNEL_IMAGE=${SEMVER_REGISTRY_PATH}/${REGISTRY_SUFFIX}/release-channel:${IMAGE_TAG}
pull_push_rmi 'release-channel-version' ${RELEASE_CHANNEL_IMAGE_SRC} ${RELEASE_CHANNEL_IMAGE}
fi
# Save 'tests' image name to pass it as output for 'tests' jobs.
TESTS_IMAGE_NAME="$(jq -r '.Images."tests".DockerImageName' images_tags_werf.json)"
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
# Encode as gzip+base64 to evade github's SecretMasker error: "Skip output since it may contain secret".
echo "tests_image_name=$(echo ${TESTS_IMAGE_NAME} | gzip | base64 -w0)" >> $GITHUB_OUTPUT
- name: Check DKP images manifests in public registry
if: ${{ github.repository == 'deckhouse/deckhouse' && startsWith(github.ref, 'refs/tags/v') }}
id: check_images
env:
CI_COMMIT_REF_SLUG: ${{needs.git_info.outputs.ci_commit_ref_slug}}
DECKHOUSE_REGISTRY_READ_HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
EDITION=$(echo ${WERF_ENV} | tr '[:upper:]' '[:lower:]')
./tools/check-release-images.sh --tag ${CI_COMMIT_REF_SLUG} --edition ${EDITION} --images-path ${DECKHOUSE_REGISTRY_READ_HOST}/deckhouse/
- name: Cleanup
if: ${{ always() }}
run: |
rm -f images_tags_werf.json
# </template: build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Build CE';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
doc_web_build:
name: Doc web build
if: ${{ needs.git_info.outputs.ci_commit_ref_name == 'main' && github.repository == 'deckhouse/deckhouse' }}
# Wait for success build of modules.
needs:
- git_info
# <template: web_build_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run doc web build
uses: werf/actions/build@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
env:
WERF_DIR: "docs/documentation"
WERF_LOG_VERBOSE: "on"
WERF_ENV: "EE"
WERF_REPO: "${{ steps.check_rw_registry.outputs.web_registry_path }}"
WERF_SECONDARY_REPO: "${{ steps.check_dev_registry.outputs.web_registry_path }}"
# </template: web_build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Doc web build';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
main_web_build:
name: Main web build
if: ${{ needs.git_info.outputs.ci_commit_ref_name == 'main' && github.repository == 'deckhouse/deckhouse' }}
# Wait for success build of modules.
needs:
- git_info
# <template: web_build_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run main web build
uses: werf/actions/build@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
env:
WERF_DIR: "docs/site"
WERF_LOG_VERBOSE: "on"
WERF_ENV: "EE"
DOC_API_KEY: "${{secrets.DOC_API_KEY}}"
DOC_API_URL: "${{vars.DOC_API_URL}}"
WERF_REPO: "${{ steps.check_rw_registry.outputs.web_registry_path }}"
WERF_SECONDARY_REPO: "${{ steps.check_dev_registry.outputs.web_registry_path }}"
# </template: web_build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Main web build';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
tests:
name: Tests
needs:
- git_info
# <template: tests_before_build_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run tests
env:
TESTS_IMAGE_NAME: "registry.deckhouse.io/base_images/golang:1.23.4-bullseye@sha256:9b3176d53704a9b1be19d307b660733cc691af02906d7e918dbe4d11427a422c"
run: |
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
echo "⚓️ 📥 [$(date -u)] Pull 'tests' image..."
docker pull ${TESTS_IMAGE_NAME}
echo "⚓️ 🏎 [$(date -u)] Run tests..."
docker run -w /deckhouse -v ${{github.workspace}}:/deckhouse -e "TERM=xterm-256color" -v ~/go-pkg-cache:/go/pkg ${TESTS_IMAGE_NAME} make tests-controller tests-modules
# </template: tests_before_build_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Tests';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
tests_python_webhooks:
name: Tests python webhooks
needs:
- git_info
# <template: tests_webhooks_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
- name: Run python webhook tests
run: |
make tests-webhooks
# </template: tests_webhooks_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Tests python webhooks';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
tests_dmt_lint:
name: DMT lint
needs:
- git_info
# <template: tests_dmt_lint>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
- name: DMT lint
run: |
make dmt-lint
# </template: tests_dmt_lint>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'DMT lint';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
dhctl_tests:
name: Dhctl Tests
needs:
- git_info
- build_fe
# <template: tests_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run tests
env:
TESTS_IMAGE_NAME: ${{needs.build_fe.outputs.tests_image_name}}
run: |
if [[ -z ${TESTS_IMAGE_NAME} ]] ; then
echo "TESTS_IMAGE_NAME is empty"
exit 1
fi
# Decode image name from gzip+base64.
TESTS_IMAGE_NAME=$(echo ${TESTS_IMAGE_NAME} | base64 -d | gunzip)
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
echo "⚓️ 📥 [$(date -u)] Pull 'tests' image..."
docker pull ${TESTS_IMAGE_NAME}
echo "⚓️ 🏎 [$(date -u)] Run tests..."
docker run -w /deckhouse/dhctl -v ~/go-pkg-cache:/go/pkg ${TESTS_IMAGE_NAME} make ci
# </template: tests_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Dhctl Tests';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
golangci_lint:
name: GolangCI Lint
needs:
- git_info
- build_fe
# <template: tests_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run tests
env:
TESTS_IMAGE_NAME: ${{needs.build_fe.outputs.tests_image_name}}
run: |
if [[ -z ${TESTS_IMAGE_NAME} ]] ; then
echo "TESTS_IMAGE_NAME is empty"
exit 1
fi
# Decode image name from gzip+base64.
TESTS_IMAGE_NAME=$(echo ${TESTS_IMAGE_NAME} | base64 -d | gunzip)
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
echo "⚓️ 📥 [$(date -u)] Pull 'tests' image..."
docker pull ${TESTS_IMAGE_NAME}
echo "⚓️ 🏎 [$(date -u)] Run tests..."
docker run -w /deckhouse -v ${{github.workspace}}:/deckhouse -e "TERM=xterm-256color" -v ~/go-pkg-cache:/go/pkg ${TESTS_IMAGE_NAME} sh -c "go generate tools/register.go && GOGC=50 GOFLAGS=\"-buildvcs=false\" golangci-lint run"
# </template: tests_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'GolangCI Lint';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
openapi_test_cases:
name: OpenAPI Test Cases
needs:
- git_info
- build_fe
# <template: tests_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run tests
env:
TESTS_IMAGE_NAME: ${{needs.build_fe.outputs.tests_image_name}}
run: |
if [[ -z ${TESTS_IMAGE_NAME} ]] ; then
echo "TESTS_IMAGE_NAME is empty"
exit 1
fi
# Decode image name from gzip+base64.
TESTS_IMAGE_NAME=$(echo ${TESTS_IMAGE_NAME} | base64 -d | gunzip)
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
echo "⚓️ 📥 [$(date -u)] Pull 'tests' image..."
docker pull ${TESTS_IMAGE_NAME}
echo "⚓️ 🏎 [$(date -u)] Run tests..."
docker run -v ${{github.workspace}}:/deckhouse -w /deckhouse -v ~/go-pkg-cache:/go/pkg ${TESTS_IMAGE_NAME} ginkgo -vet=off ./testing/openapi_cases/
# </template: tests_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'OpenAPI Test Cases';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
web_links_test:
name: Web links test
if: ${{ needs.git_info.outputs.ci_commit_ref_name == 'main' && github.repository == 'deckhouse/deckhouse' }}
needs:
- git_info
- doc_web_build
- main_web_build
# <template: web_links_test_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
# <template: werf_install_step>
- name: Install werf CLI
uses: werf/actions/install@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
# </template: werf_install_step>
- name: Prepare site structure
env:
DOC_API_KEY: "${{secrets.DOC_API_KEY}}"
DOC_API_URL: "${{vars.DOC_API_URL}}"
WERF_ENV: "EE"
DECKHOUSE_REGISTRY_READ_HOST: "${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}"
CHECKER_IMAGE: "${{vars.DOC_LINK_CHECKER_IMAGE}}"
WEB_REGISTRY_PATH: ${{steps.check_rw_registry.outputs.web_registry_path}}
run: |
type werf
werf version
BASEDIR=$(pwd)/docs
_TMPDIR=$(mktemp -d -t -p ${BASEDIR})
# Save TMPDIR to clean it later.
echo "_TMPDIR=$_TMPDIR" >> ${GITHUB_ENV}
echo "_TMPDIR=$_TMPDIR"
export WERF_REPO="${WEB_REGISTRY_PATH}"
echo -n 'use werf_repo '
echo $WERF_REPO | tr 'a-z' 'A-Z'
# Extract site content to the tmp directory.
export WERF_DIR=$BASEDIR/site
echo "Use werf_dir $WERF_DIR"
type werf && source $(werf ci-env github --verbose --as-file)
echo "werf stage image web-backend:"
werf stage image web-backend | tr 'a-z' 'A-Z'
docker pull $(werf stage image web-backend) || true
echo "werf stage image web-frontend:"
werf stage image web-frontend | tr 'a-z' 'A-Z'
docker pull $(werf stage image web-frontend) || true
echo "Copying files from the web-backend container..."
docker cp $(docker create --rm $(werf stage image web-backend)):/app/root ${_TMPDIR}/backend
echo "Copying files from the web-frontend container..."
docker cp $(docker create --rm $(werf stage image web-frontend)):/app ${_TMPDIR}/frontend
# Extract documentation content to the tmp directory.
export WERF_DIR=$BASEDIR/documentation
type werf && source $(werf ci-env github --verbose --as-file)
echo "werf stage image docs/web:"
werf stage image docs/web | tr 'a-z' 'A-Z'
docker pull $(werf stage image docs/web)
echo "Copying DKP documentation files from the docs/web container..."
docker cp $(docker create --rm $(werf stage image docs/web)):/app ${_TMPDIR}/dkp-documentation
# Create EN site structure.
echo "Create site structure in ${_TMPDIR}"
mkdir -p ${_TMPDIR}/site_en/products/kubernetes-platform/documentation/ ${_TMPDIR}/site_ru/products/kubernetes-platform/documentation/
touch ${_TMPDIR}/site_en/index.html ${_TMPDIR}/site_ru/index.html
rsync -a --exclude='ru' --exclude='en' --exclude='compare' --exclude='includes/header.html' ${_TMPDIR}/frontend/ ${_TMPDIR}/site_en/
rsync -a --exclude='ru' --exclude='en' --exclude='compare' --exclude='includes/header.html' ${_TMPDIR}/frontend/ ${_TMPDIR}/site_ru/
#
rsync -a ${_TMPDIR}/frontend/en/ ${_TMPDIR}/site_en/
rsync -a ${_TMPDIR}/frontend/ru/ ${_TMPDIR}/site_ru/
#
rsync -a --exclude='includes/header.html' ${_TMPDIR}/backend/en/ ${_TMPDIR}/site_en/
rsync -a --exclude='includes/header.html' ${_TMPDIR}/backend/ru/ ${_TMPDIR}/site_ru/
#
rsync -a --exclude='ru' --exclude='en' --exclude='compare' ${_TMPDIR}/dkp-documentation/ ${_TMPDIR}/site_en/products/kubernetes-platform/documentation/
rsync -a --exclude='ru' --exclude='en' --exclude='compare' ${_TMPDIR}/dkp-documentation/ ${_TMPDIR}/site_ru/products/kubernetes-platform/documentation/
rsync -a ${_TMPDIR}/dkp-documentation/en/ ${_TMPDIR}/site_en/products/kubernetes-platform/documentation/
rsync -a ${_TMPDIR}/dkp-documentation/ru/ ${_TMPDIR}/site_ru/products/kubernetes-platform/documentation/
#
rsync -a ${_TMPDIR}/dkp-documentation/{assets,images} ${_TMPDIR}/site_en/products/kubernetes-platform/documentation
rsync -a ${_TMPDIR}/dkp-documentation/{assets,images} ${_TMPDIR}/site_ru/products/kubernetes-platform/documentation
echo "Moving DKP guides and GS files..."
mv ${_TMPDIR}/site_ru/{gs,guides} ${_TMPDIR}/site_ru/products/kubernetes-platform
mv ${_TMPDIR}/site_en/{gs,guides} ${_TMPDIR}/site_en/products/kubernetes-platform
echo "Moving DVP files..."
mv ${_TMPDIR}/site_ru/virtualization-platform ${_TMPDIR}/site_ru/products/virtualization-platform
mv ${_TMPDIR}/site_en/virtualization-platform ${_TMPDIR}/site_en/products/virtualization-platform
- name: Check links with html-proofer
continue-on-error: true
env:
DECKHOUSE_REGISTRY_READ_HOST: "${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}"
CHECKER_IMAGE: "${{vars.DOC_LINK_CHECKER_IMAGE}}"
run: |
test -e ./tools/docs/link-checker/entrypoint.sh && \
docker run \
--rm \
-v "${_TMPDIR}/site_en:/src/en:ro" \
-v "${_TMPDIR}/site_ru:/src/ru:ro" \
-v "./tools/docs/link-checker/entrypoint.sh:/entrypoint.sh:ro" \
-u $(id -u) \
${DECKHOUSE_REGISTRY_READ_HOST}/base_images/${CHECKER_IMAGE} \
/entrypoint.sh
- name: Clean TMPDIR
if: always()
run: |
if [[ -n $_TMPDIR ]] ; then
rm -rf $_TMPDIR
fi
# </template: web_links_test_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Web links test';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
validators:
name: Validators
needs:
- git_info
- build_fe
# <template: tests_template>
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_dev_registry_step>
- name: Check dev registry credentials
id: check_dev_registry
env:
HOST: ${{secrets.DECKHOUSE_DEV_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to dev registry
uses: docker/[email protected]
if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_DEV_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_DEV_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
logout: false
# </template: login_dev_registry_step>
# <template: login_rw_registry_step>
- name: Check rw registry credentials
id: check_rw_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to rw registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
logout: false
- name: Login to Github Container Registry
uses: docker/[email protected]
if: ${{ steps.check_rw_registry.outputs.has_credentials != 'true' }}
with:
registry: ghcr.io
username: ${{ secrets.GHCR_IO_REGISTRY_USER }}
password: ${{ secrets.GHCR_IO_REGISTRY_PASSWORD }}
logout: false
# </template: login_rw_registry_step>
- name: Run tests
env:
TESTS_IMAGE_NAME: ${{needs.build_fe.outputs.tests_image_name}}
run: |
if [[ -z ${TESTS_IMAGE_NAME} ]] ; then
echo "TESTS_IMAGE_NAME is empty"
exit 1
fi
# Decode image name from gzip+base64.
TESTS_IMAGE_NAME=$(echo ${TESTS_IMAGE_NAME} | base64 -d | gunzip)
# Print image name in uppercase to prevent hiding non-secret registry host stored in secret.
echo "Tests image name: '${TESTS_IMAGE_NAME}'" | tr '[:lower:]' '[:upper:]'
echo "⚓️ 📥 [$(date -u)] Pull 'tests' image..."
docker pull ${TESTS_IMAGE_NAME}
echo "⚓️ 🏎 [$(date -u)] Run tests..."
docker run -w /deckhouse -v ~/go-pkg-cache:/go/pkg ${TESTS_IMAGE_NAME} go test -tags=validation -run Validation -timeout=${{env.TEST_TIMEOUT}} ./testing/...
# </template: tests_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = 'Validators';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
deploy_latest_web_site_prod_sel:
name: (Prod) Deploy latest site
needs:
- git_info
- doc_web_build
- main_web_build
if: ${{ needs.git_info.outputs.ci_commit_ref_name == 'main' && github.repository == 'deckhouse/deckhouse' }}
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: doc_version_template>
- name: Set documentation version
env:
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
run: |
echo "DOC_VERSION=${CI_COMMIT_TAG:-latest}" >> $GITHUB_ENV
# </template: doc_version_template>
# <template: deploy_site_template>
- name: Deploy site to preproduction
uses: werf/actions/converge@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
kube-config-base64-data: "${{ secrets.KUBECONFIG_BASE64_PROD_SEL }}"
env: web-production
env:
WERF_REPO: ${{ steps.check_readonly_registry.outputs.web_registry_path }}
WERF_DIR: "docs/site"
WERF_RELEASE: "deckhouse-site"
WERF_NAMESPACE: deckhouse-web-production
WERF_SET_DOC_VERSION: "global.doc_version=${{ env.DOC_VERSION }}"
WERF_SET_ACTIVE_RELEASE: "global.active_release=v1"
WERF_SET_URL: "global.url=deckhouse.io"
WERF_SET_URL_RU: "global.url_ru=deckhouse.ru"
WERF_SET_WEB_ENV: "web.env=web-production"
WERF_SET_DOMAIN_MAP: "global.domain_map=eyJlbiIgOiAiZGVja2hvdXNlLmlvIiwgInJ1IiA6ICJkZWNraG91c2UucnUifQ=="
WERF_SET_DCNAME: "web.dc_name=prod-sel"
DOC_API_KEY: "${{secrets.DOC_API_KEY}}"
DOC_API_URL: "${{vars.DOC_API_URL}}"
WERF_SET_MODULE_WATCHER_AUTHS: "global.moduleWatcherAuths=${{ secrets.MODULE_WATCHER_AUTHS }}"
# </template: deploy_site_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = '(Prod) Deploy latest site';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
deploy_latest_web_doc_prod_sel:
name: (Prod) Deploy latest doc
needs:
- git_info
- doc_web_build
- main_web_build
if: ${{ needs.git_info.outputs.ci_commit_ref_name == 'main' && github.repository == 'deckhouse/deckhouse' }}
runs-on: [self-hosted, regular]
steps:
# <template: started_at_output>
- name: Job started timestamp
id: started_at
run: |
unixTimestamp=$(date +%s)
echo "started_at=${unixTimestamp}" >> $GITHUB_OUTPUT
# </template: started_at_output>
# <template: checkout_full_step>
- name: Checkout sources
uses: actions/[email protected]
with:
fetch-depth: 0
# </template: checkout_full_step>
# <template: login_readonly_registry_step>
- name: Check readonly registry credentials
id: check_readonly_registry
env:
HOST: ${{secrets.DECKHOUSE_REGISTRY_READ_HOST}}
run: |
if [[ -n $HOST ]]; then
echo "has_credentials=true" >> $GITHUB_OUTPUT
echo "web_registry_path=${{secrets.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
fi
- name: Login to readonly registry
uses: docker/[email protected]
if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
with:
registry: ${{ secrets.DECKHOUSE_REGISTRY_READ_HOST }}
username: ${{ secrets.DECKHOUSE_REGISTRY_READ_USER }}
password: ${{ secrets.DECKHOUSE_REGISTRY_READ_PASSWORD }}
logout: false
# </template: login_readonly_registry_step>
# <template: doc_version_template>
- name: Set documentation version
env:
CI_COMMIT_TAG: ${{needs.git_info.outputs.ci_commit_tag}}
run: |
echo "DOC_VERSION=${CI_COMMIT_TAG:-latest}" >> $GITHUB_ENV
# </template: doc_version_template>
# <template: deploy_doc_template>
- name: Deploy documentation to preproduction
uses: werf/actions/converge@43075e4ab81952b181d33e125ef15b9c060a782e
with:
channel: ${{env.WERF_CHANNEL}}
kube-config-base64-data: "${{ secrets.KUBECONFIG_BASE64_PROD_SEL }}"
env: web-production
env:
WERF_REPO: ${{ steps.check_readonly_registry.outputs.web_registry_path }}
WERF_DIR: "docs/documentation"
WERF_RELEASE: "deckhouse-doc-${{ env.DOC_VERSION }}"
WERF_NAMESPACE: deckhouse-web-production
WERF_SET_DOC_VERSION: "global.doc_version=${{ env.DOC_VERSION }}"
WERF_SET_URL: "global.url=deckhouse.io"
WERF_SET_URL_RU: "global.url_ru=deckhouse.ru"
WERF_SET_WEB_ENV: "web.env=web-production"
WERF_SET_DCNAME: "web.dc_name=prod-sel"
# </template: deploy_doc_template>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'job,one-line';
const name = '(Prod) Deploy latest doc';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>
last_comment:
name: Update comment on finish
needs:
- started_at
- git_info
- go_generate
- workflow_render
- build_fe
- build_ee
- build_ce
- build_be
- build_se
- build_se_plus
- doc_web_build
- main_web_build
- deploy_latest_web_site_prod_sel
- deploy_latest_web_doc_prod_sel
- tests
- dhctl_tests
- golangci_lint
- openapi_test_cases
- validators
if: ${{ always() }}
runs-on: ubuntu-latest
env:
JOB_NAMES: |
{"build_be":"Build BE","build_ce":"Build CE","build_ee":"Build EE","build_fe":"Build FE","build_se":"Build SE","build_se_plus":"Build SE-plus","deploy_latest_web_doc_prod_sel":"(Prod) Deploy latest doc","deploy_latest_web_site_prod_sel":"(Prod) Deploy latest site","dhctl_tests":"Dhctl Tests","doc_web_build":"Doc web build","go_generate":"Go Generate","golangci_lint":"GolangCI Lint","main_web_build":"Main web build","openapi_test_cases":"OpenAPI Test Cases","tests":"Tests","tests_dmt_lint":"DMT lint","tests_python_webhooks":"Tests python webhooks","validators":"Validators","web_links_test":"Web links test","workflow_render":"Render workflow"}
steps:
# <template: checkout_step>
- name: Checkout sources
uses: actions/[email protected]
# </template: checkout_step>
# <template: update_comment_on_finish>
- name: Update comment on finish
id: update_comment_on_finish
if: ${{ always() && github.event_name == 'workflow_dispatch' && !!github.event.inputs.issue_number }}
env:
NEEDS_CONTEXT: ${{ toJSON(needs) }}
JOB_CONTEXT: ${{ toJSON(job) }}
STEPS_CONTEXT: ${{ toJSON(steps) }}
uses: actions/[email protected]
with:
github-token: ${{secrets.BOATSWAIN_GITHUB_TOKEN}}
retries: 3
script: |
const statusConfig = 'workflow,final,restore-one-line';
const name = 'Build and test for release';
const needsContext = JSON.parse(process.env.NEEDS_CONTEXT);
const jobContext = JSON.parse(process.env.JOB_CONTEXT);
const stepsContext = JSON.parse(process.env.STEPS_CONTEXT);
let jobNames = null
if (process.env.JOB_NAMES) {
jobNames = JSON.parse(process.env.JOB_NAMES);
}
core.info(`needsContext: ${JSON.stringify(needsContext)}`);
core.info(`jobContext: ${JSON.stringify(jobContext)}`);
core.info(`stepsContext: ${JSON.stringify(stepsContext)}`);
core.info(`jobNames: ${JSON.stringify(jobNames)}`);
const ci = require('./.github/scripts/js/ci');
return await ci.updateCommentOnFinish({github, context, core, statusConfig, name, needsContext, jobContext, stepsContext, jobNames});
# </template: update_comment_on_finish>