-
Notifications
You must be signed in to change notification settings - Fork 4.4k
139 lines (120 loc) · 5.35 KB
/
build-artifacts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# This workflow builds a dev binary and distributes a Docker image on every push to the main branch.
name: build-artifacts
on:
push:
branches:
- main
permissions:
contents: read
env:
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
jobs:
setup:
name: Setup
runs-on: ubuntu-latest
outputs:
compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }}
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
dev-build-push:
needs:
- setup
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
steps:
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth
# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/dockerhub username | DOCKERHUB_USERNAME;
kv/data/github/${{ github.repository }}/dockerhub token | DOCKERHUB_TOKEN;
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: ENT specific step as we need to set elevated GitHub permissions.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
- name: Build dev binary
run: make dev
- name: Set env vars
run: |
echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
echo "GITHUB_BUILD_URL=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
# NOTE: conditional specific logic as we store secrets in Vault in ENT and use GHA secrets in CE.
- name: Login to Docker Hub
uses: docker/#-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
username: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_USERNAME || secrets.DOCKERHUB_USERNAME }}
password: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}
- name: Docker build and push
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: ./bin
file: ./build-support/docker/Consul-Dev.dockerfile
labels: COMMIT_SHA=${{ github.sha }},GITHUB_BUILD_URL=${{ env.GITHUB_BUILD_URL }}
push: true
# This is required or else the image is not pullable.
# See https://github.com/docker/build-push-action/issues/820 for further
# details.
# TODO - investigate further and see if we can find a solution where we
# we don't have to know to set this.
provenance: false
tags: |
hashicorpdev/${{ github.event.repository.name }}:${{ env.SHORT_SHA }}
hashicorpdev/${{ github.event.repository.name }}:latest
# This is job is required for branch protection as a required gihub check
# because GitHub actions show up as checks at the job level and not the
# workflow level. This is currently a feature request:
# https://github.com/orgs/community/discussions/12395
#
# This job must:
# - be placed after the fanout of a workflow so that everything fans back in
# to this job.
# - "need" any job that is part of the fan out / fan in
# - implement the if logic because we have conditional jobs
# (go-test-enteprise) that this job needs and this would potentially get
# skipped if a previous job got skipped. So we use the if clause to make
# sure it does not get skipped.
build-artifacts-success:
needs:
- setup
- dev-build-push
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() }}
steps:
- name: evaluate upstream job results
run: |
# exit 1 if failure or cancelled result for any upstream job
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
exit 1
fi