From 987358613dff6953dd99c42c2d6fb63e57befd51 Mon Sep 17 00:00:00 2001
From: immxmmi
Date: Mon, 5 May 2025 11:32:02 +0200
Subject: [PATCH 1/5] refactor GitHub Actions workflow: reorganize jobs and enhance deployment comments for clarity and maintainability adapt push main refactor GitHub Actions workflows: consolidate push logic into build.yaml and remove redundant push-main.yaml fix: update Docker image tag formatting for pull requests feat: add GitHub Actions workflow for build and publish process fix: update Docker image tagging logic for cosign to handle main branch and PRs
---
 .../{build.yaml => build-and-publish.yaml} | 11 ++-
 .github/workflows/pr-cleanup.yaml | 7 +-
 .github/workflows/push-main.yaml | 98 -------------------
 scripts/deploy_helm_release.sh | 2 -
 scripts/redeploy_deployment.sh | 2 +-
 5 files changed, 14 insertions(+), 106 deletions(-)
 rename .github/workflows/{build.yaml => build-and-publish.yaml} (87%)
 delete mode 100644 .github/workflows/push-main.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build-and-publish.yaml
similarity index 87%
rename from .github/workflows/build.yaml
rename to .github/workflows/build-and-publish.yaml
index 346eea4..e2f165c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build-and-publish.yaml
@@ -1,4 +1,4 @@
-name: Build Training +name: Dagger Techlab Puzzle Build and Publish permissions: contents: read
@@ -9,6 +9,9 @@ permissions:
 on: pull_request: workflow_dispatch: + push: + branches: + - main env: REGISTRY: ghcr.io
@@ -72,7 +75,7 @@ jobs:
 file: ./Dockerfile push: true tags: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }} + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} cache-from: type=gha cache-to: type=gha,mode=max - name: Install cosign
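Review bot: The new `push` trigger on `main` routes merges through this workflow, but the production deployment that the deleted `push-main.yaml` performed (`KUBECONFIG_PROD_AV2`, namespace `pitc-cicd-dagger-techlab-prod`) has no visible counterpart in the renamed file, which as far as this series shows only targets `pitc-cicd-dagger-techlab-test`. If dropping the prod deploy is intended, the commit message should say so instead of calling the old workflow redundant; if it is not, a push to `main` now publishes `latest` without deploying it anywhere. The `on:` block is shown in full here, but the `permissions` block it follows is only partly visible.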
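Review bot: With `workflow_dispatch` still in the trigger list, the new tag expression on the `+` tags line has no arm for a manual run: dispatched from any branch other than `main`, `github.event.pull_request.number` is empty and the image is pushed under the shared tag `pr-`, so concurrent dispatches from different branches overwrite each other. The same expression is repeated for `TAG` in the sign and verify steps (@@ -81,13 hunk) and is later centralised as the `IMAGE_TAG` env in PATCH 2/5, which keeps the gap. A third arm covers that case: `${{ github.ref == 'refs/heads/main' && 'latest' || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('sha-{0}', github.sha) }}`. The step belongs to a job whose start lies above the hunk.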
@@ -81,13 +84,13 @@ jobs:
 cosign-release: 'v2.2.4' - name: Sign Docker image with cosign env: - TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }} + TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} DIGEST: ${{ steps.build-and-push.outputs.digest }} run: | COSIGN_EXPERIMENTAL=1 cosign sign --yes ${TAG}@${DIGEST} - name: Verify Docker image with cosign env: - TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }} + TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} DIGEST: ${{ steps.build-and-push.outputs.digest }} run: bash ./scripts/verify_cosign.sh
diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml
index 3013b65..78570f3 100644
--- a/.github/workflows/pr-cleanup.yaml
+++ b/.github/workflows/pr-cleanup.yaml
@@ -17,15 +17,20 @@ jobs:
 - name: Checkout uses: actions/checkout@v4 with: - submodules: recursive + sparse-checkout: | + scripts + sparse-checkout-cone-mode: false + - name: Install Helm uses: azure/setup-helm@v4 with: version: 'latest' + - name: Install Kubectl uses: azure/setup-kubectl@v4 with: version: 'latest' + - name: Create KUBECONFIG env: KUBE_CONFIG: '${{ secrets.KUBECONFIG_TEST_AV2 }}'
diff --git a/.github/workflows/push-main.yaml b/.github/workflows/push-main.yaml
deleted file mode 100644
index 350c0aa..0000000
--- a/.github/workflows/push-main.yaml
+++ /dev/null
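Review bot: With `sparse-checkout-cone-mode: false` the new `scripts` pattern is a gitignore-style pattern, so it matches any file or directory named `scripts` at any depth rather than only the top-level directory the `Create KUBECONFIG` step needs; anchoring it as `/scripts/` states the intent exactly (the same unanchored pattern is reused in the `verify_image` checkout of PATCH 2/5). Since this job holds a cluster credential from `secrets.KUBECONFIG_TEST_AV2`, the third-party actions it runs (`azure/setup-helm@v4`, `azure/setup-kubectl@v4`) are worth pinning to full commit SHAs instead of mutable major-version tags. The job's remaining steps continue below the hunk.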
@@ -1,98 +0,0 @@
-name: Publish Main Version - -on: - push: - branches: - - main - -env: - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - -jobs: - build: - runs-on: ubuntu-latest - env: - KUBE_CONFIG_PATH: '$HOME/.kube' - KUBE_CONFIG_FILENAME: 'config' - steps: - - - name: Checkout - uses: actions/checkout@v4 - with: - submodules: recursive - - - name: Set up npm for linting - uses: actions/setup-node@v4 - with: - node-version: 'latest' - - - name: Lint Markdown - run: npm ci && npm run mdlint - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Push Latest version - id: build-and-push - uses: docker/build-push-action@v6 - with: - context: . - file: ./Dockerfile - push: true - tags: | - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: 'Install Helm' - uses: azure/setup-helm@v4 - with: - version: 'latest' - - - name: Install Kubectl - uses: azure/setup-kubectl@v4 - with: - version: 'latest' - - - name: Create KUBECONFIG - env: - KUBE_CONFIG: '${{ secrets.KUBECONFIG_PROD_AV2 }}' - run: bash ./scripts/create_kubeconfig.sh - - - name: Deploy Helm Release - env: - TRAINING_HELM_RELEASE: 'latest' - TRAINING_NAMESPACE: 'pitc-cicd-dagger-techlab-prod' - TRAINING_VERSION: '${{ github.sha }}' - run: | - helm upgrade $TRAINING_HELM_RELEASE acend-training-chart --install --wait \ - --kubeconfig "$KUBE_CONFIG_PATH/$KUBE_CONFIG_FILENAME" \ - --namespace=$TRAINING_NAMESPACE \ - --set=app.name=$HELM_RELEASE \ - --set=app.version=$TRAINING_VERSION \ - --repo=https://acend.github.io/helm-charts/ \ - --values=helm-chart/values.yaml \ -
--set-string=acendTraining.deployments[0].ingress.labels.public=true \ - --atomic - - - name: Redeploy Deployments - env: - TRAINING_HELM_RELEASE: 'latest' - TRAINING_HELM_NAME: 'dagger-techlab-puzzle' - TRAINING_NAMESPACE: 'pitc-cicd-dagger-techlab-prod' - run: | - kubectl rollout restart deployment/${TRAINING_HELM_RELEASE}-${TRAINING_HELM_NAME} \ - --kubeconfig "$KUBE_CONFIG_PATH/$KUBE_CONFIG_FILENAME" \ - --namespace $TRAINING_NAMESPACE
diff --git a/scripts/deploy_helm_release.sh b/scripts/deploy_helm_release.sh
index 0df5348..9642c7c 100755
--- a/scripts/deploy_helm_release.sh
+++ b/scripts/deploy_helm_release.sh
@@ -1,4 +1,3 @@
- #!/bin/bash set -euo pipefail
@@ -20,7 +19,6 @@ helm upgrade "$HELM_RELEASE" acend-training-chart \
 --set=app.version="$TRAINING_VERSION" \ --repo=https://acend.github.io/helm-charts/ \ --values=helm-chart/values.yaml \ - --set-string=acendTraining.deployments[0].ingress.labels.public=true \ --atomic echo "✅ Helm release '$HELM_RELEASE' deployed successfully." \ No newline at end of file
diff --git a/scripts/redeploy_deployment.sh b/scripts/redeploy_deployment.sh
index 0fe4b51..fe76510 100755
--- a/scripts/redeploy_deployment.sh
+++ b/scripts/redeploy_deployment.sh
@@ -16,4 +16,4 @@ kubectl rollout restart deployment/"$DEPLOYMENT_NAME" \
 --kubeconfig "$KUBE_CONFIG_PATH/$KUBE_CONFIG_FILENAME" \ --namespace "$NAMESPACE" -echo "✅ Deployment '$DEPLOYMENT_NAME' restarted successfully." \ No newline at end of file +echo "✅ Deployment '$DEPLOYMENT_NAME' restarted successfully."
From d007500e7ac2c676628afda482a5749386feabc6 Mon Sep 17 00:00:00 2001
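Review bot: Removing `--set-string=acendTraining.deployments[0].ingress.labels.public=true` from the `helm upgrade` call changes how the chart labels the PR environment's ingress, and none of the five commit messages mention it; I cannot tell from the diff what the `public` label controls, but if it is what makes the `PR_ENV_URL` link reachable from outside the cluster, PR environments stop resolving after this change. Either restore the flag or record the reason for dropping it in the commit message, or move the setting into `helm-chart/values.yaml`, which the script already passes, so the behaviour stays explicit. The `helm upgrade` command begins above the hunk.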
From: immxmmi
Date: Mon, 19 May 2025 10:51:23 +0200
Subject: [PATCH 2/5] add image tag to PR comment for better deployment visibility refactor: streamline image tagging process in build and push workflow refactor: simplify image tagging and digest handling in build workflow refactor: restructure build workflow to separate image building and pushing steps refactor: update image digest handling in push_image job and add error check for empty digest feat: add Docker login step to push_image and verify_image jobs refactor: add image digest handling in sign_image and verify_image jobs refactor: remove redundant checkout steps in sign_image and verify_image jobs refactor: update sparse-checkout configuration to include only scripts refactor: update sparse-checkout configuration in verify_image and deploy jobs refactor: update image name output handling in build_image job refactor: remove QEMU and Buildx setup steps from build_image job refactor: streamline build_image job by removing redundant checkout and setup steps refactor: update image digest handling in sign_image job to use output from save_digest step refactor: update cache configuration in build_image job for improved efficiency refactor: add Docker Buildx setup step in build_image job for enhanced build capabilities refactor: optimize build_image job by removing Docker Buildx setup and exporting cached image steps refactor: add Docker Buildx setup step in build_image job for enhanced build capabilities refactor: consolidate build and push steps in build_push_image job for improved workflow efficiency fix: update output references in save_digest step to use build_push_image job fix: add output declaration for digest in verify_image job update PR comment to include verified image digest and change image tag emoji for clarity fix: correct output reference in build_push_image job and clean up comment job steps fix: update image digest handling in sign_image job to use outputs directly fix: update job dependencies
and remove unused IMAGE_DIGEST variable
---
 .github/workflows/build-and-publish.yaml | 64 ++++++++++++++++++++----
 1 file changed, 53 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
index e2f165c..bf423b3 100644
--- a/.github/workflows/build-and-publish.yaml
+++ b/.github/workflows/build-and-publish.yaml
@@ -21,6 +21,7 @@ env:
 NAMESPACE: pitc-cicd-dagger-techlab-test TRAINING_VERSION: ${{ github.sha }} PR_ENV_URL: https://dagger-techlab-pr-${{ github.event.pull_request.number }}.ocp.cloudscale.puzzle.ch + IMAGE_TAG: ${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} jobs: lint:
@@ -49,9 +50,12 @@ jobs:
 - name: Lint Markdown run: npm ci && npm run mdlint - build_and_push: + + build_push_image: runs-on: ubuntu-latest needs: lint + outputs: + digest: ${{ steps.build-push.outputs.digest }} steps: - name: Checkout Repository uses: actions/checkout@v4
@@ -67,36 +71,73 @@ jobs:
 registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push Docker pr image - id: build-and-push + - name: Push Docker image + id: build-push uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile push: true tags: | - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} cache-from: type=gha cache-to: type=gha,mode=max + + sign_image: + runs-on: ubuntu-latest + needs: build_push_image + outputs: + digest: ${{ needs.build_push_image.outputs.digest }} + steps: + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Install cosign uses: sigstore/cosign-installer@v3.8.2 with: cosign-release: 'v2.2.4' - name: Sign Docker image with cosign env: - TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} + DIGEST: ${{ needs.build_push_image.outputs.digest }} run: | COSIGN_EXPERIMENTAL=1 cosign sign --yes ${TAG}@${DIGEST} + + verify_image: + runs-on: ubuntu-latest + needs: sign_image + outputs: + digest: ${{ needs.sign_image.outputs.digest }} + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + sparse-checkout: | + scripts + sparse-checkout-cone-mode: false + fetch-depth: 0 + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Install cosign + uses: sigstore/cosign-installer@v3.8.2 + with:
cosign-release: 'v2.2.4' - name: Verify Docker image with cosign env: - TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} + TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} + DIGEST: ${{ needs.sign_image.outputs.digest }} run: bash ./scripts/verify_cosign.sh deploy: runs-on: ubuntu-latest - needs: build_and_push + needs: verify_image env: KUBE_CONFIG_PATH: '$HOME/.kube' KUBE_CONFIG_FILENAME: 'config'
@@ -128,7 +169,7 @@ jobs:
 comment: runs-on: ubuntu-latest - needs: deploy + needs: verify_image steps: - name: Comment PR Environments in PR uses: marocchino/sticky-pull-request-comment@v2
@@ -136,4 +177,5 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} message: | 🚀 PR Environment: [Open Deployment](${{ env.PR_ENV_URL }}) - 🖋️ Image Digest: `${{ steps.build-and-push.outputs.digest }}` \ No newline at end of file + 🏷️ Image Tag: `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}` + 🖋️ Image Digest: `${{ needs.verify_image.outputs.digest }}` \ No newline at end of file
From 3633b884cf4f76c5916cddac05cd7f44ccc581dd Mon Sep 17 00:00:00 2001
From: immxmmi
Date: Mon, 19 May 2025 14:03:06 +0200
Subject: [PATCH 3/5] update cosign command to use --replace for signing Docker images
---
 .github/workflows/build-and-publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
index bf423b3..e723e58 100644
--- a/.github/workflows/build-and-publish.yaml
+++ b/.github/workflows/build-and-publish.yaml
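Review bot: The new `sign_image` job signs keylessly (`COSIGN_EXPERIMENTAL=1`, no `--key`) in a job of its own but declares no job-level `permissions`, so it inherits the workflow-level block, of which this series shows only `contents: read`; keyless signing needs `id-token: write` and pushing the signature to ghcr.io needs `packages: write`, so either confirm the top-level block grants both or add `permissions:` / `  id-token: write` / `  packages: write` under `sign_image` (`packages: read` is enough for `verify_image`). `verify_image` delegates to `./scripts/verify_cosign.sh`, which is outside the diff; since `deploy` now gates on this job, it is worth checking that the script pins `--certificate-identity` (or `--certificate-identity-regexp`) and `--certificate-oidc-issuer` to this workflow rather than accepting any certificate for the digest. The `fetch-depth: 0` on `verify_image`'s checkout fetches full history for a one-directory sparse checkout and can be dropped. The hunk ends inside the `deploy` job, whose steps continue below.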
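Review bot: Moving `comment` from `needs: deploy` to `needs: verify_image` posts the sticky comment with the `[Open Deployment](${{ env.PR_ENV_URL }})` link while `deploy` is still running or after it has failed, so the link can point at an environment that does not exist yet. Separately, since PATCH 1/5 added the `push` trigger on `main`, `comment` (and `deploy`) also run for pushes that have no pull request, where `github.event.pull_request.number` is empty; a guard `if: github.event_name == 'pull_request'` on `comment`, and a matching condition on `deploy` if pushes to `main` are not meant to deploy to the test namespace, closes that. The message hunk below (@@ -136,4) still leaves the file without a trailing newline.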
@@ -104,7 +104,7 @@ jobs:
 TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} DIGEST: ${{ needs.build_push_image.outputs.digest }} run: | - COSIGN_EXPERIMENTAL=1 cosign sign --yes ${TAG}@${DIGEST} + COSIGN_EXPERIMENTAL=1 cosign sign --replace ${TAG}@${DIGEST} verify_image: runs-on: ubuntu-latest
From 85d9845dc89977062eccd7855a90cb1f0b468208 Mon Sep 17 00:00:00 2001
From: immxmmi
Date: Mon, 19 May 2025 14:06:24 +0200
Subject: [PATCH 4/5] update cosign command to include signing key and auto-yes option
---
 .github/workflows/build-and-publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
index e723e58..d4d1907 100644
--- a/.github/workflows/build-and-publish.yaml
+++ b/.github/workflows/build-and-publish.yaml
@@ -104,7 +104,7 @@ jobs:
 TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} DIGEST: ${{ needs.build_push_image.outputs.digest }} run: | - COSIGN_EXPERIMENTAL=1 cosign sign --replace ${TAG}@${DIGEST} + COSIGN_EXPERIMENTAL=1 cosign sign --key=cosign.key --yes ${TAG}@${DIGEST} verify_image: runs-on: ubuntu-latest
From 7e57fc368fe5165de3f20a83eda585d6d52a1d12 Mon Sep 17 00:00:00 2001
From: immxmmi
Date: Mon, 19 May 2025 14:07:03 +0200
Subject: [PATCH 5/5] remove redundant signing key specification in cosign command
---
 .github/workflows/build-and-publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
index d4d1907..bf423b3 100644
--- a/.github/workflows/build-and-publish.yaml
+++ b/.github/workflows/build-and-publish.yaml
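Review bot: Dropping `--yes` from the `cosign sign` line removes the non-interactive confirmation; cosign 2.x (the job pins `v2.2.4`) asks before requesting a certificate and uploading to the transparency log, and a hosted runner has no terminal to answer, so this step is likely to fail as written. PATCH 4/5 puts `--yes` back, and the `index d4d1907..bf423b3` line of PATCH 5/5 shows the three follow-up commits net out to the PATCH 2/5 blob, so squashing them keeps the history bisectable. The `sign_image` job starts above the hunk.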
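Review bot: `--key=cosign.key` expects a private key file in the job's working directory, but `sign_image` (PATCH 2/5) has no checkout step, so the file cannot exist on the runner; and a signing key committed to the repository would be readable by everyone with read access to it. If key-based signing is ever wanted, keep the key in a repository secret and reference it as `--key env://COSIGN_PRIVATE_KEY`, with `COSIGN_PASSWORD` supplied from a secret as well. PATCH 5/5 reverts this line to keyless signing.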
@@ -104,7 +104,7 @@ jobs:
 TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} DIGEST: ${{ needs.build_push_image.outputs.digest }} run: | - COSIGN_EXPERIMENTAL=1 cosign sign --key=cosign.key --yes ${TAG}@${DIGEST} + COSIGN_EXPERIMENTAL=1 cosign sign --yes ${TAG}@${DIGEST} verify_image: runs-on: ubuntu-latest
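Review bot: The final form of the `cosign sign` line still sets `COSIGN_EXPERIMENTAL=1`, which has no effect from cosign 2.0 onward, where keyless signing is the default; with the job pinned to `v2.2.4` the prefix can go, leaving `cosign sign --yes ${TAG}@${DIGEST}`. The `index d4d1907..bf423b3` line shows this commit restores exactly the blob PATCH 2/5 produced, so PATCH 3/5 through 5/5 cancel out and are better squashed before merge. The `verify_image` job continues below the hunk.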