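# Builds, signs and pushes the Aivenator container image, packages its Helm
# chart(s), and — on main only — pushes the chart and rolls it out.
name: Build and deploy Aivenator

# One run per workflow+ref: a newer push cancels the in-flight run for the same
# branch. NOTE(review): this also applies to main, so a rapid second push can
# cancel an in-progress rollout mid-deploy — confirm that is acceptable.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Triggered by every push on every branch (no `branches` filter). The image
# build/push runs for all branches; only the chart push and the rollout are
# restricted to main via the `if` guards below.
on:
  push:
    paths-ignore:
      - hack/**
      - '*.md'

env:
  GOOGLE_REGISTRY: "europe-north1-docker.pkg.dev"

jobs:
  build:
    name: Build and push
    runs-on: ubuntu-22.04
    # Least privilege: read the repo, mint an OIDC token for Workload Identity.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.2.3'
      # Keyless verification of the distroless base image against its known
      # Sigstore identity/issuer. This verifies whatever the mutable tag points
      # to at run time; the image is not otherwise consumed in this workflow,
      # so presumably this is a smoke test of the cosign install — verify.
      - name: Verify runner image
        run: cosign verify --certificate-identity [email protected] --certificate-oidc-issuer https://accounts.google.com gcr.io/distroless/static-debian11
      # SUPPLY CHAIN: this action is consumed from a mutable branch (@main,
      # excluded from ratchet), so any commit to nais/platform-build-push-sign
      # runs here with id-token:write and the registry service account. Pin to
      # a commit SHA once a trusted revision is known.
      - uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build-push-sign
        with:
          name: aivenator
          google_service_account: gh-aivenator
          # Dependabot pushes are built but never pushed to the registry.
          push: ${{ github.actor != 'dependabot[bot]' }}
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          multi-platform: true
          cache_from: type=gha
          cache_to: type=gha,mode=max
    outputs:
      # Image version/tag produced by the build; consumed by `chart` and `rollout`.
      version: "${{ steps.build-push-sign.outputs.version }}"

  chart:
    name: Build and push chart
    # Same pinned runner image as `build` for reproducibility (was ubuntu-latest).
    runs-on: ubuntu-22.04
    permissions:
      contents: 'read'
      id-token: 'write'
    needs:
      - build
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
      # Registry authentication only happens on main; on other branches the
      # chart is still packaged (below) but never pushed.
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        if: github.ref == 'refs/heads/main'
        uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # ratchet:google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: '[email protected]'
          token_format: 'access_token'
      # NOTE(review): no later step in this job invokes gcloud; this step looks
      # unused and could be dropped — confirm nothing relies on it before doing so.
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7' # ratchet:google-github-actions/setup-gcloud@v1
      - name: 'Log in to Google Artifact Registry'
        if: github.ref == 'refs/heads/main'
        # The access token is handed to the shell through the environment rather
        # than expanded into the script text, so it never lands in the generated
        # shell file and cannot break out of the shell quoting.
        env:
          GAR_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |-
          echo "$GAR_ACCESS_TOKEN" | docker login -u oauth2accesstoken --password-stdin "https://${GOOGLE_REGISTRY}"
      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # ratchet:azure/setup-helm@v3
        name: 'Setup Helm'
        with:
          version: '3.8.0'
      - name: Set versions
        # Stamp the image version onto every chart. The value comes from the
        # build job's output and is read by yq via `strenv`, so it is treated as
        # a literal string and nothing is interpolated into the shell script.
        env:
          CHART_VERSION: ${{ needs.build.outputs.version }}
        run: |-
          for chart in charts/*; do
            yq e '.version = strenv(CHART_VERSION)' --inplace "${chart}/Chart.yaml"
            yq e '.image.tag = strenv(CHART_VERSION)' --inplace "${chart}/values.yaml"
          done
      - name: Build Chart
        run: |-
          for chart in charts/*; do
            helm package "$chart"
          done
      - name: Push Chart
        if: github.ref == 'refs/heads/main'
        # GOOGLE_REGISTRY is a workflow-level env var and is exported to the shell.
        run: |-
          for chart in *.tgz; do
            helm push "$chart" "oci://${GOOGLE_REGISTRY}/nais-io/nais/feature"
          done

  rollout:
    name: Rollout
    # Only real (non-dependabot) pushes to main are rolled out.
    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/main'
    needs:
      - build
      - chart
    # Self-hosted deploy runner; the main-only guard above keeps feature-branch
    # pushes off it.
    runs-on: fasit-deploy
    permissions:
      id-token: write
    steps:
      # SUPPLY CHAIN: consumed via a mutable major tag (@v2, excluded from
      # ratchet) and executed on the deploy runner with id-token:write. Pin to a
      # commit SHA once a trusted revision is known.
      - uses: nais/fasit-deploy@v2 # ratchet:exclude
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/aivenator
          version: "${{ needs.build.outputs.version }}"
          feature_name: aivenator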