From f0652be31b44fa8d3e7b6bb24d05a2c672925f38 Mon Sep 17 00:00:00 2001
From: Peter Deme
Date: Mon, 21 Nov 2022 14:07:31 +0100
Subject: [PATCH] Add versioning to `main` branch (#29)
---
.github/workflows/build.yml | 7 +-
.github/workflows/deploy.yml | 63 ------------------
.github/workflows/prod-pr.yml | 21 ------
.github/workflows/publish/action.yml | 88 +++++++++++++++++++++++++
.github/workflows/publish_future.yml | 32 +++++++++
.github/workflows/publish_scheduled.yml | 53 +++++++++++++++
.github/workflows/publish_tagged.yml | 43 ++++++++++++
.github/workflows/trivy.yml | 4 +-
README.md | 15 +++-
9 files changed, 230 insertions(+), 96 deletions(-)
delete mode 100644 .github/workflows/deploy.yml
delete mode 100644 .github/workflows/prod-pr.yml
create mode 100644 .github/workflows/publish/action.yml
create mode 100644 .github/workflows/publish_future.yml
create mode 100644 .github/workflows/publish_scheduled.yml
create mode 100644 .github/workflows/publish_tagged.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b965fc4..e1bf20e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,6 @@ on: push: ignore-branches: - main - - future jobs: deployment:
@@ -23,7 +22,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - - name: Build and push the image + - name: Test if image can be built with buildx uses: docker/build-push-action@v3 with: push: false
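Review bot: The context line `ignore-branches:` under `on.push` is not a GitHub Actions filter key — the documented one is `branches-ignore` — so the intent of skipping pushes to `main` (where the new publish workflows run) is unlikely to take effect; depending on how the parser treats the unknown key this either fails workflow validation or runs the build on every push. The commit only drops the `- future` entry beneath it and leaves the key as is. Change the one line to `branches-ignore:`. The `on:` block begins above this hunk.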
@@ -32,12 +31,12 @@ jobs: # Can't use the output of the previous step because it's # a multiplatform build, so we need to build it again. - - name: Test if terragrunt & infracost works (AMD64) + - name: Test if terragrunt & infracost are executable (AMD64) run: | docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test . docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version" - - name: Test if terragrunt & infracost works (ARM64) + - name: Test if terragrunt & infracost are executable (ARM64) run: | docker build --build-arg TARGETARCH=arm64 -t runner-terraform-test . docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 048b692..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: Deploy
-
-on:
- push:
- branches:
- - main
- - future
- schedule:
- - cron: '20 8 * * 1'
-
-jobs:
- deployment:
- name: Build and deploy the image
- runs-on: ubuntu-latest
- container: docker
- permissions:
- id-token: write
- contents: read
- packages: write
-
- steps:
- - name: Check out repository code
- uses: actions/checkout@main
-
- - name: Install the latest AWS CLI
- run: |
- apk add --no-cache python3 py3-pip
- pip3 install --upgrade pip
- pip3 install awscli
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- aws-region: us-east-1
- role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- role-duration-seconds: 900
-
- - name: Log in to Amazon public ECR
- run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
-
- - name: Log in to GitHub registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- with:
- platforms: linux/arm64
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
-
- - name: Build and push the image
- uses: docker/build-push-action@v3
- with:
- push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/future' }}
- platforms: linux/amd64,linux/arm64
- tags: |
- ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
- ghcr.io/spacelift-io/runner-terraform:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
diff --git a/.github/workflows/prod-pr.yml b/.github/workflows/prod-pr.yml
deleted file mode 100644
index 220c74d..0000000
--- a/.github/workflows/prod-pr.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: prod-pr
-
-on:
- push:
- branches: [future]
-
-jobs:
- create-pr:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@main
-
- - name: Create Pull Request
- uses: vsoch/pull-request-action@1.0.22
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PASS_IF_EXISTS: true
- PULL_REQUEST_BODY: Let's synchronize future changes with the main branch
- PULL_REQUEST_BRANCH: main
- PULL_REQUEST_DRAFT: true
- PULL_REQUEST_TITLE: Synchronizing future with main
diff --git a/.github/workflows/publish/action.yml b/.github/workflows/publish/action.yml
new file mode 100644
index 0000000..6ef6da7
--- /dev/null
+++ b/.github/workflows/publish/action.yml
@@ -0,0 +1,88 @@
+name: Publish
+description: Builds and pushes the Docker image to the public ECR and GitHub registry
+
+inputs:
+ aws_role_to_assume:
+ description: The AWS role to assume. Used to authenticate with ECR.
+ required: true
+ github_token:
+ description: The GitHub token. Used to authenticate with GitHub registry.
+ required: true
+ git_tag:
+ description: Git tag to use for the GitHub Release
+ required: false
+ image_tags:
+ description: The tags of the Docker image to push
+ required: true
+ publish_release:
+ description: Whether to publish a GitHub Release
+ required: true
+ default: false
+ release_title:
+ description: The title of the GitHub Release.
+ required: false
+ release_body:
+ description: The body of the GitHub Release. If not provided, the body will be auto-generated.
+ required: false
+ checkout_ref:
+ description: The ref to checkout. If not provided, the basic checkout action will be used.
+ required: false
+
+runs:
+ using: composite
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@main
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.checkout_ref }}
+
+ - name: Install the latest AWS CLI
+ shell: sh
+ run: |
+ apk add --no-cache python3 py3-pip
+ pip3 install --upgrade pip
+ pip3 install awscli
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-region: us-east-1
+ role-to-assume: ${{ inputs.aws_role_to_assume }}
+ role-duration-seconds: 900
+
+ - name: Log in to Amazon public ECR
+ run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+ - name: Log in to GitHub registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ inputs.github_token }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+ with:
+ platforms: linux/arm64
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Build and push the image
+
uses: docker/build-push-action@v3
+ with:
+ push: true
+ context: .
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ inputs.image_tags }}
+
+ - name: Create release
+ uses: ncipollo/release-action@v1
+ if: inputs.publish_release == 'true'
+ with:
+ name: ${{ inputs.release_title }}
+ tag: ${{ inputs.git_tag }}
+ body: ${{ inputs.release_body }}
+ generateReleaseNotes: true
+ allowUpdates: true
\ No newline at end of file
diff --git a/.github/workflows/publish_future.yml b/.github/workflows/publish_future.yml
new file mode 100644
index 0000000..c5b825c
--- /dev/null
+++ b/.github/workflows/publish_future.yml
@@ -0,0 +1,32 @@
+name: Deploy future tag
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ deployment:
+ name: Build and publish future tag
+ runs-on: ubuntu-latest
+ container: docker
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
+
+ steps:
+ - name: Checkout publish workflow
+ uses: Bhacaz/checkout-files@v2
+ with:
+ files: .github/workflows/publish/action.yml
+
+ - name: Build and push future image
+ uses: ./.github/workflows/publish
+ with:
+ aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ publish_release: false
+ image_tags: |
+ ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:future
+ ghcr.io/spacelift-io/runner-terraform:future
diff --git a/.github/workflows/publish_scheduled.yml b/.github/workflows/publish_scheduled.yml
new file mode 100644
index 0000000..b963b16
--- /dev/null
+++ b/.github/workflows/publish_scheduled.yml
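Review bot: The `Log in to Amazon public ECR` step is a `run` step in a composite action with no `shell:` key; composite actions require `shell` on every `run` step (the install step above it correctly has `shell: sh`), so GitHub rejects this action file as written. Add `shell: sh` to that step, matching the install step. Beyond that, every action here is referenced by a mutable ref — `actions/checkout@main`, `aws-actions/configure-aws-credentials@v1`, `docker/login-action@v2`, `docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v3`, `ncipollo/release-action@v1` — and the same applies to `Bhacaz/checkout-files@v2` and `oprypin/find-latest-tag@v1` in publish_future.yml, publish_scheduled.yml and publish_tagged.yml; since this action holds the assumed AWS role and the `GITHUB_TOKEN` and decides what is pushed as the public image, pinning each `uses:` to a full commit SHA (version kept in a trailing comment) is the standard mitigation against a moved or compromised upstream tag, and `@main` in particular tracks an unreleased branch. `setup-buildx-action@v1` here also lags the `@v2` already used in build.yml. Lastly, `pip3 install awscli` has no version pin, so the publishing toolchain changes silently between runs; pinning it would make the job reproducible.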
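Review bot: `permissions.contents: write` is broader than this job needs: it calls the publish action with `publish_release: false`, so nothing writes back to the repository, and the deleted deploy.yml granted only `contents: read` for the same push-to-`main` build. Dropping to `contents: read` keeps the job-scoped `GITHUB_TOKEN` least-privileged while `id-token: write` and `packages: write` still cover the OIDC role assumption and the ghcr.io push. The one-line change is `contents: read`.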
@@ -0,0 +1,53 @@
+name: Scheduled publish
+
+on:
+ schedule:
+ - cron: '20 8 * * 1'
+
+jobs:
+ deployment:
+ name: Rebuild and publish the latest tagged image
+ runs-on: ubuntu-latest
+ container: docker
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
+
+ steps:
+ - name: Get latest tag
+ uses: oprypin/find-latest-tag@v1
+ id: latest-tag
+ with:
+ repository: ${{ github.repository }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set current date as env variable
+ run: echo "TODAY=$(date +'%Y%m%d')" >> $GITHUB_ENV
+
+ - name: Set nicely formatted current date as env variable
+ run: echo "TODAY_FORMATTED=$(date +'%Y-%m-%d')" >> $GITHUB_ENV
+
+ - name: Checkout publish workflow
+ uses: Bhacaz/checkout-files@v2
+ with:
+ files: .github/workflows/publish/action.yml
+
+ - name: Build and push weekly image
+ uses: ./.github/workflows/publish
+ with:
+ aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ git_tag: ${{ steps.latest-tag.outputs.tag }}
+ publish_release: true
+ release_title: ${{ steps.latest-tag.outputs.tag }} - weekly release (${{ env.TODAY_FORMATTED }})
+ release_body: |
+ ## Weekly rebuild
+ This is a weekly rebuild of the latest image (`${{ steps.latest-tag.outputs.tag }}`).
+ The image is rebuilt to ensure that it is up to date with the latest security patches.
+ checkout_ref: ${{ steps.latest-tag.outputs.tag }}
+ image_tags: |
+ ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
+ ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
+ ghcr.io/spacelift-io/runner-terraform:latest
+ ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
diff --git a/.github/workflows/publish_tagged.yml b/.github/workflows/publish_tagged.yml
new file mode 100644
index 0000000..01e124a
--- /dev/null
+++ b/.github/workflows/publish_tagged.yml
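Review bot: With `publish_release: true` and the shared action's `allowUpdates: true`, every weekly run appears to rewrite the existing GitHub Release of the latest tag — its title becomes `<tag> - weekly release (<date>)` and its body the rebuild notice — so whatever was recorded for that tag at release time is overwritten rather than preserved; if only the image rebuild is wanted, `publish_release: false` here avoids that. The README text added in this commit also says the cron job "re-runs the `main` branch", whereas this workflow checks out `steps.latest-tag.outputs.tag` and republishes `latest` from it, so one of the two should be corrected. Minor: the two `run` steps redirect into an unquoted `$GITHUB_ENV`; `>> "$GITHUB_ENV"` and `date -u` make them robust to unusual environments and give a timezone-independent date. `find-latest-tag` will presumably fail the job on a repository with no tags, which is acceptable but worth a one-line comment above the step.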
@@ -0,0 +1,43 @@
+name: Deploy tagged
+
+on:
+ push:
+ tags:
+ - v*
+
+jobs:
+ deployment:
+ name: Build and publish the newly tagged image
+ runs-on: ubuntu-latest
+ container: docker
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
+
+ steps:
+ - name: Get latest tag
+ uses: oprypin/find-latest-tag@v1
+ id: latest-tag
+ with:
+ repository: ${{ github.repository }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Checkout publish workflow
+ uses: Bhacaz/checkout-files@v2
+ with:
+ files: .github/workflows/publish/action.yml
+
+ - name: Build and push latest image
+ uses: ./.github/workflows/publish
+ with:
+ aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ git_tag: ${{ steps.latest-tag.outputs.tag }}
+ publish_release: true
+ release_title: ${{ steps.latest-tag.outputs.tag }}
+ image_tags: |
+ ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
+ ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}
+ ghcr.io/spacelift-io/runner-terraform:latest
+ ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}
\ No newline at end of file
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 69c73b3..eeb6dce 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -2,9 +2,9 @@ name: Trivy on: push: - branches: ["main", "future"] + branches: [main] pull_request: - branches: ["main", "future"] + branches: [main] schedule: - cron: "19 7 * * 0"
diff --git a/README.md b/README.md
index 2813f9a..592b099 100644
--- a/README.md
+++ b/README.md
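Review bot: The image tag and release name are taken from `steps.latest-tag.outputs.tag`, the repository's most recent tag, while the code is checked out at the tag that triggered the run (no `checkout_ref` is passed, so `actions/checkout` falls back to `github.ref`); if a tag that is not the newest is pushed — a backport or a re-pushed older tag — the image labelled with the latest tag, and `latest` itself, are built from a different revision than their name claims. Using the triggering ref directly closes that gap and removes the `Get latest tag` step: `git_tag: ${{ github.ref_name }}`, `release_title: ${{ github.ref_name }}`, and `:${{ github.ref_name }}` in the two tagged image names. The `v*` trigger also matches pre-release tags such as `v1.2.0-rc1`, which would then move `latest` and appear as a full GitHub Release; if that is not intended, tighten the pattern or make the `latest` entries conditional. Since this is the only workflow that moves `latest` on demand, a short comment above `on:` stating that would help the next maintainer.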
@@ -10,11 +10,14 @@ with ECR. ## Branch Model -This repository uses two main branches: +All changes merged to `main` branch are automatically built and pushed to the Docker repository with the `future` tag. -- `main` - contains the production version of the runner image. -- `future` - used to test development changes. +Once it is considered stable, we can release it as `latest` by creating a tag (semver) and pushing it to the +repository. Example: -Pushes to `main` deploy to the `latest` tag, whereas pushes to `future` deploy to the `future` -tag. This means that to use the development version you can use the `public.ecr.aws/spacelift/runner-terraform:future` -image. +```bash +$ git tag -a v1.1.0 -m "Release v1.1.0" +$ git push origin v1.1.0 +``` + +Note: we also have a weekly cron job that re-runs the `main` branch just to have the latest package updates. \ No newline at end of file