
GitHub actions

Scott Ganyo edited this page May 11, 2023 · 8 revisions

Use Registry GitHub actions in workflows

The following GitHub actions are unpublished, but available directly from the registry repository.

setup-registry

The setup-registry action ensures the registry CLI is locally installed and configured for further workflow actions. For example, a setup to access a Registry hosted on Google Cloud might look like this:

    - name: Installs and configures Registry CLI
      uses: apigee/registry/.github/actions/setup-registry@main
      with:
        name: cloud
        project: ${{ env.GOOGLE_CLOUD_PROJECT }}
        address: apigeeregistry.googleapis.com:443
        token-source: gcloud auth print-access-token
        insecure: false

Once set up, most registry CLI commands can be run as steps, like so:

    - run: registry apply -f entity.yaml

registry-check

As checking a registry for conformance is more involved than simply running registry check, we provide a registry-check action that allows for not only running a set of rules, but also formatting and interpreting the results.

      - name: Check project and fail workflow if WARNING or ERROR
        uses: apigee/registry/.github/actions/registry-check@main
        with:
          pattern: projects/test
          error-level: WARNING

Example workflow

Here's an example of a full-featured workflow that pulls everything together. It performs the following:

  1. Create a local Registry for the workflow
  2. Set up the CLI to access the local Registry
  3. Apply some yaml to the local Registry
  4. Run registry check on the local Registry
  5. Only if registry check succeeds, the workflow continues...
  6. Set up the CLI to access a cloud Registry
  7. Apply the yaml to the cloud Registry

Note: The following example uses GCP Workload Identity Federation with GitHub OIDC. See Enabling keyless authentication from GitHub Actions for an overview of this setup, and the GitHub reference Configuring OpenID Connect in Google Cloud Platform for detailed security attributes.

on: [push, pull_request]

jobs:
  test-check-and-apply:
    name: Test entity.yaml locally and conditionally apply it to the cloud.
    runs-on: ubuntu-latest

    env:
      registry-yaml: entity.yaml
      workload_identity_provider: "projects/test/locations/global/workloadIdentityPools/github/providers/github"
      service_account: "serviceaccount@test.iam.gserviceaccount.com"

    permissions:
      id-token: write # required for requesting the JWT
      contents: read # required for actions/checkout

    services:
      local-registry: # will use a local SQLite3 instance
        image: ghcr.io/apigee/registry-server:main
        env:
          REGISTRY_LOGGING_LEVEL: debug
        ports:
          - 8080:8080

    steps:
      - uses: actions/checkout@v3
      - name: Configure a local Registry
        uses: apigee/registry/.github/actions/setup-registry@main
        with:
          name: local
          address: localhost:8080
          insecure: true
          project: test
      - name: Create a project on local Registry
        run: registry rpc admin create-project --project_id test
      - name: Apply yaml to the local Registry
        run: registry apply -f ${{ env.registry-yaml }}
      - name: Run check on the local Registry, stop if WARNING or above
        uses: apigee/registry/.github/actions/registry-check@main
        with:
          pattern: projects/test
          error-level: WARNING

      # No WARNINGS or ERRORS on local Registry check, continuing on...
      - name: Set up Google Cloud auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ env.workload_identity_provider }}
          service_account: ${{ env.service_account }}
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v1
      - uses: apigee/registry/.github/actions/setup-registry@main
        with:
          name: cloud
          project: ${{ env.GCP_PROJECT }} # set by setup-gcloud action
          address: apigeeregistry.googleapis.com:443
          insecure: false
          token-source: gcloud auth print-access-token
      - name: Apply API to cloud registry
        run: registry apply -f ${{ env.registry-yaml }}
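
The workflow above references every action by a branch or tag (`@main`, `@v1`, `@v3`), which can be repointed after review, while the job holds `id-token: write`. The following is an added example, not part of the Registry project: a Python check that lists the `uses:` references in a workflow and flags any not pinned to a full commit SHA. The function names and the sample text are constructed for illustration, and the SHA in the sample is a placeholder.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a workflow step, ignoring trailing comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_action_refs(workflow_text):
    """Return (line_no, action, ref, kind) for every `uses:` reference.

    kind is "sha" for a full 40-hex commit SHA, otherwise "mutable"
    (a branch or tag name that can be repointed after review).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
        findings.append((line_no, action, ref, kind))
    return findings


def unpinned(workflow_text):
    """Only the references to pin before the job is trusted with id-token: write."""
    return [f for f in audit_action_refs(workflow_text) if f[3] == "mutable"]


# Constructed sample: `uses:` lines taken from the workflow on this page, plus one
# SHA-pinned line whose repository name and hash are made-up placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@v3
  - name: Configure a local Registry
    uses: apigee/registry/.github/actions/setup-registry@main
  - uses: google-github-actions/auth@v1
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_action_refs(SAMPLE):
        print(f"line {line_no}: {action}@{ref} -> {kind}")
```

Run it over the files in `.github/workflows/` as a pre-merge check and fail the build when `unpinned()` returns anything.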