From b9d0a272f76696af0741b1cd59b29cbee8a234e4 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 26 Jan 2024 16:25:41 +0000 Subject: [PATCH 1/2] build test image on the forked workflow --- .github/actions/smoke-tests/action.yaml | 12 +++------ .github/workflows/ci.yml | 33 ++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index e509dcbaf9..99fe781b42 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -112,6 +112,7 @@ runs: token_format: access_token workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }} service_account: ${{ inputs.gcr-service-account-secret }} + if: github.event.pull_request.head.repo.full_name == github.repository - name: Login to GCR uses: docker/login-action@v3 @@ -119,13 +120,7 @@ runs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - - - name: Check if image exists - id: check-image - run: | - docker manifest inspect ${{ inputs.test-image }} - shell: bash - continue-on-error: true + if: github.event.pull_request.head.repo.full_name == github.repository - name: Build Test-Runner Container uses: docker/build-push-action@v3 @@ -135,8 +130,7 @@ runs: cache-from: type=gha,scope=test-runner tags: ${{ inputs.test-image }} pull: true - push: true - if: steps.check-image.outcome == 'failure' + if: github.event.pull_request.head.repo.full_name != github.repository - name: Run Smoke Tests run: | diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 95c0fc8849..2463d8d36c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
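Review bot: The `if:` added to the Authenticate step treats every run that is not a pull request as a fork. On `push`, `schedule` or `workflow_dispatch` events there is no `github.event.pull_request`, so `head.repo.full_name` evaluates to an empty value; the `==` is then false and the `!=` on the Build step is true. If this action is reached from such events, trusted runs skip GCR authentication and rebuild the image locally every time. The same expression is repeated on the Login and Build steps in the later hunks of this file and in the new `if:` and `push:` lines in ci.yml. If the intent is to gate only fork pull requests, use `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, and its negation on the build. The step this condition belongs to starts outside the hunk.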
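Review bot: With `push: true` removed and no `load: true` added, the Build Test-Runner Container step on the fork path may leave no image in the local Docker store. That happens when the builder uses the docker-container driver, and the following Run Smoke Tests step would then not find `${{ inputs.test-image }}`. Whether a buildx builder is set up earlier in this action is not visible in the hunk; if one is, add `load: true` next to `pull: true`. The Build step and the Run Smoke Tests step both extend beyond the hunk.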
@@ -320,16 +320,41 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@v2 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + if: github.event.pull_request.head.repo.full_name == github.repository + + - name: Login to GCR + uses: docker/login-action@v3 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + if: github.event.pull_request.head.repo.full_name == github.repository + + - name: Check if image exists + id: check-image + run: | + docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + shell: bash + continue-on-error: true + if: github.event.pull_request.head.repo.full_name == github.repository + - name: Build Test-Runner Container - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@v3 with: file: tests/Dockerfile context: "." cache-from: type=gha,scope=test-runner - cache-to: type=gha,scope=test-runner,mode=max - tags: test-runner:${{ github.sha }} + tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" pull: true - load: true + push: ${{ github.event.pull_request.head.repo.full_name == github.repository }} + if: ${{ steps.check-image.outcome == 'failure' || github.event.pull_request.head.repo.full_name != github.repository }} smoke-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} smoke tests From 7be2d5aeeb58f5750c4ec3c37913b41401b31232 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 26 Jan 2024 17:01:17 +0000 Subject: [PATCH 2/2] give matrix access to secrets --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) 
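Review bot: The actions in this hunk that handle registry credentials are referenced by mutable tags (`google-github-actions/auth@v2`, `docker/login-action@v3`, `docker/build-push-action@v3`), while the neighbouring Docker Buildx step is pinned to a commit SHA. The build step is also moved off its existing pin `4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` to an older major version. These steps receive the GCP access token and push to the shared `dev/test-runner` repository, so a moved tag upstream would run with those credentials. Keep `uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` on the build step and pin the two new steps the same way, e.g. `uses: google-github-actions/auth@<commit-sha> # v2` (placeholder; take the SHA from the upstream release).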
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2463d8d36c..977f5e61ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -303,6 +303,9 @@ jobs: name: Setup Matrix for Smoke Tests runs-on: ubuntu-22.04 needs: [binaries, checks] + permissions: + contents: read + id-token: write outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps:
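Review bot: `id-token: write` is granted to the whole matrix-setup job with no comment saying which step needs it, and the commit subject speaks of secrets rather than OIDC. A comment above the block would tell later maintainers why a matrix job can mint identity tokens, e.g. `# id-token: write is needed by google-github-actions/auth (workload identity federation) to reach GCR`. The job's steps lie outside this hunk, but from the previous patch it appears to be the same job that builds `tests/Dockerfile` from the checked-out branch. If so, consider moving the image build and push into a dedicated job so the permission covers only the steps that authenticate.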