python-discord · ChrisLovering · Dec 20, 2022
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,44 +1,32 @@
 name: Build
 
 on:
-  workflow_run:
-    workflows: ["Lint & Test"]
-    branches:
-      - main
-    types:
-      - completed
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  workflow_call:
+    inputs:
+      sha-tag:
+        description: "A short-form SHA tag for the commit that triggered this flow"
+        required: true
+        type: string
 
 jobs:
   build:
-    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push'
     name: Build & Push
     runs-on: ubuntu-latest
 
     steps:
-      # Create a commit SHA-based tag for the container repositories
-      - name: Create SHA Container Tag
-        id: sha_tag
-        run: |
-          tag=$(cut -c 1-7 <<< $GITHUB_SHA)
-          echo "::set-output name=tag::$tag"
       - name: Checkout code
         uses: actions/checkout@v3
-
       # The current version (v2) of Docker's build-push action uses
       # buildx, which comes with BuildKit features that help us speed
       # up our builds using additional cache features. Buildx also
       # has a lot of other features that are not as relevant to us.
       #
       # See https://github.com/docker/build-push-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -48,7 +36,7 @@ jobs:
       # Repository. The container will be tagged as "latest"
       # and with the short SHA of the commit.
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           file: ./Dockerfile
@@ -57,7 +45,7 @@ jobs:
           cache-to: type=inline
           tags: |
             ghcr.io/python-discord/code-jam-management:latest
-            ghcr.io/python-discord/code-jam-management:${{ steps.sha_tag.outputs.tag }}
+            ghcr.io/python-discord/code-jam-management:${{ inputs.sha-tag }}
           build-args: |
             git_sha=${{ github.sha }}
 
@@ -67,12 +55,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      # Create a commit SHA-based tag for the container repositories
-      - name: Create SHA Container Tag
-        id: sha_tag
-        run: |
-          tag=$(cut -c 1-7 <<< $GITHUB_SHA)
-          echo "::set-output name=tag::$tag"
 
       # Check out the private "kubernetes" repository in the `kubernetes`
       # subdirectory using a GitHub Personal Access Token
@@ -82,16 +64,17 @@ jobs:
           repository: python-discord/kubernetes
           path: kubernetes
 
+      - uses: azure/setup-kubectl@v3
+
       - name: Authenticate with Kubernetes
-        uses: azure/k8s-set-context@v1
+        uses: azure/k8s-set-context@v3
         with:
           method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
+          kubeconfig: ${{ secrets.kube-config }}
 
       - name: Deploy to Kubernetes
-        uses: Azure/k8s-deploy@v1
+        uses: Azure/k8s-deploy@v4
         with:
           manifests: |
             kubernetes/namespaces/default/code-jam-management/deployment.yaml
-          images: 'ghcr.io/python-discord/code-jam-management:${{ steps.sha_tag.outputs.tag }}'
-          kubectl-version: 'latest'
+          images: 'ghcr.io/python-discord/code-jam-management:${{ inputs.sha-tag }}'
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -1,14 +1,13 @@
 name: Lint & Test
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
+  workflow_call:
+    secrets:
+      github-token:
+        required: true
+      github-event-path:
+        required: true
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
 
 jobs:
   lint:
@@ -35,17 +34,17 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install Python Dependencies
-        uses: HassanAbouelela/actions/setup-python@setup-python_v1.3.2
+        uses: HassanAbouelela/actions/setup-python@setup-python_v1.4.0
         with:
           # Set dev=true to install flake8 extensions, which are dev dependencies
           dev: true
-          python_version: '3.9'
+          python_version: "3.11"
 
       # We will not run `flake8` here, as we will use a separate flake8
       # action. As pre-commit does not support user installs, we set
       # PIP_USER=0 to not do a user install.
       - name: Run pre-commit hooks
-        run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files
+        run: SKIP=flake8 pre-commit run --all-files
 
       # Run flake8 and have it format the linting errors in the format of
       # the GitHub Workflow command to register error annotations. This
@@ -58,6 +57,7 @@ jobs:
       - name: Run flake8
         run: "flake8 \
         --format='::error file=%(path)s,line=%(row)d,col=%(col)d::[flake8] %(code)s: %(text)s'"
+
       # We run `coverage` using the `python` command so we can suppress
       # irrelevant warnings in our CI output.
       - name: Run tests and generate coverage report
@@ -73,7 +73,7 @@ jobs:
       # print a "job" link in the output of the GitHub Action
       - name: Publish coverage report to coveralls.io
         env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            GITHUB_TOKEN: ${{ secrets.github-token }}
         run: coveralls --service=github
 
       # Prepare the Pull Request Payload artifact. If this fails, we
@@ -84,7 +84,7 @@ jobs:
         id: prepare-artifact
         if: always() && github.event_name == 'pull_request'
         continue-on-error: true
-        run: cat $GITHUB_EVENT_PATH | jq '.pull_request' > pull_request_payload.json
+        run: cat ${{ secrets.github-event-path }} | jq '.pull_request' > pull_request_payload.json
 
       # This only makes sense if the previous step succeeded. To
       # get the original outcome of the previous step before the

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -0,0 +1,41 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  lint-test:
+    uses: ./.github/workflows/lint-test.yaml
+    secrets:
+      github-token: ${{ github.token }}
+      github-event-path: ${{ github.event_path }}
+
+  generate-inputs:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    outputs:
+      sha-tag: ${{ steps.sha-tag.outputs.sha-tag }}
+    steps:
+      - name: Create SHA Container Tag
+        id: sha-tag
+        run: |
+          tag=$(cut -c 1-7 <<< $GITHUB_SHA)
+          echo "sha-tag=$tag" >> $GITHUB_OUTPUT
+
+  build-deploy:
+    if: github.ref == 'refs/heads/main'
+    uses: ./.github/workflows/build.yaml
+    needs:
+      - lint
+      - generate-inputs
+    with:
+      sha-tag: ${{ needs.generate-inputs.outputs.sha-tag }}
+    secrets:
+      kube-config: ${{ secrets.KUBECONFIG }}