diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index c4c1561..39948e3 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -1,52 +1,157 @@
-name: radix-image-builder-build
+name: Build & push
on:
push:
branches:
- - master
- - release
- - playground
+ - master
+ - release
+ workflow_dispatch:
permissions:
id-token: write
+ contents: read
+
jobs:
- get-target-configs:
- name: Get target configs for branch
- outputs:
- target_configs: ${{ steps.get-target-configs.outputs.target_configs }}
- runs-on: ubuntu-20.04
- steps:
- - uses: actions/checkout@v2
- - name: Get target configs
- id: get-target-configs
- run: |
- configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]')
- echo ::set-output name=target_configs::${configs}
-
- build-deploy-image:
- name: Build & push
+ build-deploy:
runs-on: ubuntu-20.04
- needs:
- - get-target-configs
strategy:
fail-fast: false
- matrix:
- config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }}
+ matrix:
+ target:
+ - name: "dev"
+ ref: "refs/heads/master"
+ acr-name: "radixdev"
+ client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e"
+ subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+ - name: "playground"
+ ref: "refs/heads/release"
+ acr-name: "radixplayground"
+ client-id: "7c000a42-1edb-4491-a241-4ac77bf7dd6d"
+ subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+ - name: "platform"
+ ref: "refs/heads/release"
+ acr-name: "radixprod"
+ client-id: "044f760d-aabb-4d29-a879-e774f16e3bcc"
+ subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
+ - name: "c2"
+ ref: "refs/heads/release"
+ acr-name: "radixc2prod"
+ client-id: "581bb747-7b9f-4e80-a843-249eafb0a5fa"
+ subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
steps:
- - uses: actions/checkout@v2
- - name: Persist environment from ${{ matrix.config }} across steps
+ - uses: actions/checkout@v4
+ if: matrix.target.ref == github.ref
+
+ - uses: azure/login@v2
+ if: matrix.target.ref == github.ref
+ with:
+ client-id: ${{matrix.target.client-id}}
+ tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription-id: ${{matrix.target.subscription-id}}
+
+ - name: Get GitHub Public IP
+ if: matrix.target.ref == github.ref
+ id: github_public_ip
+ run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+ - name: Add GitHub IP to ACR
+ if: matrix.target.ref == github.ref
+ id: update_firewall
+ run: az acr network-rule add
+ --name ${{matrix.target.acr-name}}
+ --subscription ${{matrix.target.subscription-id}}
+ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
+ - name: Wait for 2 minutes while the network rule to take effect
+ if: matrix.target.ref == github.ref
+ run: |
+ sleep 120
+
+ - name: Wait for Specific IP in ACR Network Rules
+ if: matrix.target.ref == github.ref
run: |
- env_vars_from_cfg=`env -i GITHUB_WORKSPACE=$GITHUB_WORKSPACE /bin/bash -c "set -a && source $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME}/${{ matrix.config }} && printenv"`
- for env_var in $env_vars_from_cfg
- do
- echo $env_var >> $GITHUB_ENV
+ MAX_ATTEMPTS=10
+ ATTEMPT=0
+ TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
+ echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
+ while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
+ NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }} --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]" --output tsv)
+ if [ -n "$NETWORK_RULES" ]; then
+ echo "IP $TARGET_IP is allowed."
+ break
+ fi
+ echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
+ ATTEMPT=$((ATTEMPT+1))
+ sleep 10
done
+ if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+ echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
+ exit 1
+ fi
+
+ - name: Get ACR Login Server
+ if: matrix.target.ref == github.ref
+ id: get-acr-login-server
+ run: |
+ echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
- - uses: azure/login@v1
+ - name: Get ACR Access Token
+ if: matrix.target.ref == github.ref
+ id: get-acr-token
+ run: |
+ echo "Getting ACR access token"
+ access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
+ echo "::add-mask::$access_token"
+ echo "access_token=$access_token" >> $GITHUB_OUTPUT
+
+ - name: Log in to ACR
+ if: matrix.target.ref == github.ref
+ uses: docker/login-action@v3
with:
- client-id: ${{ env.AZURE_CLIENT_ID }}
- tenant-id: ${{ env.AZURE_TENANT_ID }}
- subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-
- - name: Build image
+ registry: ${{ steps.get-acr-login-server.outputs.login_server }}
+ username: "00000000-0000-0000-0000-000000000000"
+ password: ${{ steps.get-acr-token.outputs.access_token }}
+
+ - name: Set up Docker Buildx
+ if: matrix.target.ref == github.ref
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build an image name
+ if: matrix.target.ref == github.ref
+ id: build-image-name
run: |
- $GITHUB_WORKSPACE/.github/workflows/scripts/build-push.sh
+ echo "image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-image-builder" >> $GITHUB_OUTPUT
+
+ - name: Build an image tag
+ if: matrix.target.ref == github.ref
+ id: build-tag
+ run: |
+ echo "tag=${GITHUB_REF_NAME}-latest" >> $GITHUB_OUTPUT
+
+ - name: Extract labels from metadata for Docker
+ if: matrix.target.ref == github.ref
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ steps.build-image-name.outputs.image-name }}
+
+ - name: Build and push Docker image
+ if: matrix.target.ref == github.ref
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ platforms: |
+ linux/amd64
+ linux/arm64
+ tags: "${{ steps.build-image-name.outputs.image-name }}:${{ steps.build-tag.outputs.tag }}"
+ labels: ${{ steps.meta.outputs.labels }}
+ - name: Revoke GitHub IP on ACR
+ if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+ run: az acr network-rule remove
+ --name ${{matrix.target.acr-name}}
+ --subscription ${{matrix.target.subscription-id}}
+ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
diff --git a/.github/workflows/config/common.cfg b/.github/workflows/config/common.cfg
deleted file mode 100644
index ad85886..0000000
--- a/.github/workflows/config/common.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-AZURE_TENANT_ID=3aa4a235-b6e2-48d5-9195-7fcf05b459b0
-IMAGE_NAME=radix-image-builder
\ No newline at end of file
diff --git a/.github/workflows/config/master/dev.cfg b/.github/workflows/config/master/dev.cfg
deleted file mode 100644
index 4546f98..0000000
--- a/.github/workflows/config/master/dev.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-ACR_NAME=radixdev
-AZURE_CLIENT_ID=6e96429a-3ad5-40ee-b961-6de864d878fc
-AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b
\ No newline at end of file
diff --git a/.github/workflows/config/playground/playground.cfg b/.github/workflows/config/playground/playground.cfg
deleted file mode 100644
index 4126980..0000000
--- a/.github/workflows/config/playground/playground.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-ACR_NAME=radixdev
-AZURE_CLIENT_ID=bc7934db-95bc-40b0-b9b8-c0944b0f6937
-AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b
\ No newline at end of file
diff --git a/.github/workflows/config/release/c2.cfg b/.github/workflows/config/release/c2.cfg
deleted file mode 100644
index d701254..0000000
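Review bot: The address that `curl 'https://ifconfig.me/ip'` returns in the "Get GitHub Public IP" step is written to `$GITHUB_OUTPUT` without any validation and then interpolated straight into `run:` scripts via `${{ steps.github_public_ip.outputs.ipv4 }}` in the "Add GitHub IP to ACR", "Wait for Specific IP" and "Revoke GitHub IP" steps; `curl` runs without `-f`, so an HTTP error body or any other non-IP response lands on the `az` command line and inside the JMESPath query, and whatever it contains is what gets added to the registry allow-list. Fail the step unless the response is a well-formed IPv4 literal, and have the later steps read it from an `env:` entry instead of an inline expression. Separately, the revoke step's `!cancelled()` guard (despite the comment saying it should always run) means a cancelled run leaves the runner IP allowed on the `radixprod` and `radixc2prod` registries; `always()` combined with the existing `outcome == 'success'` check removes the rule in that case too. Finally, every third-party action is pinned to a floating major tag (`actions/checkout@v4`, `azure/login@v2`, `docker/build-push-action@v5`, …) in a job that holds a federated credential for the production subscription, so pinning them to full commit SHAs is the usual supply-chain hardening here.
```yaml
      - name: Get GitHub Public IP
        if: matrix.target.ref == github.ref
        id: github_public_ip
        run: |
          ip=$(curl -fsS 'https://ifconfig.me/ip')
          # Only a bare IPv4 literal may reach the ACR firewall commands below.
          if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
            echo "unexpected response from IP lookup: '$ip'" >&2
            exit 1
          fi
          echo "ipv4=$ip" >> "$GITHUB_OUTPUT"

      - name: Add GitHub IP to ACR
        if: matrix.target.ref == github.ref
        id: update_firewall
        env:
          RUNNER_IP: ${{ steps.github_public_ip.outputs.ipv4 }}
        run: >-
          az acr network-rule add
          --name ${{ matrix.target.acr-name }}
          --subscription ${{ matrix.target.subscription-id }}
          --ip-address "$RUNNER_IP"

      # … unchanged: wait for rule, ACR login, buildx, build and push …

      - name: Revoke GitHub IP on ACR
        # always(): also clean up when the run is cancelled, not only on success/failure.
        if: ${{ always() && matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' }}
        env:
          RUNNER_IP: ${{ steps.github_public_ip.outputs.ipv4 }}
        run: >-
          az acr network-rule remove
          --name ${{ matrix.target.acr-name }}
          --subscription ${{ matrix.target.subscription-id }}
          --ip-address "$RUNNER_IP"
```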
--- a/.github/workflows/config/release/c2.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-ACR_NAME=radixc2prod
-AZURE_CLIENT_ID=9304412c-98e6-414c-bde4-c5d5047add70
-AZURE_SUBSCRIPTION_ID=ded7ca41-37c8-4085-862f-b11d21ab341a
\ No newline at end of file
diff --git a/.github/workflows/config/release/playground.cfg b/.github/workflows/config/release/playground.cfg
deleted file mode 100644
index 4546f98..0000000
--- a/.github/workflows/config/release/playground.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-ACR_NAME=radixdev
-AZURE_CLIENT_ID=6e96429a-3ad5-40ee-b961-6de864d878fc
-AZURE_SUBSCRIPTION_ID=16ede44b-1f74-40a5-b428-46cca9a5741b
\ No newline at end of file
diff --git a/.github/workflows/config/release/prod.cfg b/.github/workflows/config/release/prod.cfg
deleted file mode 100644
index d47bb9e..0000000
--- a/.github/workflows/config/release/prod.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-source $GITHUB_WORKSPACE/.github/workflows/config/common.cfg
-ACR_NAME=radixprod
-AZURE_CLIENT_ID=9304412c-98e6-414c-bde4-c5d5047add70
-AZURE_SUBSCRIPTION_ID=ded7ca41-37c8-4085-862f-b11d21ab341a
\ No newline at end of file
diff --git a/.github/workflows/scripts/build-push.sh b/.github/workflows/scripts/build-push.sh
deleted file mode 100755
index 445fdda..0000000
--- a/.github/workflows/scripts/build-push.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-image_tag=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${GITHUB_REF_NAME}-latest
-az acr task run \
- --subscription ${AZURE_SUBSCRIPTION_ID} \
- --name radix-image-builder-internal \
- --registry ${ACR_NAME} \
- --context ${GITHUB_WORKSPACE} \
- --file ${GITHUB_WORKSPACE}/Dockerfile \
- --set DOCKER_REGISTRY=${ACR_NAME} \
- --set BRANCH=${GITHUB_REF_NAME} \
- --set TAGS="--tag ${image_tag}" \
- --set DOCKER_FILE_NAME=Dockerfile \
- --set PUSH="--push" \
- --set REPOSITORY_NAME=${IMAGE_NAME} \
- --set CACHE="" \
- --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 116f6ee..28579c0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
.PHONY: test build run-test-image
build:
- docker build -t radixdev.azurecr.io/radix-image-builder:dev .
+ docker buildx build --platform linux/arm64 -t radixdev.azurecr.io/radix-image-builder:dev .
test:
rm -f ./test/credentials.json
@@ -24,3 +24,5 @@ push-dev:
run-test-image:
docker run radixdev.azurecr.io/radix-image-builder-test:1
+
+deploy: build push-dev
\ No newline at end of file
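Review bot: The new `deploy` target, and the `push-dev` target it depends on, are not declared in `.PHONY: test build run-test-image` at the top of the file, so a file or directory named `deploy` or `push-dev` in the repo root would make `make deploy` report "up to date" and push nothing; extend the declaration to `.PHONY: test build run-test-image push-dev deploy`. The local `build` target now builds `linux/arm64` only, while the workflow in this same commit pushes a `linux/amd64` + `linux/arm64` manifest, so what `deploy` publishes to `radixdev` is narrower than what CI publishes — if that is intentional, a one-line comment on `build` saying so would save the next reader a trip to the workflow. The file also still ends without a trailing newline.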