-
Notifications
You must be signed in to change notification settings - Fork 2
181 lines (161 loc) · 7.14 KB
/
build-push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
name: Build & push
on:
push:
branches:
- master
- release
workflow_dispatch:
permissions:
id-token: write
contents: read
jobs:
build-deploy:
runs-on: ubuntu-20.04
strategy:
fail-fast: false
matrix:
target:
- name: "dev"
ref: "refs/heads/master"
acr-name: "radixdev"
client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e"
subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
- name: "playground"
ref: "refs/heads/release"
acr-name: "radixplayground"
client-id: "7c000a42-1edb-4491-a241-4ac77bf7dd6d"
subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
- name: "platform"
ref: "refs/heads/release"
acr-name: "radixprod"
client-id: "044f760d-aabb-4d29-a879-e774f16e3bcc"
subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
- name: "c2"
ref: "refs/heads/release"
acr-name: "radixc2prod"
client-id: "581bb747-7b9f-4e80-a843-249eafb0a5fa"
subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
steps:
- uses: actions/checkout@v4
if: matrix.target.ref == github.ref
- uses: azure/login@v2
if: matrix.target.ref == github.ref
with:
client-id: ${{matrix.target.client-id}}
tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
subscription-id: ${{matrix.target.subscription-id}}
- name: Get GitHub Public IP
if: matrix.target.ref == github.ref
id: github_public_ip
run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
- name: Add GitHub IP to ACR
if: matrix.target.ref == github.ref
id: update_firewall
run: az acr network-rule add
--name ${{matrix.target.acr-name}}
--subscription ${{matrix.target.subscription-id}}
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
- name: Wait for 2 minutes while the network rule to take effect
if: matrix.target.ref == github.ref
run: |
sleep 120
- name: Wait for Specific IP in ACR Network Rules
if: matrix.target.ref == github.ref
run: |
MAX_ATTEMPTS=10
ATTEMPT=0
TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }} --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]" --output tsv)
if [ -n "$NETWORK_RULES" ]; then
echo "IP $TARGET_IP is allowed."
break
fi
echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
ATTEMPT=$((ATTEMPT+1))
sleep 10
done
if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
exit 1
fi
- name: Get ACR Login Server
if: matrix.target.ref == github.ref
id: get-acr-login-server
run: |
echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
- name: Get ACR Access Token
if: matrix.target.ref == github.ref
id: get-acr-token
run: |
echo "Getting ACR access token"
access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
echo "::add-mask::$access_token"
echo "access_token=$access_token" >> $GITHUB_OUTPUT
- name: Log in to ACR
if: matrix.target.ref == github.ref
uses: docker/login-action@v3
with:
registry: ${{ steps.get-acr-login-server.outputs.login_server }}
username: "00000000-0000-0000-0000-000000000000"
password: ${{ steps.get-acr-token.outputs.access_token }}
- name: Set up Docker Buildx
if: matrix.target.ref == github.ref
uses: docker/setup-buildx-action@v3
- name: Build image names
if: matrix.target.ref == github.ref
id: build-image-names
run: |
echo "radix-operator-image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-operator" >> $GITHUB_OUTPUT
echo "pipeline-runner-image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-pipeline" >> $GITHUB_OUTPUT
- name: Build image tags
if: matrix.target.ref == github.ref
id: build-tags
run: |
sha=${GITHUB_SHA::8}
ts=$(date +%s)
echo "radix-operator-tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
echo "pipeline-runner-tag=${GITHUB_REF_NAME}-latest" >> $GITHUB_OUTPUT
echo "cache-radix-operator-tag=cache-radix-operator-${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
echo "cache-pipeline-runner-tag=cache-pipeline-runner-${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
- name: Extract labels from metadata for Docker
if: matrix.target.ref == github.ref
id: radix-operator-meta
uses: docker/metadata-action@v5
with:
images: ${{ steps.build-image-names.outputs.radix-operator-image-name }}
- name: Build and push radix-operator docker image
if: matrix.target.ref == github.ref
uses: docker/build-push-action@v5
with:
context: .
push: true
file: ./operator.Dockerfile
platforms: |
linux/amd64
linux/arm64
tags: "${{ steps.build-image-names.outputs.radix-operator-image-name }}:${{ steps.build-tags.outputs.radix-operator-tag }}"
labels: ${{ steps.radix-operator-meta.outputs.labels }}
cache-from: "type=registry,ref=${{ steps.build-image-names.outputs.radix-operator-image-name }}:${{ steps.build-tags.outputs.cache-radix-operator-tag }}"
cache-to: "type=registry,ref=${{ steps.build-image-names.outputs.radix-operator-image-name }}:${{ steps.build-tags.outputs.cache-radix-operator-tag }},mode=max"
- name: Build and push pipeline-runner docker image
if: matrix.target.ref == github.ref
uses: docker/build-push-action@v5
with:
context: .
push: true
file: ./pipeline.Dockerfile
platforms: |
linux/amd64
linux/arm64
tags: "${{ steps.build-image-names.outputs.pipeline-runner-image-name }}:${{ steps.build-tags.outputs.pipeline-runner-tag }}"
labels: ${{ steps.pipeline-runner-meta.outputs.labels }}
cache-from: "type=registry,ref=${{ steps.build-image-names.outputs.pipeline-runner-image-name }}:${{ steps.build-tags.outputs.cache-pipeline-runner-tag }}"
cache-to: "type=registry,ref=${{ steps.build-image-names.outputs.pipeline-runner-image-name }}:${{ steps.build-tags.outputs.cache-pipeline-runner-tag }},mode=max"
- name: Revoke GitHub IP on ACR
if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
run: az acr network-rule remove
--name ${{matrix.target.acr-name}}
--subscription ${{matrix.target.subscription-id}}
--ip-address ${{ steps.github_public_ip.outputs.ipv4 }}