This repository has been archived by the owner on Jun 4, 2024. It is now read-only.
add archive notice (#1073) #251
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build release | |
on: | |
workflow_dispatch: | |
inputs: | |
artifact-tag: | |
description: "The tag associated with the artifact to deploy (eg. v1.2.3)." | |
type: string | |
required: true | |
# This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run | |
workflow-tag: | |
description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID." | |
type: string | |
required: false | |
pull_request: | |
branches: | |
- master | |
push: | |
tags: | |
- "v*" | |
branches: | |
- master | |
concurrency: | |
group: "Limit to one build at a time for ref ${{ inputs.artifact-tag || github.head_ref || github.ref }}" | |
cancel-in-progress: true | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
outputs: | |
gitref: ${{ steps.set-gitref.outputs.gitref }} | |
environment: ${{ steps.set-variables.outputs.environment }} | |
version: ${{ steps.set-variables.outputs.version }} | |
steps: | |
# TODO this really needs to move to shared workflows. This is the ~fourth place | |
# that this logic has been used. | |
- name: Determine git ref | |
id: set-gitref | |
env: | |
REF_VALUE: ${{ inputs.artifact-tag || github.head_ref || github.ref }} | |
run: | | |
# If a workflow dispatche triggered the run | |
if [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then | |
# REF_VALUE = inputs.artifact-tag, tag name | |
echo "gitref=refs/tags/$REF_VALUE" >> "$GITHUB_OUTPUT" | |
exit 0 | |
fi | |
# If a push triggered the run | |
if [ "$GITHUB_EVENT_NAME" == "push" ]; then | |
# REF_VALUE = github.ref (fully formed) | |
echo "gitref=$REF_VALUE" >> "$GITHUB_OUTPUT" | |
exit 0 | |
fi | |
# Otherwise, ref must be a branch | |
# REF_VALUE = github.head_ref, branch name | |
echo "gitref=refs/heads/$REF_VALUE" >> "$GITHUB_OUTPUT" | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ steps.set-gitref.outputs.gitref }} | |
- name: Set environment output values | |
id: set-variables | |
env: | |
INPUT_VERSION: ${{ inputs.artifact-tag }} | |
SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ | |
run: | | |
generate_version() { | |
# Example: v1.2.3-gen.4+g5678abcd | |
# If HEAD is tagged (and matches the format) then the output will be just the tag (no commit count or hash) | |
git describe --tags --match "v[[:digit:]]*.[[:digit:]]*.[[:digit:]]" | sed 's/\(.*\)-\(.*\)-\(.*\)/\1-gen.\2+\3/' | |
} | |
get_output_vars() { | |
case "$GITHUB_EVENT_NAME" in | |
"workflow_dispatch") | |
# Case: workflow dispatch event. Pull most vars from inputs. | |
echo "environment=build-stage" | |
echo "version=$INPUT_VERSION" | |
;; | |
"pull_request") | |
echo "environment=build-stage" | |
echo "version=$(generate_version)" | |
;; | |
"push") | |
# Case: commit push event. | |
if [ "$GITHUB_REF_TYPE" != "tag" ]; then | |
echo "environment=build-stage" | |
echo "version=$(generate_version)" | |
return | |
fi | |
# Case: tag event with prerelease version. | |
if [ "${GITHUB_REF_NAME#*-}" != "$GITHUB_REF_NAME" ]; then | |
echo "environment=build-stage" | |
echo "version=$GITHUB_REF_NAME" | |
return | |
fi | |
# Case: tag event with release version. Only this | |
# should go to prod. | |
echo "environment=build-prod" | |
echo "version=$GITHUB_REF_NAME" | |
;; | |
*) | |
>&2 echo "Unknown GHA event $GITHUB_EVENT_NAME, failing" | |
exit 1 | |
;; | |
esac | |
} | |
# ********************************************** | |
# WARNING: the $GITHUB_OUTPUT file is sourced | |
# by the shell below. Multiline comments will | |
# break parsing and cause a build failure. For | |
# details, see | |
# https://github.com/gravitational/teleport-plugins/pull/983#discussion_r1477745917 | |
# ********************************************** | |
get_output_vars >> "$GITHUB_OUTPUT" | |
# Validate the semver | |
. "$GITHUB_OUTPUT" # Load the variables into the current environment | |
echo "$version" | grep -qP "$SEMVER_REGEX" || { echo "The artifact version $version is not a valid semver-coerced value"; exit 1; } | |
# Log the build details | |
echo "Built config:" | tee -a "$GITHUB_STEP_SUMMARY" | |
sed 's/^/* /' "$GITHUB_OUTPUT" | tee -a "$GITHUB_STEP_SUMMARY" | |
- name: ${{ inputs.workflow-tag }} | |
if: inputs.workflow-tag != '' | |
run: | | |
# Do nothing | |
# Each section here could be split out into a separate job, at the cost of slightly increased complexity. | |
# This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the | |
# tradeoff. | |
build-plugins: | |
needs: setup | |
runs-on: ubuntu-22.04-32core | |
environment: ${{ needs.setup.outputs.environment }} | |
permissions: | |
contents: read | |
id-token: write | |
env: | |
ARTIFACT_DIRECTORY: /tmp/build | |
steps: | |
# Setup | |
- name: Enable performance telemetry/metrics | |
uses: catchpoint/workflow-telemetry-action@v2 | |
with: | |
comment_on_pr: false | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ needs.setup.outputs.gitref }} | |
fetch-depth: 0 # This is required by some of the commands in the makefiles | |
- name: Setup Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "./go.mod" | |
check-latest: true | |
- name: Set environment variables for Makefiles | |
env: | |
VERSION_TAG: ${{ needs.setup.outputs.version }} | |
run: | | |
{ | |
echo "VERSION=${VERSION_TAG##v}" | |
echo "GITREF=$VERSION_TAG" | |
} >> "$GITHUB_ENV" | |
# File artifacts | |
- name: Build the release tarballs | |
run: | | |
# Download Go dependencies | |
go mod download | |
# Build Binaries | |
make releases | |
# Build Helm charts | |
make helm-package-charts | |
# Terraform provider and event handler, as appropriate | |
go install github.com/konoui/lipo@latest # At some point this should be merged into the buildbox | |
make OS=linux ARCH=amd64 release/terraform release/event-handler | |
make OS=linux ARCH=arm64 release/terraform | |
make OS=darwin ARCH=amd64 release/terraform release/event-handler | |
make OS=darwin ARCH=arm64 release/terraform | |
make OS=darwin ARCH=universal release/terraform | |
- name: Collect the build files | |
run: | | |
mkdir -pv "$ARTIFACT_DIRECTORY" | |
find . \( -name '*.tar.gz' -o -name '*.tgz' \) -type f -exec cp {} "$ARTIFACT_DIRECTORY" \; | |
- name: Generate checksum files for built files | |
working-directory: ${{ env.ARTIFACT_DIRECTORY }} | |
run: | | |
shopt -s nullglob | |
for tarball in *.tar.gz *.tgz; do | |
sha256sum "$(basename "$tarball")" > "${tarball}.sha256" | |
done | |
echo "Artifacts:" | |
ls -lh | |
- name: Assume AWS role for uploading the artifacts | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
role-skip-session-tagging: true | |
aws-region: us-west-2 | |
role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }} | |
role-session-name: "tag-build-artifact-upload-${{ github.run_attempt }}" | |
role-duration-seconds: 900 | |
- name: Upload artifacts to S3 | |
working-directory: ${{ env.ARTIFACT_DIRECTORY }} | |
env: | |
PENDING_BUCKET: ${{ vars.PENDING_BUCKET }} | |
ARTIFACT_VERSION: ${{ needs.setup.outputs.version }} | |
run: aws s3 cp . "s3://$PENDING_BUCKET/teleport-plugins/tag/$ARTIFACT_VERSION/" --recursive | |
# Container artifacts | |
- name: Assume AWS role for pushing the container images | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
role-skip-session-tagging: true | |
aws-region: us-west-2 | |
role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }} | |
role-session-name: "tag-build-container-image-upload-${{ github.run_attempt }}" | |
role-duration-seconds: 900 | |
- name: Authenticate with ECR | |
env: | |
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} | |
run: | | |
aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY" | |
- name: Build and push the container images | |
env: | |
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }} | |
run: | | |
# Access plugins and event handler | |
make DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" \ | |
docker-push-access-all docker-push-event-handler |