schemas.yaml

# This Github Action is responsible for publishing Kubernetes schemas to an OCI registry.
# It is triggered by a push to the main branch, a weekly schedule, or a manual dispatch.
name: "Publish Kubernetes Schemas"

on:
  # Allows manually triggering the workflow from the Github Actions UI
  workflow_dispatch: {}
  # Runs the workflow weekly at midnight (UTC)
  schedule:
    - cron: "0 0 * * 0"
  push:
    branches:
      - "main"
    paths:
      - ".github/workflows/schemas.yaml"

env:
  OCI_REPO: "oci://ghcr.io/szinn/kubernetes-schemas/${{ github.event.repository.name }}"

jobs:
  publish-kubernetes-schemas:
    name: Publish Kubernetes Schemas
    runs-on: ["k8s-homelab"]
    steps:
      - name: Setup Tools
        shell: bash
        run: |
          sudo apt-get -qq update && \
          sudo apt-get -qq install --no-install-recommends -y curl

      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Kube Tools
        uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
        with:
          setup-tools: kubectl

      - name: Setup Python
        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
        with:
          python-version: "3.11"

      - name: Setup crd-extractor
        uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # v1.8
        with:
          repository: datreeio/CRDs-catalog
          latest: true
          fileName: crd-extractor.zip

      - name: Write kubeconfig
        id: kubeconfig
        uses: timheuer/base64-to-file@ca9e30baf83f7f26708fb0059af9a0973fe5f27e # v1.2
        with:
          encodedString: ${{ secrets.KUBECONFIG }}
          fileName: kubeconfig

      - name: Run crd-extractor
        env:
          KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}"
        run: |
          unzip -j $GITHUB_WORKSPACE/crd-extractor.zip -d $GITHUB_WORKSPACE
          bash "$GITHUB_WORKSPACE"/crd-extractor.sh

      - name: Login to GHCR
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish schemas as OCI
        run: |
          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
              --path="/home/runner/.datree/crdSchemas" \
              --source="${{ github.repositoryUrl }}" \
              --revision="main"

  publish-kubernetes-schemas-web:
    runs-on: ubuntu-latest
    needs: ["publish-kubernetes-schemas"]
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Login to GHCR
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull schemas as OCI
        run: |
          mkdir -p /home/runner/crdSchemas
          flux pull artifact $OCI_REPO:$(git rev-parse --short HEAD) --output /home/runner/crdSchemas

      - name: Write nginx-unprivileged Dockerfile
        run: |
          cat <<EOF > /home/runner/crdSchemas/Dockerfile
          FROM docker.io/nginxinc/nginx-unprivileged:latest
          COPY --chown=nginx:nginx --chmod=755 . /usr/share/nginx/html
          USER nginx
          EOF

      - name: Publish schemas as web container
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: /home/runner/crdSchemas
          platforms: linux/amd64,linux/arm64
          file: /home/runner/crdSchemas/Dockerfile
          push: true
          tags: |
            ghcr.io/szinn/kubernetes-schemas-web:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: |
            org.opencontainers.image.source="${{ github.repositoryUrl }}"
            org.opencontainers.image.authors="Scotte Zinn <szinn@users.noreply.github.com>"