ci(rh-shield-operator): enhance operator release pipeline #2068

Open
wants to merge 3 commits into
base: main
Changes from 1 commit
137 changes: 123 additions & 14 deletions .github/workflows/release-rh-shield-operator.yaml
@@ -1,18 +1,34 @@
name: Release the Shield Operator
name: Build and Push the Shield Operator

on:
workflow_dispatch:
inputs:
release_version:
description: 'The version of the operator to release'
required: true
type: string

env:
IMAGE_TAG_BASE: quay.io/sysdig/rh-shield-operator

jobs:
build-and-push:
name: Build and Push the Operator Images
determine-operator-version:
name: Get the Operator Version from the Makefile
runs-on: ubuntu-latest
outputs:
release_version: ${{ steps.get-operator-version.outputs.release_version }}
steps:
- name: Checkout
- name: Checkout charts repo
uses: actions/checkout@v4
with:
fetch-depth: '1'

- name: Get Operator Version
id: get-operator-version
run: |
echo "::set-output name=release_version::$(awk "/^VERSION/ {print $3}" Makefile)"
working-directory: rh-shield-operator

build-operator:
name: Build the Operator Image
runs-on: ubuntu-latest
steps:
- name: Checkout charts repo
uses: actions/checkout@v4
with:
fetch-depth: '1'
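Review bot: the `Get Operator Version` step does not produce the value the rest of the pipeline depends on. The awk program is wrapped in double quotes, so the shell expands `$3` before awk sees it (inside a `run` script that is an empty string), leaving `{print }` and emitting the whole `VERSION ...` line rather than its third field; use single quotes: `awk '/^VERSION/ {print $3}' Makefile`. In addition, `::set-output` is deprecated in favour of the `$GITHUB_OUTPUT` file, which the reviewer's own suggestion further down already uses, so the line should become `echo "release_version=$(awk '/^VERSION/ {print $3}' Makefile)" >> "$GITHUB_OUTPUT"`. Since this string ends up as an image tag and in the certification submission, it is worth failing the step here when it is empty or does not look like a version, instead of letting an empty tag propagate into the later jobs.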
Expand All @@ -24,10 +40,103 @@ jobs:
username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }}
password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }}

- name: Build and Push Operator and Bundle Images
env:
IMAGE_TAG_BASE: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_IMAGE_TAG_BASE }}
VERSION: ${{ github.event.inputs.release_version }}
- name: Build and Push Operator Image
id: build-operator
run: |
make docker-build docker-push bundle-build bundle-push
make docker-build docker-push
working-directory: rh-shield-operator

build-operator-bundle:
name: Build the Operator Bundle
runs-on: ubuntu-latest
needs:
- build-operator
- determine-operator-version
steps:
- name: Make Operator Bundle
# 'make bundle' uses the live image from the registry to generate the image digest
# so this step must be after the image is pushed to the registry
run: |
USE_IMAGE_DIGESTS=true make bundle

- name: Set Labels and Annotations required for Certification on the Bundle
uses: mikefarah/yq@v4
with:
cmd: |
yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' manifests/rh-shield-operator.clusterserviceversion.yaml
yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' metadata/annotations.yaml
yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' manifests/rh-shield-operator.clusterserviceversion.yaml
yq e -i '.metadata.annotations += {
"features.operators.openshift.io/cnf": "false",
"features.operators.openshift.io/cni": "false",
"features.operators.openshift.io/csi": "false",
"features.operators.openshift.io/disconnected": "false",
"features.operators.openshift.io/fips-compliant": "false",
"features.operators.openshift.io/proxy-aware": "false",
"features.operators.openshift.io/tls-profiles": "false",
"features.operators.openshift.io/token-auth-aws": "false",
"features.operators.openshift.io/token-auth-azure": "false",
"features.operators.openshift.io/token-auth-gcp": "false"
}' manifests/rh-shield-operator.clusterserviceversion.yaml
yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' metadata/annotations.yaml

- name: Open Pull Request for Bundle update
uses: peter-evans/[email protected]
id: open-pr
with:
token: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}
commit-message: |
"chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}"
title: |
"chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}"
body: |
This is an automated pull request that is generated as a part of the rh-shield-operator release pipeline.
The changes here update the bundle metadata using the newly published Operator image to generate the
image checksum, as well as adjusting some metadata that is required for certification.

- name: Wait for PR to be merged
shell: bash
run: |
echo "Waiting for PR ${{ steps.open-pr.outputs.pull-request-url }} to be merged..."

PR_STATUS=$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)

timeout 2h bash -c 'until [[ "$PR_STATUS" == "MERGED" ]]; do
echo "PR not merged yet, waiting 10s..."
sleep 10
PR_STATUS="$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)"
done'

if [[ "$PR_STATUS" != "MERGED" ]]; then
echo "PR was not merged in time. Check ${{ steps.open-pr.outputs.pull-request-url }} for more information."
exit 1
else
echo "PR was merged!"
fi

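Review bot: the `build-operator-bundle` job cannot run as written, because it has no `actions/checkout` step and the `Make Operator Bundle` step has no `working-directory: rh-shield-operator`, unlike the steps of `build-operator`; a fresh runner has no Makefile to invoke, and the `manifests/...` and `metadata/...` paths passed to yq likewise need to point into the generated bundle directory of that checkout. Second, `${{ steps.determine-operator-version.outputs.release_version }}` in `commit-message` and `title` refers to a step id that does not exist in this job; outputs of another job are read as `${{ needs.determine-operator-version.outputs.release_version }}`, so as written the PR title will read `rh-shield-operator:v` with nothing after it. Third, the `Wait for PR to be merged` loop does not do what its final `if` assumes: `PR_STATUS` is set in the outer shell but the polling happens inside `timeout 2h bash -c '...'`, a child process whose updates to `PR_STATUS` never reach the parent, so after a successful wait the outer check still sees the initial state and exits 1, while on expiry `timeout` returns 124 and the `-e` set by `shell: bash` aborts the step before the diagnostic message prints; poll in the current shell against a deadline (or re-query `gh pr view` once after `timeout` returns and branch on its exit code), and give the step `GH_TOKEN` in its `env:` since `gh` will not authenticate without it. On the yq step, `.metadata.name` on `metadata/annotations.yaml` addresses a path that file does not have (the later line correctly treats it as top-level `.annotations`), so that substitution is probably meant for the package-name annotation. Finally, `TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN` is only needed to push a branch and open a PR; a token limited to `contents: write` and `pull-requests: write` on this repository is enough for that and keeps an admin-scoped credential out of a workflow that also handles registry and certification secrets.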
@mavimo mavimo Dec 4, 2024

What about using:

gh pr checks --watch  --json state ${{ steps.open-pr.outputs.pull-request-url }}
sleep 10
PR_STATUS="$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)"
echo "pr_status=$PR_STATUS" >> "$GITHUB_OUTPUT"

and then use another if condition in other steps to decide what is expected to happen?

steps:
    - name: validate PR
      id: validate-pr
      # ...
    - name: Build and Push Bundle Image
      if: ${{ contains(steps.validate-pr.outputs.pr_status, 'MERGED') }}
      # ...

Collaborator Author


Maybe I'm not understanding correctly (😅), but the gh pr checks command seems to return as soon as the PR checks have completed and not when the PR is merged. The need here is to wait until the merge has been completed so we do not build and push a bundle image that is based on content that hasn't actually been committed yet.

- name: Build and Push Bundle Image
run: |
make bundle-build bundle-push
working-directory: rh-shield-operator

certify-operator-image:
name: Certify the Operator Image with Preflight
runs-on: ubuntu-latest
needs:
- build-operator
- determine-operator-version
steps:
- name: Install Preflight
uses: redhat-actions/openshift-tools-installer@v1
with:
source: "github"
preflight: "latest"
github_pat: ${{ secrets.GITHUB_TOKEN }}

- name: Run Preflight checks
run: |
preflight check container \
--pyxis-api-token=${{ secrets.RH_SHIELD_OPERATOR_PYXIS_API_TOKEN }} \
--certification-project-id=${{ secrets.RH_SHIELD_OPERATOR_CERTIFICATION_PROJECT_ID }} \
--submit \
${{ env.IMAGE_TAG_BASE }}:${{ steps.determine-operator-version.outputs.release_version }}
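Review bot: the `Run Preflight checks` step uses `${{ steps.determine-operator-version.outputs.release_version }}`, which evaluates to an empty string because `determine-operator-version` is a job, not a step in this job; with `needs.determine-operator-version.outputs.release_version` it resolves, whereas as written the image reference becomes `quay.io/sysdig/rh-shield-operator:` and preflight fails before checking anything. The Pyxis token and certification project id are passed as command-line arguments (`--pyxis-api-token=...`, `--certification-project-id=...`), which exposes them in the process argument list of the runner; preflight reads every flag from a `PFLT_`-prefixed environment variable, so set `PFLT_PYXIS_API_TOKEN` and `PFLT_CERTIFICATION_PROJECT_ID` in the step's `env:` and drop the two flags. Note also that `certify-operator-image` runs `--submit` concurrently with `build-operator-bundle`, so results are submitted to the certification project before the bundle PR has been reviewed or merged; if that ordering is intended it deserves a comment like the one on `Make Operator Bundle`, otherwise add `build-operator-bundle` to this job's `needs`. The `Build and Push Bundle Image` step above belongs to the same job that lacks a checkout, so it inherits that problem and should be fixed together with it.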