add GHA for trino tests

bcgov · Apr 11, 2024 · 977e172 · 977e172
1 parent 8a61dbc
commit 977e172
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 21 deletions.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
diff --git a/.github/workflows/docker-publish.yml → .github/workflows/docker-pipeline.yaml b/.github/workflows/docker-publish.yml → .github/workflows/docker-pipeline.yaml
@@ -15,7 +15,7 @@ env:
 
 jobs:
  build:
- 
+
  runs-on: ubuntu-latest
  permissions:
  contents: read
@@ -64,5 +64,5 @@ jobs:
  # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
  TAGS: ${{ steps.meta.outputs.tags }}
  DIGEST: ${{ steps.build-and-push.outputs.digest }}
- 
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/docker-trino.yaml b/.github/workflows/docker-trino.yaml
@@ -0,0 +1,65 @@
+name: Push to GHCR
+
+on:
+ push:
+ branches: [ "main" ]
+
+env:
+ # DF-NOTE: pull ghcr.io/bcgov/nr-dap-ods-trino:main
+ REGISTRY: ghcr.io
+ DOCKERFILE_PATH: shared/trino
+ IMAGE_NAME: ${{ github.repository }}-trino
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/[email protected]
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ # DF-NOTE: to help the action find the Dockerfile to build from
+ context: ${{ env.DOCKERFILE_PATH }}/
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/shared/trino/Dockerfile b/shared/trino/Dockerfile
@@ -0,0 +1,5 @@
+FROM trinodb/trino
+
+USER trino
+
+RUN chmod -R g+rwX /data/trino && chmod -R g+rwX /usr/lib/trino
diff --git a/workflows/docker-publish.yaml b/workflows/docker-publish.yaml
@@ -0,0 +1,65 @@
+name: Publish to GHCR
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ REGISTRY: ghcr.io
+ # github.repository as <account>/<repo>
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/[email protected]
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}