Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #19304
# ------------------------------------------------------------
# Copyright 2023 The Radius Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------------------------------------------------
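name: Build and Test

on:
  # Enable manual trigger
  workflow_dispatch:
  push:
    branches:
      - main
      - release/*
    tags:
      - v*
  pull_request:
    branches:
      - main
      - features/*
      - release/*

# Least-privilege default for the whole workflow: read-only checkout.
# Every job below declares the write scopes it actually uses, so a
# compromised step or third-party action in one job cannot mint OIDC
# tokens (id-token), push packages, or comment on PRs on behalf of
# another job. Job-level `permissions` replaces this default entirely.
#
# NOTE(review): third-party actions are pinned to major tags (e.g. @v4);
# pinning to full commit SHAs is the stronger supply-chain control and is
# recommended once the SHAs have been verified.
permissions:
  contents: read

concurrency:
  # Cancel the previously triggered build for only PR build.
  group: build-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

env:
  # Go version to install
  GOVER: "1.22.2"
  # gotestsum version - see: https://github.com/gotestyourself/gotestsum
  GOTESTSUMVERSION: "1.10.0"
  # GitHub Actor for pushing images to GHCR
  GHCR_ACTOR: rad-ci-bot
  # Container registry url for GitHub container registry.
  CONTAINER_REGISTRY: "ghcr.io/radius-project"
  # Local file path to the release binaries.
  RELEASE_PATH: ./release
  # ORAS (OCI Registry As Storage) CLI version
  ORAS_VERSION: "1.1.0"
  # URL to get source code for building the image
  IMAGE_SRC: https://github.com/radius-project/radius
  # bicep-types ACR url for uploading Radius Bicep types
  BICEP_TYPES_REGISTRY: "biceptypes.azurecr.io"

jobs:
  build-and-push-cli:
    name: Build ${{ matrix.target_os }}_${{ matrix.target_arch }} binaries
    runs-on: ubuntu-latest
    if: github.repository == 'radius-project/radius'
    permissions:
      contents: read
      # `oras push` below publishes the CLI binaries to GHCR with GITHUB_TOKEN.
      packages: write
      # The local process-test-results action publishes check runs and PR
      # comments (the original workflow-level comments named these scopes
      # for that purpose); only the linux/amd64 leg runs it.
      checks: write
      pull-requests: write
      issues: write
    env:
      GOOS: ${{ matrix.target_os }}
      GOARCH: ${{ matrix.target_arch }}
      GOPROXY: https://proxy.golang.org
    strategy:
      fail-fast: false
      matrix:
        include:
          - target_os: linux
            target_arch: arm
          - target_os: linux
            target_arch: arm64
          - target_os: linux
            target_arch: amd64
          - target_os: windows
            target_arch: amd64
          - target_os: darwin
            target_arch: amd64
          - target_os: darwin
            target_arch: arm64
    steps:
      - name: Check out repo
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes to git, so don't leave the workflow
          # token in .git/config where every later step (make, python, and
          # third-party actions) could read it.
          persist-credentials: false
      - name: Set up Go ${{ env.GOVER }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GOVER }}
          cache-dependency-path: go.sum
      - name: Parse release version and set environment variables
        run: python ./.github/scripts/get_release_version.py
      - name: Make build
        run: make build
      - name: Run make test (unit tests)
        if: matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
        env:
          GOTESTSUM_OPTS: "--junitfile ./dist/unit_test/results.xml"
          GOTEST_OPTS: "-race -coverprofile ./dist/unit_test/ut_coverage.out"
        run: |
          mkdir -p ./dist/unit_test
          go install "gotest.tools/gotestsum@v${GOTESTSUMVERSION}"
          make test
      - name: Upload coverage to Codecov
        if: matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          codecov_yml_path: ./.codecov.yml
          file: ./dist/unit_test/ut_coverage.out
          fail_ci_if_error: false
          verbose: true
      - name: Process Unit Test Results
        uses: ./.github/actions/process-test-results
        # Always is required here to make sure this target runs even when tests fail.
        if: always() && matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
        with:
          test_group_name: "Unit Tests"
          artifact_name: "unit_test_results"
          result_directory: "dist/unit_test/"
      # Shell steps reference job/workflow env as $VAR instead of expanding
      # ${{ env.* }} into the script text; values that come from git refs
      # (release version, channel) are then never parsed as shell.
      - name: Copy cli binaries to release (unix-like)
        if: matrix.target_os != 'windows'
        run: |
          mkdir -p "$RELEASE_PATH"
          cp "./dist/${GOOS}_${GOARCH}/release/rad" "$RELEASE_PATH/rad_${GOOS}_${GOARCH}"
      - name: Copy cli binaries to release (windows)
        if: matrix.target_os == 'windows'
        run: |
          mkdir -p "$RELEASE_PATH"
          cp "./dist/${GOOS}_${GOARCH}/release/rad.exe" "$RELEASE_PATH/rad_${GOOS}_${GOARCH}.exe"
      - name: Upload CLI binary
        uses: actions/upload-artifact@v4
        with:
          name: rad_cli_${{ matrix.target_os}}_${{ matrix.target_arch}}
          path: ${{ env.RELEASE_PATH }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Previously `@main`: a floating branch ref lets upstream change the
      # action that handles our registry credentials without any review here.
      - uses: oras-project/setup-oras@v1
        with:
          version: ${{ env.ORAS_VERSION }}
      - name: Push latest rad cli binary to GHCR (unix-like)
        if: github.ref == 'refs/heads/main' && matrix.target_os != 'windows'
        run: |
          cp "./dist/${GOOS}_${GOARCH}/release/rad" ./rad
          oras push "${CONTAINER_REGISTRY}/rad/${GOOS}-${GOARCH}:latest" ./rad \
            --annotation "org.opencontainers.image.source=${IMAGE_SRC}"
      - name: Push latest rad cli binary to GHCR (windows)
        if: github.ref == 'refs/heads/main' && matrix.target_os == 'windows'
        run: |
          cp "./dist/${GOOS}_${GOARCH}/release/rad.exe" ./rad.exe
          oras push "${CONTAINER_REGISTRY}/rad/${GOOS}-${GOARCH}:latest" ./rad.exe \
            --annotation "org.opencontainers.image.source=${IMAGE_SRC}"

  build-and-push-images:
    name: Build and publish container images
    runs-on: ubuntu-latest
    if: github.repository == 'radius-project/radius'
    permissions:
      contents: read
      # Multi-arch image pushes to GHCR use GITHUB_TOKEN.
      packages: write
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Parse release version and set environment variables
        run: python ./.github/scripts/get_release_version.py
      - name: Set up Go ${{ env.GOVER }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GOVER }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64,linux/arm64,linux/arm/v7
      - name: Push container images (latest)
        run: |
          make docker-multi-arch-push
        if: (github.ref == 'refs/heads/main') # push image to latest on merge to main
        env:
          DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
          DOCKER_TAG_VERSION: latest
      - name: Build container images (PR) # Don't push on PR, agent will not have permission.
        run: |
          make docker-multi-arch-build
        if: github.event_name == 'pull_request'
        env:
          DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
          DOCKER_TAG_VERSION: ${{ env.REL_VERSION }} # includes PR number
      - name: Push container images (release)
        run: |
          make docker-multi-arch-push
        if: startsWith(github.ref, 'refs/tags/v') # push image on tag
        env:
          DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
          DOCKER_TAG_VERSION: ${{ env.REL_CHANNEL }}

  build-and-push-helm-chart:
    name: Helm chart build
    needs: ["build-and-push-images"]
    runs-on: ubuntu-latest
    # Don't push on PR, agent will not have permission.
    if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
    permissions:
      contents: read
      # `helm push` to GHCR uses GITHUB_TOKEN.
      packages: write
    env:
      ARTIFACT_DIR: ./dist/Charts
      HELM_PACKAGE_DIR: helm
      HELM_CHARTS_DIR: deploy/Chart
      OCI_REGISTRY: ghcr.io
      # We only push the chart on pushes to main or to a tag. The versioning logic will select the right
      # version for us.
      OCI_REPOSITORY: "radius-project/helm-chart"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install helm
        uses: azure/setup-helm@v4
        with:
          version: "v3.11.1"
      - name: Parse release version and set environment variables
        run: python ./.github/scripts/get_release_version.py
      - name: Run Helm linter
        run: |
          helm lint "$HELM_CHARTS_DIR"
      - name: Package Helm chart
        run: |
          mkdir -p "$ARTIFACT_DIR/$HELM_PACKAGE_DIR"
          helm package "$HELM_CHARTS_DIR" \
            --version "$CHART_VERSION" \
            --app-version "$REL_VERSION" \
            --destination "$ARTIFACT_DIR/$HELM_PACKAGE_DIR"
      # TODO: Delete this step once we use GHCR as the helm chart repo.
      # Cannot use Workload Identity because azure federated identity doesn't accept wildcard tag version.
      # NOTE(review): this installs an unpinned script as root straight from the
      # network. `-f` at least stops a failed download (HTML error page) from
      # being piped into bash; pinning/verifying the installer is still open.
      - name: Setup Azure CLI
        run: curl -fsSL https://aka.ms/InstallAzureCLIDeb | sudo bash
      - name: az CLI login
        # The service-principal secret is a long-lived credential. It is passed
        # through the step environment instead of being expanded into the
        # script text, so it is never part of the composed shell command.
        env:
          AZURE_SP_APPID: ${{ secrets.AZURE_SP_TESTS_APPID }}
          AZURE_SP_PASSWORD: ${{ secrets.AZURE_SP_TESTS_PASSWORD }}
          AZURE_SP_TENANTID: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
        run: |
          az login --service-principal \
            --username "$AZURE_SP_APPID" \
            --password "$AZURE_SP_PASSWORD" \
            --tenant "$AZURE_SP_TENANTID"
      # TODO: Delete this step once we use GHCR as the helm chart repo.
      # `--force` overwrites an already-published chart version on re-runs.
      - name: Push helm chart to ACR
        run: |
          az acr helm push --name radius "$ARTIFACT_DIR/$HELM_PACKAGE_DIR/radius-$CHART_VERSION.tgz" --force
      - name: Push helm chart to GHCR
        env:
          HELM_REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$HELM_REGISTRY_TOKEN" | helm registry login -u "$GITHUB_ACTOR" --password-stdin "$OCI_REGISTRY"
          helm push "$ARTIFACT_DIR/$HELM_PACKAGE_DIR/radius-$CHART_VERSION.tgz" "oci://$OCI_REGISTRY/$OCI_REPOSITORY"

  build-and-push-bicep-types:
    name: Publish Radius bicep types to ACR
    runs-on: ubuntu-latest
    # Unlike the other jobs this one has no repository guard: type generation
    # and the artifact upload run on every trigger; only the login/publish
    # steps are restricted to main and release tags in the upstream repo.
    permissions:
      contents: read
      # azure/login below authenticates with federated (OIDC) credentials,
      # which requires the job to be able to request an ID token.
      id-token: write
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Parse release version and set environment variables
        run: python ./.github/scripts/get_release_version.py
      - name: Set up Go ${{ env.GOVER }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GOVER }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Generate Bicep extensibility types from OpenAPI specs
        env:
          # "edge" builds publish as "latest"; otherwise the release channel is the tag.
          BICEP_TYPES_TAG: ${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
        run: |
          make generate-bicep-types VERSION="$BICEP_TYPES_TAG"
      - name: Upload Radius Bicep types artifacts
        uses: actions/upload-artifact@v4
        with:
          name: radius-bicep-types
          path: ./hack/bicep-types-radius/generated
          if-no-files-found: error
      - name: 'Login via Azure CLI'
        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
          tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
          subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
      # NOTE(review): the bicep binary is fetched from the floating `latest`
      # release with no version pin or checksum check. `-f` makes curl fail on
      # an HTTP error instead of saving and executing the error body; pinning a
      # release and verifying its checksum would complete the fix.
      - name: Setup and verify bicep CLI
        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
        run: |
          curl -fsSLo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
          chmod +x ./bicep
          sudo mv ./bicep /usr/local/bin/bicep
          bicep --version
      # `--force` overwrites the channel tag on every publish (expected for
      # "latest" and for patch releases within a channel).
      - name: Publish bicep types
        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
        env:
          BICEP_TYPES_TAG: ${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
        run: |
          bicep publish-extension ./hack/bicep-types-radius/generated/index.json \
            --target "br:${BICEP_TYPES_REGISTRY}/radius:${BICEP_TYPES_TAG}" --force

  publish-release:
    name: Publish GitHub Release
    needs: ["build-and-push-cli"]
    runs-on: ubuntu-latest
    if: github.repository == 'radius-project/radius' && startsWith(github.ref, 'refs/tags/v')
    permissions:
      # Creating the release and uploading assets.
      contents: write
    env:
      # `gh` reads GITHUB_TOKEN from the environment; a bot PAT is used here
      # in place of the workflow token (presumably so the release is attributed
      # to the bot / can trigger downstream workflows — confirm before changing).
      GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Parse release version and set environment variables
        run: python ./.github/scripts/get_release_version.py
      - name: Download release artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: rad_cli_*
          merge-multiple: true
          path: ${{ env.RELEASE_PATH }}
      - name: generate checksum files
        # One .sha256 per binary; the glob is expanded once, before any
        # checksum file exists, so they are not re-hashed.
        run: |
          (
            cd "$RELEASE_PATH"
            for f in *; do sha256sum -b "$f" > "$f.sha256"; done
          )
          ls -l "$RELEASE_PATH"
      - name: Create GitHub RC Release (pre-release and auto-generate release notes)
        if: ${{ contains(env.REL_VERSION, 'rc') }}
        run: |
          gh release create "v${REL_VERSION}" \
            "$RELEASE_PATH"/* \
            --title "Radius v${REL_VERSION}" \
            --generate-notes \
            --verify-tag \
            --prerelease
      - name: Create GitHub Official Release
        if: ${{ !contains(env.REL_VERSION, 'rc') }}
        run: |
          gh release create "v${REL_VERSION}" \
            "$RELEASE_PATH"/* \
            --title "Radius v${REL_VERSION}" \
            --notes-file "docs/release-notes/v${REL_VERSION}.md" \
            --verify-tag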