Skip to content

Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #19304

Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA

Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #19304

Workflow file for this run

# ------------------------------------------------------------
# Copyright 2023 The Radius Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------------------------------------------------
name: Build and Test
on:
# Enable manual trigger
workflow_dispatch:
push:
branches:
- main
- release/*
tags:
- v*
pull_request:
branches:
- main
- features/*
- release/*
permissions:
id-token: write # Required for requesting the JWT
contents: write # Required for creating releases
issues: write # Required for creating comments
checks: write # Required for updating check runs
pull-requests: write # Required for updating pull requests
packages: write # Required for uploading the package
concurrency:
# Cancel the previously triggered build for only PR build.
group: build-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
env:
# Go version to install
GOVER: "1.22.2"
# gotestsum version - see: https://github.com/gotestyourself/gotestsum
GOTESTSUMVERSION: 1.10.0
# GitHub Actor for pushing images to GHCR
GHCR_ACTOR: rad-ci-bot
# Container registry url for GitHub container registry.
CONTAINER_REGISTRY: "ghcr.io/radius-project"
# Local file path to the release binaries.
RELEASE_PATH: ./release
# ORAS (OCI Registry As Storage) CLI version
ORAS_VERSION: 1.1.0
# URL to get source code for building the image
IMAGE_SRC: https://github.com/radius-project/radius
# bicep-types ACR url for uploading Radius Bicep types
BICEP_TYPES_REGISTRY: 'biceptypes.azurecr.io'
jobs:
build-and-push-cli:
name: Build ${{ matrix.target_os }}_${{ matrix.target_arch }} binaries
runs-on: ubuntu-latest
if: github.repository == 'radius-project/radius'
env:
GOOS: ${{ matrix.target_os }}
GOARCH: ${{ matrix.target_arch }}
GOPROXY: https://proxy.golang.org
strategy:
fail-fast: false
matrix:
include:
- target_os: linux
target_arch: arm
- target_os: linux
target_arch: arm64
- target_os: linux
target_arch: amd64
- target_os: windows
target_arch: amd64
- target_os: darwin
target_arch: amd64
- target_os: darwin
target_arch: arm64
steps:
- name: Check out repo
uses: actions/checkout@v4
- name: Set up Go ${{ env.GOVER }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GOVER }}
cache-dependency-path: go.sum
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Make build
run: make build
- name: Run make test (unit tests)
if: matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
env:
GOTESTSUM_OPTS: "--junitfile ./dist/unit_test/results.xml"
GOTEST_OPTS: "-race -coverprofile ./dist/unit_test/ut_coverage.out"
run: |
mkdir -p ./dist/unit_test
go install gotest.tools/gotestsum@v${{ env.GOTESTSUMVERSION }}
make test
- name: Upload coverage to Codecov
if: matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
codecov_yml_path: ./.codecov.yml
file: ./dist/unit_test/ut_coverage.out
fail_ci_if_error: false
verbose: true
- name: Process Unit Test Results
uses: ./.github/actions/process-test-results
# Always is required here to make sure this target runs even when tests fail.
if: always() && matrix.target_arch == 'amd64' && matrix.target_os == 'linux'
with:
test_group_name: "Unit Tests"
artifact_name: "unit_test_results"
result_directory: "dist/unit_test/"
- name: Copy cli binaries to release (unix-like)
if: matrix.target_os != 'windows'
run: |
mkdir ${{ env.RELEASE_PATH }}
cp ./dist/${{ matrix.target_os}}_${{ matrix.target_arch}}/release/rad ${{ env.RELEASE_PATH }}/rad_${{ matrix.target_os}}_${{ matrix.target_arch}}
- name: Copy cli binaries to release (windows)
if: matrix.target_os == 'windows'
run: |
mkdir ${{ env.RELEASE_PATH }}
cp ./dist/${{ matrix.target_os}}_${{ matrix.target_arch}}/release/rad.exe ${{ env.RELEASE_PATH }}/rad_${{ matrix.target_os}}_${{ matrix.target_arch}}.exe
- name: Upload CLI binary
uses: actions/upload-artifact@v4
with:
name: rad_cli_${{ matrix.target_os}}_${{ matrix.target_arch}}
path: ${{ env.RELEASE_PATH }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: oras-project/setup-oras@main
with:
version: ${{ env.ORAS_VERSION }}
- name: Push latest rad cli binary to GHCR (unix-like)
if: github.ref == 'refs/heads/main' && matrix.target_os != 'windows'
run: |
cp ./dist/${{ matrix.target_os}}_${{ matrix.target_arch}}/release/rad ./rad
oras push ${{ env.CONTAINER_REGISTRY }}/rad/${{ matrix.target_os }}-${{ matrix.target_arch }}:latest ./rad --annotation "org.opencontainers.image.source=${{ env.IMAGE_SRC }}"
- name: Copy cli binaries to release (windows)
if: github.ref == 'refs/heads/main' && matrix.target_os == 'windows'
run: |
cp ./dist/${{ matrix.target_os}}_${{ matrix.target_arch}}/release/rad.exe ./rad.exe
oras push ${{ env.CONTAINER_REGISTRY }}/rad/${{ matrix.target_os }}-${{ matrix.target_arch }}:latest ./rad.exe --annotation "org.opencontainers.image.source=${{ env.IMAGE_SRC }}"
build-and-push-images:
name: Build and publish container images
runs-on: ubuntu-latest
if: github.repository == 'radius-project/radius'
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Set up Go ${{ env.GOVER }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GOVER }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64,linux/arm/v7
- name: Push container images (latest)
run: |
make docker-multi-arch-push
if: (github.ref == 'refs/heads/main') # push image to latest on merge to main
env:
DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
DOCKER_TAG_VERSION: latest
- name: Build container images (PR) # Don't push on PR, agent will not have permission.
run: |
make docker-multi-arch-build
if: github.event_name == 'pull_request'
env:
DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
DOCKER_TAG_VERSION: ${{ env.REL_VERSION }} # includes PR number
- name: Push container images (release)
run: |
make docker-multi-arch-push
if: startsWith(github.ref, 'refs/tags/v') # push image on tag
env:
DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
DOCKER_TAG_VERSION: ${{ env.REL_CHANNEL }}
build-and-push-helm-chart:
name: Helm chart build
needs: ["build-and-push-images"]
runs-on: ubuntu-latest
# Don't push on PR, agent will not have permission.
if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
env:
ARTIFACT_DIR: ./dist/Charts
HELM_PACKAGE_DIR: helm
HELM_CHARTS_DIR: deploy/Chart
OCI_REGISTRY: ghcr.io
# We only push the chart on pushes to main or to a tag. The versioning logic will select the right
# version for us.
OCI_REPOSITORY: "radius-project/helm-chart"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install helm
uses: azure/setup-helm@v4
with:
version: "v3.11.1"
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Run Helm linter
run: |
helm lint ${{ env.HELM_CHARTS_DIR }}
- name: Package Helm chart
run: |
mkdir -p ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
helm package ${{ env.HELM_CHARTS_DIR }} --version ${{ env.CHART_VERSION }} --app-version ${{ env.REL_VERSION }} --destination ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
# TODO: Delete this step once we use GHCR as the helm chart repo.
# Cannot use Workload Identity because azure federated identity doesn't accept wildcard tag version.
- name: Setup Azure CLI
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- name: az CLI login
run: |
az login --service-principal \
--username ${{ secrets.AZURE_SP_TESTS_APPID }} \
--password ${{ secrets.AZURE_SP_TESTS_PASSWORD }} \
--tenant ${{ secrets.AZURE_SP_TESTS_TENANTID }}
# TODO: Delete this step once we use GHCR as the helm chart repo.
- name: Push helm chart to ACR
run: |
az acr helm push --name radius ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}/radius-${{ env.CHART_VERSION }}.tgz --force
- name: Push helm chart to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ${{ env.OCI_REGISTRY }}
helm push ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}/radius-${{ env.CHART_VERSION }}.tgz oci://${{ env.OCI_REGISTRY }}/${{ env.OCI_REPOSITORY }}
build-and-push-bicep-types:
name: Publish Radius bicep types to ACR
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Set up Go ${{ env.GOVER }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GOVER }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Generate Bicep extensibility types from OpenAPI specs
run: |
make generate-bicep-types VERSION=${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
- name: Upload Radius Bicep types artifacts
uses: actions/upload-artifact@v4
with:
name: radius-bicep-types
path: ./hack/bicep-types-radius/generated
if-no-files-found: error
- name: 'Login via Azure CLI'
if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
uses: azure/login@v2
with:
client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
- name: Setup and verify bicep CLI
if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
run: |
curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
chmod +x ./bicep
sudo mv ./bicep /usr/local/bin/bicep
bicep --version
- name: Publish bicep types
if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
run: |
bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/radius:${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }} --force
publish-release:
name: Publish GitHub Release
needs: ["build-and-push-cli"]
runs-on: ubuntu-latest
if: github.repository == 'radius-project/radius' && startsWith(github.ref, 'refs/tags/v')
env:
GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
pattern: rad_cli_*
merge-multiple: true
path: ${{ env.RELEASE_PATH }}
- name: generate checksum files
run: |
cd ${{ env.RELEASE_PATH }} && for i in *; do sha256sum -b $i > "$i.sha256"; done && cd -
ls -l ${{ env.RELEASE_PATH }}
- name: Create GitHub RC Release (pre-release and auto-generate release notes)
if: ${{ contains(env.REL_VERSION, 'rc') }}
run: |
gh release create v${{ env.REL_VERSION }} \
${{ env.RELEASE_PATH }}/* \
--title "Radius v${{ env.REL_VERSION }}" \
--generate-notes \
--verify-tag \
--prerelease
- name: Create GitHub Official Release
if: ${{ !contains(env.REL_VERSION, 'rc') }}
run: |
gh release create v${{ env.REL_VERSION }} \
${{ env.RELEASE_PATH }}/* \
--title "Radius v${{ env.REL_VERSION }}" \
--notes-file docs/release-notes/v${{ env.REL_VERSION }}.md \
--verify-tag