Merge pull request #59 from eugene-davis/pr-builds

Pr scoped images
tomtom-international · Jul 13, 2022 · 972908a · 972908a
2 parents 202f51d + bd9c3e7
commit 972908a
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 7 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.10
+current_version = 1.0.11
 commit = True
 tag = False
 message = Bump version: {current_version} → {new_version}

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -3,7 +3,6 @@ name: PR Checks
 on:
   pull_request:
     branches: [ main ]
-  workflow_dispatch:
 
 env:
   REQUIRED_COVERAGE: 30
@@ -12,7 +11,6 @@ jobs:
   python:
     name: python checks
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2
@@ -46,18 +44,56 @@ jobs:
     - uses: hadolint/[email protected]
       with:
         dockerfile: Dockerfile
+
+    - name: Build PR Check
+      id: containers
+      run: |
+       if [[ "${{ secrets.BUILD_PR }}" != "" && \
+             "${{ secrets.PR_CONTAINERS_USER }}" != "" && \
+             "${{ secrets.PR_CONTAINERS }}" != "" ]]
+       then
+         echo "PR Builds configured"
+         echo "::set-output name=BUILD_PR::true"
+       else
+         echo "PR Builds not configured"
+         echo "::set-output name=BUILD_PR::false"
+       fi
+
+    - name: Get PR ID
+      id: pr
+      run: echo "::set-output name=id::$(echo ${{ github.ref_name }} | cut -d"/" -f1)"
+      if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
 
-    - name: Test Cross Platform Build
+    - name: Login to ghcr.io
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ secrets.PR_CONTAINERS_USER }}
+        password: ${{ secrets.PR_CONTAINERS }}
+      if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
+
+    - name: PR Cross Platform Build and Push
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        push: true
+        tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }}
+        platforms: linux/amd64,linux/arm64,linux/arm/v7
+      if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
+
+    - name: PR Cross Platform Build
       uses: docker/build-push-action@v2
       with:
         context: .
+        tags: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.id }}
         platforms: linux/amd64,linux/arm64,linux/arm/v7
+      if: ${{ !fromJSON(steps.containers.outputs.BUILD_PR) }}
 
   security:
     name: security checks

diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml
@@ -0,0 +1,33 @@
+name: 'Clean up Docker images from PR'
+
+on:
+  pull_request:
+    types: [closed]
+
+
+jobs:
+  purge-image:
+    name: Delete image from ghcr.io
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build PR Check
+      id: containers
+      run: |
+       if [[ "${{ secrets.BUILD_PR }}" != "" && \
+             "${{ secrets.PR_CONTAINERS_USER }}" != "" && \
+             "${{ secrets.PR_CONTAINERS }}" != "" ]]
+       then
+         echo "PR Builds configured"
+         echo "::set-output name=BUILD_PR::true"
+       else
+         echo "PR Builds not configured"
+         echo "::set-output name=BUILD_PR::false"
+       fi
+       
+    - uses: eugene-davis/[email protected]
+      with:
+        package-name: ${{ github.event.repository.name }}
+        tag: pr-${{ github.event.pull_request.number }}
+        github-token: ${{ secrets.PR_CONTAINERS }}
+        github-org: ${{ secrets.ORG}} # Should only be set when running in an organization
+      if: ${{ fromJSON(steps.containers.outputs.BUILD_PR) }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  VERSION: 1.0.10
+  VERSION: 1.0.11
 
 jobs:
   release:

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -48,4 +48,19 @@ To help protect the health of this project, all contributions are required to pa
 #### Other Checks
 
 * [gitleaks](https://github.com/zricethezav/gitleaks) - scans the repository for possible secrets (e.g. passwords, keys), this is only the last line of defense, you should double-check before you commit!
-* [bump2version](https://github.com/c4urself/bump2version) - we ensure that the version has been bumped by bump2version on every pull request
+* [bump2version](https://github.com/c4urself/bump2version) - we ensure that the version has been bumped by bump2version on every pull request
+
+#### Automatic PR Builds
+
+The [Docker Checks](#docker-checks) job can be configured to push a PR build image (tagged pr-#) to your repository.
+It does not work when running from a forked repository.
+This image will be cleaned up after the PR is closed.
+Using this functionality requires the following secrets to be added:
+
+* `BULD_PR` must be set to `true`
+* `PR_CONTAINERS_USER` must be set to the user associated with the `PR_CONTAINERS` token
+* `PR_CONTAINERS` must be set to a Github PAT with `read`, `write` and `delete` packages permissions
+
+A PAT must be used rather than the built-in token, as Github Actions does not currently support setting the `delete` permission for packages on the default token.
+
+If you wish to enable the functionality in an organization, you must also provide the organization name in a secret called `ORG`.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "vault-assessment-prometheus-exporter"
-version = "1.0.10"
+version = "1.0.11"
 description = "Prometheus exporter to monitor custom metadata for KV2 secrets for (self-imposed) expiration."
 authors = ["Eugene Davis <[email protected]>"]
 readme = "README.md"