name: Docs-builder Image Build
# Any change in triggers needs to be reflected in the concurrency group.
- Documentation/Dockerfile
- Documentation/requirements.txt
# To be able to access the repository with `actions/checkout`
# One group per workflow and pull request number: a newer run for the same
# pull request replaces the older one (cancel-in-progress is set below).
# For an event without a pull_request payload the number expands to an empty
# string, so all such runs would fall into a single shared group.
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
name: Build and Push Image
# NOTE(review): the job runs in the `docs-builder` deployment environment.
# Whether that environment requires reviewer approval or scopes the secrets
# used further down is set in the repository settings and is not visible
# in this file - confirm.
environment: docs-builder
tag: ${{ steps.docs-builder-tag.outputs.tag }}
digest: ${{ steps.docker-build-docs-builder.outputs.digest }}
- name: Checkout default branch (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ github.event.repository.default_branch }}
# Do not store the checkout token in the local git configuration, so that
# later steps operating on this tree cannot read it from there.
persist-credentials: false
- name: Set environment variables
# A `./` action is loaded from the workspace at the moment the step runs.
# The workspace still holds the default-branch checkout made above, so the
# action code comes from the trusted branch, not from the pull request.
uses: ./.github/actions/set-env-variables
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
persist-credentials: false
# Check out the exact commit recorded in the triggering event instead of the
# branch name, so the tree cannot change between the event and this step.
# From here on the workspace content is contributor-controlled.
ref: ${{ github.event.pull_request.head.sha }}
- name: Generate image tag for docs-builder
# The tag is the object id of the Documentation/ tree at HEAD (third field
# of the `git ls-tree` output), so it changes whenever the content of that
# directory changes.
# NOTE(review): later steps paste this value into shell commands through
# workflow expressions; that is only safe while it stays a plain hex id.
echo tag="$(git ls-tree --full-tree HEAD -- ./Documentation | awk '{ print $3 }')" >> $GITHUB_OUTPUT
- name: Check if tag for docs-builder already exists
id: docs-builder-tag-in-repositories
# The workflow expressions on the next line are substituted into the script
# text before the shell runs it. They carry the organisation name
# (presumably set by the set-env-variables step - confirm) and the tag
# computed earlier, not free-form pull request text.
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
echo exists="false" >> $GITHUB_OUTPUT
- name: Login to quay.io
if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
username: ${{ secrets.QUAY_DOCS_BUILDER_USERNAME }}
password: ${{ secrets.QUAY_DOCS_BUILDER_PASSWORD }}
- name: Build docs-builder image
if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: docker-build-docs-builder
# NOTE(review): the build context and the Dockerfile are taken from the pull
# request checkout made above, so the image built here (and, going by the
# job name, pushed) contains contributor-controlled content. Treat that
# image as untrusted wherever it is run afterwards.
context: ./Documentation
file: ./Documentation/Dockerfile
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }}
# Use a separate job for the steps below, to ensure we're no longer logged
name: Update Pull Request with new image reference
# The digest output comes from the image build step, which only runs when
# the tag did not exist yet. When the build was skipped the output is empty
# and this job is skipped as well.
if: needs.build-and-push.outputs.digest
environment: docs-builder
- name: Checkout default branch (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false
- name: Set environment variables
uses: ./.github/actions/set-env-variables
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
git config user.name "Cilium Imagebot"
git config user.email "noreply@cilium.io"
- name: Update docs-builder image reference in CI workflow
NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}"
# Run in Docker to prevent the script from accessing the environment.
# NOTE(review): both the image and the script started here originate from
# the pull request. No runner environment variables are passed into the
# container, but the bind mount gives it read-write access to the whole
# checkout, including the .git directory. Consider mounting only the files
# the script has to edit, or verifying afterwards that nothing else changed.
docker run --rm -v $PWD:/cilium -w /cilium "${NEW_IMAGE}" \
bash -c "git config --global --add safe.directory /cilium && \
/cilium/Documentation/update-docs-builder-image.sh ${NEW_IMAGE}"
# NOTE(review): this git command runs on the runner itself, in a repository
# that the container started above could write to. Git reads hooks and
# configuration from .git; overriding them for this call (for example with
# `-c core.hooksPath=/dev/null`) keeps repository-local hooks from running.
git commit -sam "ci: update docs-builder"
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }}
APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }}
- name: Push changes into PR
# The head branch name is chosen by the pull request author. Handing it to
# the script as a variable (presumably under an `env:` key not shown here),
# rather than expanding it inside the script text, keeps it from being
# interpreted as shell syntax; the push command then uses it quoted.
REF: ${{ github.event.pull_request.head.ref }}
# NOTE(review): the app token is placed in the push URL on the command line.
# Confirm that the token action registers its output as a masked secret so
# it cannot appear in logs. This push also runs on the runner, in the
# checkout that the docs-builder container had write access to.
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:"$REF"
name: Retrieve and display image digest
needs: build-and-push
if: needs.build-and-push.outputs.digest
runs-on: ubuntu-22.04
- name: Checkout default branch (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false
- name: Set environment variables
uses: ./.github/actions/set-env-variables
- name: Retrieve image digest
NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}"
mkdir -p image-digest/
echo "## docs-builder" > image-digest/docs-builder.txt
echo "" >> image-digest/docs-builder.txt
echo "\`${NEW_IMAGE}\`" >> image-digest/docs-builder.txt
echo "" >> image-digest/docs-builder.txt
- name: Upload artifact digests
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
name: image-digest docs-builder
- name: Output image digest
find -type f | sort | xargs -d '\n' cat