---
# Reusable workflow (workflow_call): builds and pushes a container image, then
# runs the optional Docker/Podman integration tests and the Playwright
# acceptance tests against the pushed image.
name: Build, Push & Test
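# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader reads it as the
# trigger key, so the yamllint `truthy` rule is silenced for this line only.
on: # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      acceptance-test-devcontainer-file:
        description: Path to the devcontainer.json file to use for acceptance tests.
        required: false
        type: string
      acceptance-test-path:
        description: Path to the Playwright acceptance tests (directory that contains playwright.config.ts).
        required: false
        type: string
      build-args:
        description: Optional docker build args (newline-separated KEY=VALUE).
        required: false
        type: string
      build-test-runner-labels:
        description: >-
          JSON array used to select multi-architecture runners for build and test jobs.
          Must be valid JSON.
          Examples:
          '["ubuntu-latest"]'
          '["ubuntu-latest", "ubuntu-24.04-arm"]'
          '[["self-hosted", "linux", "x86_64"], ["self-hosted", "linux", "arm64"]]'
        required: false
        type: string
        default: '["ubuntu-latest", "ubuntu-24.04-arm"]'
      devcontainer-metadata-file:
        description: >-
          Path to a JSON file containing devcontainer metadata to add as a label to the built image.
          Examples:
          '.devcontainer/devcontainer-metadata.json'
          '.devcontainer/<flavor>/devcontainer-metadata.json'
        required: false
        type: string
      dockerfile:
        description: Path to the Dockerfile to build
        required: true
        type: string
      enable-edge-tag:
        description: Whether to also build and push an "edge" tag for the image.
        required: false
        type: boolean
        default: false
      image-name:
        description: >-
          Name of the Docker image to build, without registry or tag.
          Examples:
          'my-image'
          'my-org/my-image'
        required: true
        type: string
      integration-test-file:
        description: Path to the BATS test file to run for integration tests.
        required: false
        type: string
      integration-test-podman:
        description: Enable running the tests using the Podman container runtime, next to the default Docker container runtime.
        required: false
        type: boolean
        default: false
      registry:
        description: >-
          Docker registry to push built containers to.
          `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD` secrets must be set if not using GitHub Container Registry (ghcr.io).
        required: false
        type: string
        default: "ghcr.io"
      runner-labels:
        description: >-
          JSON array used to select the default linux runner for non-build jobs.
          Must be valid JSON.
          Examples:
          '["ubuntu-latest"]'
          '["self-hosted", "linux", "x86_64"]'
        required: false
        type: string
        default: '["ubuntu-latest"]'
    # All outputs are passed through unchanged from the build-push job.
    outputs:
      digest:
        description: Passed through from the build-push job's digest output.
        value: ${{ jobs.build-push.outputs.digest }}
      fully-qualified-image-name:
        description: Passed through from the build-push job's fully-qualified-image-name output.
        value: ${{ jobs.build-push.outputs.fully-qualified-image-name }}
      image-basename:
        description: Passed through from the build-push job's image-basename output.
        value: ${{ jobs.build-push.outputs.image-basename }}
      version:
        description: Passed through from the build-push job's version output.
        value: ${{ jobs.build-push.outputs.version }}
    # Every secret is optional. The DOCKER_REGISTRY_* pair is forwarded to the
    # build and integration-test jobs; the TEST_GITHUB_* set is forwarded only
    # to the acceptance-test job. Descriptions were added to the TEST_GITHUB_*
    # secrets so the caller sees all of them documented in the same place.
    secrets:
      DOCKER_REGISTRY_PASSWORD:
        description: Password or token for Docker login, if not provided the GitHub token will be used.
        required: false
      DOCKER_REGISTRY_USERNAME:
        description: User name for Docker login, if not provided the GitHub actor will be used.
        required: false
      TEST_GITHUB_PASSWORD:
        description: Forwarded to the acceptance-test job for use by the Playwright acceptance tests.
        required: false
      TEST_GITHUB_TOKEN:
        description: Token forwarded to the acceptance-test job for use by the Playwright acceptance tests.
        required: false
      TEST_GITHUB_TOTP_SECRET:
        description: TOTP secret forwarded to the acceptance-test job for use by the Playwright acceptance tests.
        required: false
      TEST_GITHUB_USER:
        description: User name forwarded to the acceptance-test job for use by the Playwright acceptance tests.
        required: false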
permissions: {}
jobs:
  # Builds and pushes the image through the reusable build workflow; every
  # later job depends on it and consumes its outputs (digest, image names).
  build-push:
    name: 🛠️
    uses: ./.github/workflows/wc-build-push.yml
    # Explicit grants only: the workflow-level `permissions: {}` removes all
    # default GITHUB_TOKEN permissions, so each grant below is justified inline.
    permissions:
      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
      attestations: write # is needed by actions/attest-build-provenance to push attestations
      contents: write # is needed by anchore/sbom-action for artifact uploads
      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
      packages: write # is needed to push image manifest when using GitHub Container Registry
      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
    # Anchored so the integration-test jobs receive the same registry
    # credentials. Both are optional: per their descriptions above, the GitHub
    # actor/token are used when they are unset.
    secrets: &docker-secrets
      DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
      DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
    with:
      build-args: ${{ inputs.build-args }}
      dockerfile: ${{ inputs.dockerfile }}
      enable-edge-tag: ${{ inputs.enable-edge-tag }}
      registry: ${{ inputs.registry }}
      image-name: ${{ inputs.image-name }}
      devcontainer-metadata-file: ${{ inputs.devcontainer-metadata-file }}
      runner-labels: ${{ inputs.runner-labels }}
      build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
  # Runs the BATS integration tests against the pushed image using Docker.
  # Skipped entirely when no integration-test-file is supplied.
  integration-test-docker:
    name: 🧪
    if: ${{ inputs.integration-test-file }}
    needs: build-push
    uses: ./.github/workflows/wc-integration-test-docker.yml
    # NOTE(review): read-only token for all three test jobs. If the image is a
    # private ghcr.io package and no DOCKER_REGISTRY_* secrets are set, pulling
    # with the fallback GitHub token would also need `packages: read` — confirm.
    permissions:
      contents: read
    secrets: *docker-secrets
    # Anchored so the Podman job runs against the identical image and test file.
    with: &integration-test-inputs
      build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
      fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
      image-basename: ${{ needs.build-push.outputs.image-basename }}
      image-digest: ${{ needs.build-push.outputs.digest }}
      registry: ${{ inputs.registry }}
      test-file: ${{ inputs.integration-test-file }}
  # Same integration tests under Podman; runs only when a test file is given
  # AND the caller opted in via integration-test-podman.
  integration-test-podman:
    name: 🧪
    if: ${{ inputs.integration-test-file && inputs.integration-test-podman }}
    needs: build-push
    uses: ./.github/workflows/wc-integration-test-podman.yml
    permissions:
      contents: read
    secrets: *docker-secrets
    with: *integration-test-inputs
  # Runs the Playwright acceptance tests; skipped unless both the devcontainer
  # file and the acceptance-test path are provided.
  acceptance-test:
    name: 🏗️
    if: ${{ inputs.acceptance-test-devcontainer-file && inputs.acceptance-test-path }}
    needs: build-push
    uses: ./.github/workflows/wc-acceptance-test.yml
    permissions:
      contents: read
    # The TEST_GITHUB_* secrets are forwarded to this job only; the registry
    # credentials are not passed here.
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
    with:
      image-basename: ${{ needs.build-push.outputs.image-basename }}
      devcontainer-file: ${{ inputs.acceptance-test-devcontainer-file }}
      acceptance-test-path: ${{ inputs.acceptance-test-path }}