-
Notifications
You must be signed in to change notification settings - Fork 372
Expand file tree
/
Copy pathaction.yml
More file actions
131 lines (117 loc) · 5.72 KB
/
Copy pathaction.yml
File metadata and controls
131 lines (117 loc) · 5.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Build Docker Image
description: Builds and pushes the app image for a Control Plane workload
inputs:
app_name:
description: Name of the application
required: true
org:
description: Control Plane organization name
required: true
commit:
description: Commit SHA to tag the image with
required: true
pr_number:
description: Pull request number for status messaging
required: false
docker_build_extra_args:
description: Optional newline-delimited extra docker build tokens. Use key=value forms like --build-arg=FOO=bar.
required: false
docker_build_ssh_key:
description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
required: false
docker_build_ssh_known_hosts:
description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
required: false
working_directory:
description: Directory containing the app .controlplane config and Docker build context
required: false
default: "."
runs:
using: composite
steps:
# Keep SSH key handling in a dedicated step so DOCKER_BUILD_SSH_KEY is never present
# in the main build step's environment. ACTIONS_STEP_DEBUG=true dumps env before any
# command runs, so keeping the key out of env there avoids even admin-triggered exposure.
- name: Prepare SSH agent for Docker build
if: ${{ inputs.docker_build_ssh_key != '' }}
shell: bash
env:
# Pass the key via env so the file write is a single printf call rather than a
# heredoc with a fixed terminator (a heredoc would silently truncate the key if
# any line of the key value happened to match the terminator). Scope is still
# this step only — the build step below does not receive DOCKER_BUILD_SSH_KEY.
DOCKER_BUILD_SSH_KEY: ${{ inputs.docker_build_ssh_key }}
DOCKER_BUILD_SSH_KNOWN_HOSTS: ${{ inputs.docker_build_ssh_known_hosts }}
run: |
set -euo pipefail
umask 077
mkdir -p ~/.ssh
chmod 700 ~/.ssh
if [[ -n "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" ]]; then
printf '%s\n' "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" | tr -d '\r' > ~/.ssh/known_hosts
else
printf '%s\n' \
'github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl' \
'github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=' \
'github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=' \
> ~/.ssh/known_hosts
fi
chmod 600 ~/.ssh/known_hosts
printf '%s\n' "${DOCKER_BUILD_SSH_KEY}" | tr -d '\r' > ~/.ssh/cpflow_build_key
chmod 600 ~/.ssh/cpflow_build_key
- name: Build Docker image
shell: bash
env:
APP_NAME: ${{ inputs.app_name }}
COMMIT_SHA: ${{ inputs.commit }}
CONTROL_PLANE_ORG: ${{ inputs.org }}
DOCKER_BUILD_EXTRA_ARGS: ${{ inputs.docker_build_extra_args }}
PR_NUMBER: ${{ inputs.pr_number }}
WORKING_DIRECTORY: ${{ inputs.working_directory }}
run: |
set -euo pipefail
PR_INFO=""
docker_build_args=()
ssh_agent_started=false
build_ssh_prepped=false
cleanup_build_ssh() {
if [[ "${ssh_agent_started}" == "true" ]]; then
ssh-agent -k >/dev/null || true
fi
rm -f "${HOME}/.ssh/cpflow_build_key"
# Only remove known_hosts if this action's prep step wrote it. On self-hosted
# or reused runners we must not touch a user-managed file we did not create,
# so the flag is set inside the same prep-detection branch below.
if [[ "${build_ssh_prepped}" == "true" ]]; then
rm -f "${HOME}/.ssh/known_hosts"
fi
}
trap cleanup_build_ssh EXIT
cd "${WORKING_DIRECTORY}"
if [[ -n "${PR_NUMBER}" ]]; then
PR_INFO=" for PR #${PR_NUMBER}"
fi
if [[ -n "${DOCKER_BUILD_EXTRA_ARGS}" ]]; then
while IFS= read -r arg; do
arg="${arg%$'\r'}"
[[ -n "${arg}" ]] || continue
if [[ "${arg}" =~ [[:space:]] ]]; then
echo "docker_build_extra_args entries must be single docker-build tokens. " \
"Use key=value forms like --build-arg=FOO=bar." >&2
exit 1
fi
docker_build_args+=("${arg}")
done <<< "${DOCKER_BUILD_EXTRA_ARGS}"
fi
if [[ -f "${HOME}/.ssh/cpflow_build_key" ]]; then
# Mark prep-step ownership so cleanup_build_ssh only removes known_hosts
# when this action wrote it (see trap above).
build_ssh_prepped=true
eval "$(ssh-agent -s)"
ssh_agent_started=true
ssh-add "${HOME}/.ssh/cpflow_build_key"
docker_build_args+=("--ssh=default")
fi
echo "🏗️ Building Docker image${PR_INFO} (commit ${COMMIT_SHA})..."
cpflow build-image -a "${APP_NAME}" --commit="${COMMIT_SHA}" --org="${CONTROL_PLANE_ORG}" "${docker_build_args[@]}"
echo "✅ Docker image build successful${PR_INFO} (commit ${COMMIT_SHA})"