1+ name : Tekton Chains Nightly Build
2+
3+ permissions :
4+ contents : read
5+
6+ concurrency :
7+ group : ${{ github.workflow }}
8+ cancel-in-progress : false
9+
10+ ' on ' :
11+ schedule :
12+ # Run at 03:00 UTC daily
13+ - cron : " 0 3 * * *"
14+ workflow_dispatch :
15+ inputs :
16+ kubernetes_version :
17+ description : ' Kubernetes version to test with'
18+ required : false
19+ nightly_bucket :
20+ description : ' Nightly bucket for builds'
21+ required : false
22+
23+ env :
24+ KUBERNETES_VERSION : ${{ inputs.kubernetes_version || 'v1.33.x' }}
25+ REGISTRY : ghcr.io
26+ BUCKET : ${{ inputs.nightly_bucket || 'tekton-nightly' }}
27+ IMAGE_REGISTRY_PATH : ${{ github.repository }}
28+ IMAGE_REGISTRY_USER : tekton-robot
29+ REPO_NAME : ${{ github.event.repository.name }}
30+
31+ jobs :
32+ build :
33+ name : Nightly Build
34+ runs-on : ubuntu-24.04
35+ if : github.repository_owner == 'tektoncd' # do not run this elsewhere
36+
37+ permissions :
38+ contents : read
39+ packages : write # to push container images to ghcr.io
40+ id-token : write # to mint OIDC tokens for keyless signing
41+
42+ steps :
43+ # - name: Harden runner
44+ # uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
45+ # with:
46+ # egress-policy: audit
47+
48+ - name : Checkout repository
49+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
50+ with :
51+ fetch-depth : 0
52+ persist-credentials : false
53+
54+ - name : Generate version info
55+ id : version
56+ env :
57+ GITHUB_SHA : ${{ github.sha }}
58+ run : |
59+ date_tag=$(date +v%Y%m%d-${GITHUB_SHA:0:10})
60+ echo "version_tag=${date_tag}" >> "$GITHUB_OUTPUT"
61+ echo "latest_sha=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
62+
63+ - name : Setup Tekton Nightly Infra
64+ uses : tektoncd/plumbing/.github/actions/setup-nightly-infra@c4d1d3e6b8e8ac398636f75aef0faf50784a5ca7 # main
65+ with :
66+ kubernetes_version : ${{ env.KUBERNETES_VERSION }}
67+ image_registry_user : ${{ env.IMAGE_REGISTRY_USER }}
68+ ghcr_token : ${{ secrets.GHCR_TOKEN }}
69+ oci_api_key : ${{ secrets.OCI_API_KEY }}
70+ oci_fingerprint : ${{ secrets.OCI_FINGERPRINT }}
71+ oci_tenancy_ocid : ${{ secrets.OCI_TENANCY_OCID }}
72+ oci_user_ocid : ${{ secrets.OCI_USER_OCID }}
73+ oci_region : ${{ secrets.OCI_REGION }}
74+
75+ - name : Apply Build Pipeline Definition
76+ run : |
77+ kustomize build release | kubectl apply -f -
78+
79+ - name : Start Tekton Build Pipeline
80+ env :
81+ GIT_REVISION : ${{ steps.version.outputs.latest_sha }}
82+ VERSION_TAG : ${{ steps.version.outputs.version_tag }}
83+ RELEASE_BUCKET : ${{ env.BUCKET }}
84+ IMAGE_REGISTRY : ${{ env.REGISTRY }}
85+ IMAGE_REGISTRY_PATH : ${{ env.IMAGE_REGISTRY_PATH }}
86+ IMAGE_REGISTRY_USER : ${{ env.IMAGE_REGISTRY_USER }}
87+ REPO_NAME : ${{ env.REPO_NAME }}
88+ run : |
89+ set -euo pipefail # Exit on any error, undefined variables, or pipe failures
90+
91+ echo "Starting Tekton pipeline…"
92+
93+ PIPELINE_RUN=$(tkn pipeline start chains-release \
94+ --serviceaccount=release-right-meow \
95+ --param gitRevision="${GIT_REVISION}" \
96+ --param versionTag="${VERSION_TAG}" \
97+ --param releaseBucket="${RELEASE_BUCKET}" \
98+ --param imageRegistry="${IMAGE_REGISTRY}" \
99+ --param imageRegistryPath="${IMAGE_REGISTRY_PATH}" \
100+ --param imageRegistryUser="${IMAGE_REGISTRY_USER}" \
101+ --param imageRegistryRegions="" \
102+ --param koExtraArgs="" \
103+ --param repoName="${REPO_NAME}" \
104+ --param serviceAccountImagesPath=credentials \
105+ --param releaseAsLatest="true" \
106+ --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
107+ --workspace name=release-secret,secret=release-secret \
108+ --workspace name=release-images-secret,secret=ghcr-creds \
109+ --tasks-timeout 1h \
110+ --pipeline-timeout 2h \
111+ --use-param-defaults \
112+ --output name) || {
113+ echo "Failed to start Tekton pipeline!"
114+ echo "$PIPELINE_RUN"
115+ exit 1
116+ }
117+
118+ echo "Pipeline started: ${PIPELINE_RUN}"
119+ tkn pipelinerun logs "${PIPELINE_RUN}" -f
120+
121+ # Check if pipeline succeeded
122+ tkn pipelinerun describe "${PIPELINE_RUN}" --output jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}' | grep -q "True" || {
123+ echo "Pipeline failed!"
124+ tkn pipelinerun describe "${PIPELINE_RUN}"
125+ exit 1
126+ }
127+
128+ echo "✅ Pipeline Run completed successfully!"
0 commit comments