Skip to content

Commit 2e5f961

Browse files
fix: add GHA based nightly workflow for chains (#1634)
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
1 parent 12e6db0 commit 2e5f961

5 files changed

Lines changed: 140 additions & 5 deletions

File tree

.github/workflows/chatops_retest.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,4 +12,4 @@ jobs:
1212
retest:
1313
name: Rerun Failed Actions
1414
uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@48c53b4e7f1e0bb206575b80eb9fcf07b5854907 # main
15-
secrets: inherit
15+
secrets: inherit # zizmor: ignore[secrets-inherit]

.github/workflows/ci.yaml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,17 +25,22 @@ jobs:
2525
steps:
2626
- name: Get base depth
2727
id: base-depth
28-
run: echo "base-depth=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_OUTPUT
28+
env:
29+
PR_COMMITS: ${{ github.event.pull_request.commits }}
30+
run: echo "base-depth=$(expr ${PR_COMMITS} + 1)" >> $GITHUB_OUTPUT
2931
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3032
with:
3133
ref: ${{ github.event.pull_request.head.sha }}
3234
fetch-depth: ${{ steps.base-depth.outputs.base-depth }}
3335
persist-credentials: false
3436
- name: detect
3537
id: detect
38+
env:
39+
BASE_SHA: ${{ github.event.pull_request.base.sha }}
40+
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
3641
run: |
3742
git fetch origin ${GITHUB_BASE_REF}
38-
CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n')
43+
CHANGED_FILES=$(git diff --name-only ${BASE_SHA}...${HEAD_SHA} | tr ' ' '\n')
3944
4045
echo -e "Changed files:\n${CHANGED_FILES}"
4146
Lines changed: 128 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,128 @@
1+
name: Tekton Chains Nightly Build
2+
3+
permissions:
4+
contents: read
5+
6+
concurrency:
7+
group: ${{ github.workflow }}
8+
cancel-in-progress: false
9+
10+
'on':
11+
schedule:
12+
# Run at 03:00 UTC daily
13+
- cron: "0 3 * * *"
14+
workflow_dispatch:
15+
inputs:
16+
kubernetes_version:
17+
description: 'Kubernetes version to test with'
18+
required: false
19+
nightly_bucket:
20+
description: 'Nightly bucket for builds'
21+
required: false
22+
23+
env:
24+
KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.x' }}
25+
REGISTRY: ghcr.io
26+
BUCKET: ${{ inputs.nightly_bucket || 'tekton-nightly' }}
27+
IMAGE_REGISTRY_PATH: ${{ github.repository }}
28+
IMAGE_REGISTRY_USER: tekton-robot
29+
REPO_NAME: ${{ github.event.repository.name }}
30+
31+
jobs:
32+
build:
33+
name: Nightly Build
34+
runs-on: ubuntu-24.04
35+
if: github.repository_owner == 'tektoncd' # do not run this elsewhere
36+
37+
permissions:
38+
contents: read
39+
packages: write # to push container images to ghcr.io
40+
id-token: write # to mint OIDC tokens for keyless signing
41+
42+
steps:
43+
# - name: Harden runner
44+
# uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
45+
# with:
46+
# egress-policy: audit
47+
48+
- name: Checkout repository
49+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
50+
with:
51+
fetch-depth: 0
52+
persist-credentials: false
53+
54+
- name: Generate version info
55+
id: version
56+
env:
57+
GITHUB_SHA: ${{ github.sha }}
58+
run: |
59+
date_tag=$(date +v%Y%m%d-${GITHUB_SHA:0:10})
60+
echo "version_tag=${date_tag}" >> "$GITHUB_OUTPUT"
61+
echo "latest_sha=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
62+
63+
- name: Setup Tekton Nightly Infra
64+
uses: tektoncd/plumbing/.github/actions/setup-nightly-infra@c4d1d3e6b8e8ac398636f75aef0faf50784a5ca7 # main
65+
with:
66+
kubernetes_version: ${{ env.KUBERNETES_VERSION }}
67+
image_registry_user: ${{ env.IMAGE_REGISTRY_USER }}
68+
ghcr_token: ${{ secrets.GHCR_TOKEN }}
69+
oci_api_key: ${{ secrets.OCI_API_KEY }}
70+
oci_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
71+
oci_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
72+
oci_user_ocid: ${{ secrets.OCI_USER_OCID }}
73+
oci_region: ${{ secrets.OCI_REGION }}
74+
75+
- name: Apply Build Pipeline Definition
76+
run: |
77+
kustomize build release | kubectl apply -f -
78+
79+
- name: Start Tekton Build Pipeline
80+
env:
81+
GIT_REVISION: ${{ steps.version.outputs.latest_sha }}
82+
VERSION_TAG: ${{ steps.version.outputs.version_tag }}
83+
RELEASE_BUCKET: ${{ env.BUCKET }}
84+
IMAGE_REGISTRY: ${{ env.REGISTRY }}
85+
IMAGE_REGISTRY_PATH: ${{ env.IMAGE_REGISTRY_PATH }}
86+
IMAGE_REGISTRY_USER: ${{ env.IMAGE_REGISTRY_USER }}
87+
REPO_NAME: ${{ env.REPO_NAME }}
88+
run: |
89+
set -euo pipefail # Exit on any error, undefined variables, or pipe failures
90+
91+
echo "Starting Tekton pipeline…"
92+
93+
PIPELINE_RUN=$(tkn pipeline start chains-release \
94+
--serviceaccount=release-right-meow \
95+
--param gitRevision="${GIT_REVISION}" \
96+
--param versionTag="${VERSION_TAG}" \
97+
--param releaseBucket="${RELEASE_BUCKET}" \
98+
--param imageRegistry="${IMAGE_REGISTRY}" \
99+
--param imageRegistryPath="${IMAGE_REGISTRY_PATH}" \
100+
--param imageRegistryUser="${IMAGE_REGISTRY_USER}" \
101+
--param imageRegistryRegions="" \
102+
--param koExtraArgs="" \
103+
--param repoName="${REPO_NAME}" \
104+
--param serviceAccountImagesPath=credentials \
105+
--param releaseAsLatest="true" \
106+
--workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
107+
--workspace name=release-secret,secret=release-secret \
108+
--workspace name=release-images-secret,secret=ghcr-creds \
109+
--tasks-timeout 1h \
110+
--pipeline-timeout 2h \
111+
--use-param-defaults \
112+
--output name) || {
113+
echo "Failed to start Tekton pipeline!"
114+
echo "$PIPELINE_RUN"
115+
exit 1
116+
}
117+
118+
echo "Pipeline started: ${PIPELINE_RUN}"
119+
tkn pipelinerun logs "${PIPELINE_RUN}" -f
120+
121+
# Check if pipeline succeeded
122+
tkn pipelinerun describe "${PIPELINE_RUN}" --output jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}' | grep -q "True" || {
123+
echo "Pipeline failed!"
124+
tkn pipelinerun describe "${PIPELINE_RUN}"
125+
exit 1
126+
}
127+
128+
echo "✅ Pipeline Run completed successfully!"

.github/workflows/slash.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,4 +14,4 @@ jobs:
1414
issues: write # for peter-evans/slash-command-dispatch to create issue reaction
1515
pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
1616
uses: tektoncd/plumbing/.github/workflows/_slash.yml@5fcd73e7a60655e2cc717015e91be844523ab8f1 # main
17-
secrets: inherit
17+
secrets: inherit # zizmor: ignore[secrets-inherit]

.github/workflows/test-on-microshift.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,8 @@ jobs:
4848
4949
- name: Install Tekton Chains and Run e2e tests
5050
working-directory: ${{ github.workspace }}/src/github.com/tektoncd/chains
51+
env:
52+
WORKSPACE: ${{ github.workspace }}
5153

5254
run: |
5355
echo -e "\n************************ Install openshift client ************************\n"
@@ -67,4 +69,4 @@ jobs:
6769
6870
export KUBECONFIG=$HOME/.kube/config
6971
70-
source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh
72+
source ${WORKSPACE}/src/github.com/tektoncd/chains/test/microshift_test.sh

0 commit comments

Comments
 (0)