
bug: use SHA256 in alm-example (#1249) #179

bug: use SHA256 in alm-example (#1249)

bug: use SHA256 in alm-example (#1249) #179


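name: Docker, Helm and OCP CI
on:
  push:
    branches:
      - "master"
      - "v*.x"
    tags:
      - "v*"

# Every push / PR below is done with the explicit PAT in
# secrets.GH_TOKEN_NVIDIA_CI_CD (checkout token + GH_TOKEN), so the job-scoped
# GITHUB_TOKEN appears to need nothing beyond read access to the repository.
permissions:
  contents: read

# note: various environment variable names are set to match expectation from the Makefile; do not change without comparing
env:
  DEFAULT_BRANCH: master
  REGISTRY: nvcr.io/nvstaging/mellanox
  IMAGE_NAME: network-operator

# An explicit `shell: bash` runs each step with `-o pipefail` (the implicit
# default is plain `bash -e`), so a failing producer in a pipeline such as
# `skopeo inspect … | jq` fails the step instead of being masked by its consumer.
defaults:
  run:
    shell: bash

jobs:
  docker-build-push:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): consider pinning third-party actions to a full commit SHA
      # instead of a moving major tag, so a re-pointed tag cannot change what runs here.
      - uses: actions/checkout@v4
      - name: Determine docker tags
        # Ref-derived values are handed to the script through env, not expanded
        # with ${{ }} inside it, so a ref name with shell metacharacters stays data.
        env:
          GIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }}
          LATEST: ${{ github.ref_name == env.DEFAULT_BRANCH && 'latest' || '' }}
        run: |
          git_sha=$(git rev-parse --short HEAD)  # short git commit hash
          # GIT_TAG is the git tag if triggered by a tag event, LATEST is 'latest'
          # if the branch is master; either may be empty.
          echo "DOCKER_TAGS=$git_sha $GIT_TAG $LATEST" | tee -a "$GITHUB_ENV"
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.NVCR_USERNAME }}
          password: ${{ secrets.NVCR_TOKEN }}
      - name: Make build and push
        env:
          TAG: mellanox/${{ env.IMAGE_NAME }}
        run: |
          echo "Docker tags will be: $DOCKER_TAGS"
          for docker_tag in $DOCKER_TAGS; do
            make VERSION="$docker_tag" image-build-multiarch image-push-multiarch
          done
    outputs:
      default_branch: ${{ env.DEFAULT_BRANCH }}  # we output this here, to use in the following job's conditioning (due to github actions environment variable scope limitations).

  helm-package-publish:
    # `if:` is already evaluated as an expression, so the job output is referenced
    # directly rather than spliced in with a nested ${{ }}.
    if: github.ref_type == 'tag' || github.ref_name == needs.docker-build-push.outputs.default_branch
    needs:
      - docker-build-push
    runs-on: ubuntu-latest
    env:
      NGC_REPO: nvstaging/mellanox/network-operator
    steps:
      - uses: actions/checkout@v4
      - name: NGC setup and authentication
        env:
          NGC_CLI_VERSION: "3.41.4"
          # The token reaches the CLI via the environment instead of being
          # expanded into the script text.
          NVCR_TOKEN: ${{ secrets.NVCR_TOKEN }}
        run: |
          # TODO(review): verify ngccli_linux.zip against the checksum published
          # for this CLI version (<EXPECTED_SHA256> placeholder) before unpacking it.
          wget \
            --no-verbose \
            --content-disposition \
            -O ngccli_linux.zip \
            "https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGC_CLI_VERSION}/files/ngccli_linux.zip"
          unzip -q ngccli_linux.zip
          echo "./ngc-cli" >> "$GITHUB_PATH"
          # Answers to the interactive `config set` prompts: API key, output
          # format, org, team, ace.
          ngc-cli/ngc config set <<EOF
          $NVCR_TOKEN
          json
          nvstaging
          mellanox
          no-ace
          EOF
      - name: Make package and push (`current_version+git_sha` as chart version)
        run: |
          git_sha=$(git rev-parse --short HEAD)  # short git commit hash
          current_chart_version=$(yq '.version' deployment/network-operator/Chart.yaml)
          APP_VERSION="$git_sha" VERSION="$current_chart_version-$git_sha" make chart-build chart-push
      - name: Make package and push (`git_tag` as chart version)
        if: github.ref_type == 'tag'
        env:
          GIT_TAG: ${{ github.ref_name }}
        run: |
          APP_VERSION="$GIT_TAG" VERSION="${GIT_TAG:1}" make chart-build chart-push  # VERSION has the 'v' prefix removed

  ocp-bundle:
    needs:
      - docker-build-push
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }}
      DOWNSTREAM_REPO_OWNER: nvidia-ci-cd
      UPSTREAM_REPO_OWNER: redhat-openshift-ecosystem
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }}  # token must be explicitly set here for push to work in following step
      - name: Set is_push flag
        id: set-is-push
        # is_push is "false" exactly for a pushed tag and "true" otherwise, i.e.
        # it distinguishes release-tag runs from branch runs.
        run: |
          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then
            echo "is_push=false" >> "$GITHUB_ENV"
          else
            echo "is_push=true" >> "$GITHUB_ENV"
          fi
      - name: Determine version, tag, and base branch - Process based on is_push flag
        env:
          GIT_TAG: ${{ github.ref_name }}
        run: |
          if [[ "$is_push" == "true" ]]; then
            echo "Setting VERSION_WITH_PREFIX to git commit hash."
            VERSION_WITH_PREFIX=$(git rev-parse --short HEAD)
            echo "VERSION_WITH_PREFIX=$VERSION_WITH_PREFIX" >> "$GITHUB_ENV"
          else
            echo "VERSION_WITH_PREFIX=$GIT_TAG" >> "$GITHUB_ENV"
            echo "VERSION_WITHOUT_PREFIX=${GIT_TAG:1}" >> "$GITHUB_ENV"  # without the 'v' prefix
            # Beta tags are based on the default branch, GA tags on their vX.Y.x branch.
            if echo "$GIT_TAG" | grep -q beta; then
              base_branch=$DEFAULT_BRANCH
            else
              v_major_minor=$(echo "$GIT_TAG" | grep -Eo '^v[0-9]+\.[0-9]+')
              base_branch=$v_major_minor.x
            fi
            echo "BASE_BRANCH=$base_branch" >> "$GITHUB_ENV"
          fi
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.NVCR_USERNAME }}
          password: ${{ secrets.NVCR_TOKEN }}
      - name: Lookup image digest
        run: |
          if [[ "$is_push" == "false" && "$VERSION_WITH_PREFIX" != *-* ]]; then
            IMAGE_REGISTRY="nvcr.io/nvidia/cloud-native"  # GA release
          else
            IMAGE_REGISTRY=$REGISTRY
          fi
          network_operator_digest=$(skopeo inspect "docker://$IMAGE_REGISTRY/$IMAGE_NAME:$VERSION_WITH_PREFIX" | jq -r .Digest)
          # The bundle pins the operator image by this digest (see TAG in the next
          # step), so require a well-formed sha256 digest rather than just a
          # non-empty word: `jq -r` prints the literal "null" for a missing field.
          if [[ ! "$network_operator_digest" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::unexpected digest for $IMAGE_REGISTRY/$IMAGE_NAME:$VERSION_WITH_PREFIX: '$network_operator_digest'"
            exit 1
          fi
          echo "NETWORK_OPERATOR_DIGEST=$network_operator_digest" >> "$GITHUB_ENV"
          echo "IMAGE_REGISTRY=$IMAGE_REGISTRY" >> "$GITHUB_ENV"
      - name: Make bundle
        env:
          TAG: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.NETWORK_OPERATOR_DIGEST }}
          BUNDLE_IMG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-bundle:${{ env.VERSION_WITH_PREFIX }}
          NGC_CLI_API_KEY: ${{ secrets.NVCR_TOKEN }}
        run: |
          # Values written to GITHUB_ENV earlier are plain shell variables here.
          if [[ "$is_push" == "false" ]]; then
            export VERSION=$VERSION_WITHOUT_PREFIX
            version_major_minor=$(echo "$VERSION_WITH_PREFIX" | grep -Eo 'v[0-9]+\.[0-9]+')
            export CHANNELS=stable,$version_major_minor
            export DEFAULT_CHANNEL=$version_major_minor
          else
            export DEFAULT_CHANNEL=v1.1  # hard coded
            export CHANNELS=stable,v1.1  # hard coded
            export VERSION=1.1.0-$VERSION_WITH_PREFIX  # using the commit hash
          fi
          make bundle bundle-build bundle-push
          if [[ "$is_push" == "true" ]]; then
            export BUNDLE_IMG=$REGISTRY/$IMAGE_NAME-bundle:latest  # hard coded
            make bundle-build bundle-push
          fi
      - name: Create PR with bundle to Network Operator
        if: github.ref_type == 'tag'
        env:
          FEATURE_BRANCH: update-ocp-bundle-to-${{ env.VERSION_WITH_PREFIX }}
        run: |
          git config user.name nvidia-ci-cd
          git config user.email [email protected]
          git checkout -b "$FEATURE_BRANCH"
          git status
          git add bundle
          git add bundle.Dockerfile
          git commit -sm "task: update bundle to $VERSION_WITH_PREFIX"
          git push -u origin "$FEATURE_BRANCH"
          gh pr create \
            --head "$FEATURE_BRANCH" \
            --base "$BASE_BRANCH" \
            --title "task: update bundle to $VERSION_WITH_PREFIX" \
            --body "Created by the *${{ github.job }}* job in [${{ github.repository }} OCP bundle CI](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
      - name: Determine if to send bundle to RedHat
        if: github.ref_type == 'tag'
        env:
          GIT_TAG: ${{ github.ref_name }}
        run: |
          # Only plain vX.Y.Z tags are sent; pre-release tags (e.g. a -beta suffix)
          # are not. The dots are escaped so they match literally.
          if echo "$GIT_TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "SEND_BUNDLE_TO_REDHAT=true" >> "$GITHUB_ENV"
          else
            echo "SEND_BUNDLE_TO_REDHAT=false" >> "$GITHUB_ENV"
          fi
      - if: ${{ github.ref_type == 'tag' && env.SEND_BUNDLE_TO_REDHAT == 'true' }}
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }}  # token must be explicitly set here for push to work in following step
          repository: ${{ env.UPSTREAM_REPO_OWNER }}/certified-operators
          path: certified-operators
      - if: ${{ github.ref_type == 'tag' && env.SEND_BUNDLE_TO_REDHAT == 'true' }}
        name: Create PR with bundle to RedHat
        env:
          UPSTREAM_DEFAULT_BRANCH: main
          FEATURE_BRANCH: network-operator-bundle-${{ env.VERSION_WITHOUT_PREFIX }}
          NEW_BUNDLE_DIR: operators/nvidia-network-operator/${{ env.VERSION_WITHOUT_PREFIX }}
        run: |
          pushd certified-operators
          git config user.name nvidia-ci-cd
          git config user.email [email protected]
          gh repo fork --remote --default-branch-only
          gh repo sync "$DOWNSTREAM_REPO_OWNER/certified-operators" --source "$UPSTREAM_REPO_OWNER/certified-operators" --branch "$UPSTREAM_DEFAULT_BRANCH"
          git checkout -b "$FEATURE_BRANCH"
          mkdir -p "$NEW_BUNDLE_DIR"
          cp -r ../bundle/* "$NEW_BUNDLE_DIR"
          git add "$NEW_BUNDLE_DIR"
          git commit -sm "operator nvidia-network-operator ($VERSION_WITHOUT_PREFIX)"
          git push -u origin "$FEATURE_BRANCH"
          gh pr create \
            --head "$DOWNSTREAM_REPO_OWNER:$FEATURE_BRANCH" \
            --base "$UPSTREAM_DEFAULT_BRANCH" \
            --fill \
            --body "Created by the *${{ github.job }}* job in [${{ github.repository }} CI](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
          popd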