Build & Push Fetch-Repos Bot Runner image (Kaniko) #43
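# Build the Fetch-Repos bot runner image with Kaniko on a self-hosted runner,
# push it to GHCR, and open a PR that bumps the image tag in values.yaml.
#
# Publishing (registry push + tag-bump PR) happens only for push and
# workflow_dispatch events. pull_request builds are verify-only, so an
# unreviewed Dockerfile change in a PR can never land in the registry or
# in a bump PR.
name: Build & Push Fetch-Repos Bot Runner image (Kaniko)

on:
  push:
    paths:
      - 'robot.yaml'
      - 'conda.yaml'
      - 'repos/fetch-repos/Dockerfile'
  pull_request:
    paths:
      - 'robot.yaml'
      - 'conda.yaml'
      - 'repos/fetch-repos/Dockerfile'
  workflow_dispatch:

env:
  KANIKO_CACHE_ARGS: "--cache=true --cache-copy-layers=true --cache-ttl=24h"

# One build per ref; a newer push supersedes an in-flight build of the same ref.
concurrency:
  group: kaniko-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-to-ghcr:
    runs-on: fetch-repos-bot-runner-k8s-kaniko  # self-hosted label
    permissions:
      # create-pull-request authenticates with GITHUB_TOKEN below; with only
      # contents: read it cannot push the bump branch or open the PR.
      contents: write
      packages: write        # push to GHCR
      pull-requests: write   # open/update the tag-bump PR
    steps:
      - name: Checkout repository
        # NOTE(review): the exact action ref was lost to e-mail obfuscation in
        # the rendered source ("[email protected]"); restore it, ideally pinned
        # to a full commit SHA rather than a moving tag.
        uses: actions/checkout@v4

      - name: Build (and push) with Kaniko
        env:
          # GIT_USERNAME/GIT_PASSWORD are also the variables Kaniko reads to
          # authenticate a git:// build context, so they serve both the clone
          # and the GHCR login below.
          # NOTE(review): this job already holds packages: write, so
          # secrets.GITHUB_TOKEN may be sufficient for GHCR if the package is
          # linked to this repository — confirm before dropping the PAT.
          GIT_USERNAME: ${{ github.actor }}
          GIT_PASSWORD: ${{ secrets.CR_PAT }}
          # Expression values are passed via env instead of being interpolated
          # into the script body, so a crafted owner/ref can never become shell
          # syntax inside `run:`.
          REPO_OWNER: ${{ github.repository_owner }}
          REPOSITORY_URL: ${{ github.repositoryUrl }}
          KANIKO_CONFIG_DIR: ${{ runner.temp }}/kaniko/.docker
        run: |
          set -euo pipefail

          REPO_OWNER_LC=$(printf '%s' "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')
          IMAGE_BASE="ghcr.io/${REPO_OWNER_LC}/fetch-repos-bot-runner"
          CACHE_IMG="ghcr.io/${REPO_OWNER_LC}/fetch-repos-bot-runner-cache"
          SHORT_SHA="${GITHUB_SHA:0:7}"

          # Registry credentials exist only for this step: owner-only file
          # mode, and removed on exit (success or failure) so they do not
          # linger in the runner's temp directory.
          mkdir -p "$KANIKO_CONFIG_DIR"
          trap 'rm -rf "$KANIKO_CONFIG_DIR"' EXIT
          (
            umask 077
            printf '{ "auths": { "ghcr.io": { "auth": "%s" } } }\n' \
              "$(printf '%s' "$GIT_USERNAME:$GIT_PASSWORD" | base64 -w0)" \
              >"$KANIKO_CONFIG_DIR/config.json"
          )

          # PR builds must not publish: no destination, no push. (Cache layers
          # may still be written to --cache-repo; add --no-push-cache here if
          # your Kaniko version supports it.)
          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            PUSH_ARGS="--no-push"
          else
            PUSH_ARGS="--destination=${IMAGE_BASE}:${SHORT_SHA} --push-retry=5"
          fi

          # Kaniko git context is "<url>#<ref>#<sha>". On a pull_request event
          # GITHUB_REF is refs/pull/N/merge — NOTE(review): confirm Kaniko can
          # resolve that ref; otherwise point --context at the checkout above
          # (dir://$GITHUB_WORKSPACE) and drop the second clone.
          # shellcheck disable=SC2086  # *_ARGS are intentionally word-split
          /kaniko/executor \
            --dockerfile="repos/fetch-repos/Dockerfile" \
            --context="${REPOSITORY_URL}#${GITHUB_REF}#${GITHUB_SHA}" \
            ${KANIKO_CACHE_ARGS} \
            --cache-repo="${CACHE_IMG}" \
            --docker-config="$KANIKO_CONFIG_DIR" \
            ${PUSH_ARGS}

          {
            echo "IMAGE_BASE=${IMAGE_BASE}"
            echo "SHORT_SHA=${SHORT_SHA}"
          } >>"$GITHUB_ENV"

      - name: Set NEW_TAG output
        id: set_tag
        if: github.event_name != 'pull_request'
        run: echo "NEW_TAG=${IMAGE_BASE}:${SHORT_SHA}" >>"$GITHUB_OUTPUT"

      - name: Update values.yaml
        if: github.event_name != 'pull_request'
        env:
          NEW_TAG: ${{ steps.set_tag.outputs.NEW_TAG }}
        # NOTE(review): the yq action ref was lost to e-mail obfuscation in the
        # rendered source ("[email protected]"); restore it and pin to a commit SHA.
        uses: mikefarah/yq@v4
        with:
          cmd: |
            echo "Updating repos/fetch-repos/values.yaml → $NEW_TAG"
            yq -i '.template.spec.containers[0].image = strenv(NEW_TAG)' repos/fetch-repos/values.yaml

      - name: Create or update tag-bump PR
        if: github.event_name != 'pull_request'
        uses: peter-evans/create-pull-request@v7
        with:
          # A PR opened with GITHUB_TOKEN does not trigger other workflows on
          # the bump branch; switch to a GitHub App token or PAT if CI must run.
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: chore/update-runner-image
          commit-message: "chore: update runner image tag to ${{ steps.set_tag.outputs.NEW_TAG }}"
          title: "chore: bump runner image → ${{ steps.set_tag.outputs.NEW_TAG }}"
          body: |
            Automated build updated:
            • repos/fetch-repos/values.yaml
          reviewers: joshyorko
          draft: false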