pr_release_artifacts.yml
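# Pre-release artifact workflow.
#
# Manual dispatch (cleanup=false, the default) builds the release artifacts for
# the dispatched commit and posts the artifact link as a comment on the PR the
# commit belongs to. The weekly schedule, or a dispatch with cleanup=true,
# instead prunes artifact directories older than CLEANUP_AFTER_DAYS from S3.
name: pr release artifacts

on:
  schedule:
    # Thursdays at 15:00 UTC. Only cleanup-artifacts has a condition that
    # matches this event.
    - cron: '0 15 * * 4'
  workflow_dispatch:
    inputs:
      cleanup:
        description: Run cleanup instead of creating artifacts
        required: false
        type: boolean
        default: false

jobs:
  nix-build:
    # NOTE(review): this reusable workflow has no condition, so it also runs on
    # the scheduled cleanup trigger where no job consumes its result.
    uses: ./.github/workflows/nix_build.yml
    secrets:
      GITHUB_TOKEN_IN: ${{ secrets.GITHUB_TOKEN_IN }}
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

  create-release-artifacts:
    name: Create release artifacts for PR
    # A boolean workflow_dispatch input is exposed under github.event.inputs as
    # the string 'true'/'false'; the string comparison is intentional.
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.cleanup == 'false'
    runs-on: ubuntu-24.04
    needs: nix-build
    permissions:
      pull-requests: write  # PR comment step
      issues: write         # PR comment step
      contents: read
      packages: write       # container push to ghcr.io
      id-token: write       # presumably OIDC inside release_artifacts — verify against that action
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          # The checked-out tree is only read (version.txt); no git push happens
          # from this job, so the token is not left in .git/config.
          persist-credentials: false

      - uses: ./.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Log in to ghcr.io Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get pre-release version
        id: get-version
        # version.txt of the dispatched ref becomes the `version` output.
        run: |
          echo "version=$(cat version.txt)" | tee -a "$GITHUB_OUTPUT"

      - name: Configure git
        # Identity used for any commits/tags made by the release_artifacts
        # action below (the action itself is not visible here).
        run: |
          git config --global user.name "edgelessci"
          git config --global user.email "edgelessci@users.noreply.github.com"

      - name: Create release artifacts
        id: create-artifacts
        uses: ./.github/actions/release_artifacts
        with:
          version: ${{ steps.get-version.outputs.version }}
          container_registry: ghcr.io/edgelesssys
          # Must match S3_BUCKET_PATH in the cleanup-artifacts job, otherwise
          # the weekly cleanup never sees these uploads.
          s3-bucket-path: "pr-artifacts"

      - name: Get PR number
        id: get-pr-number
        # Every expression, including the token, is passed through env instead
        # of being interpolated into the script text; the script body then
        # contains no secret and no workflow expression.
        env:
          COMMIT_SHA: ${{ github.sha }}
          REPO: ${{ github.repository }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          prs=$(
            curl -fsSL \
              -H "Accept: application/vnd.github+json" \
              -H "Authorization: token ${GH_TOKEN}" \
              "https://api.github.com/repos/${REPO}/commits/${COMMIT_SHA}/pulls"
          )
          # Empty when the commit belongs to no PR; the comment step below is
          # skipped in that case.
          pr=$(echo "$prs" | jq -r '.[0]?.number // ""')
          echo "pr_number=$pr" | tee -a "$GITHUB_OUTPUT"

      - name: Create PR comment with artifact links
        if: ${{ steps.get-pr-number.outputs.pr_number != '' }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          issue-number: ${{ steps.get-pr-number.outputs.pr_number }}
          body: |
            ### Pre-release artifacts on ${{ github.sha }}

            The pre-release artifacts for this commit are available at the following link:
            ${{ steps.create-artifacts.outputs.s3-bucket-url }}

            Created by @${{ github.actor }} in [pr_release_artifacts workflow](
            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}?pr=${{ steps.get-pr-number.outputs.pr_number }}
            ).

  cleanup-artifacts:
    name: Cleanup artifacts
    if: |
      github.event_name == 'schedule' ||
      (github.event_name == 'workflow_dispatch' && github.event.inputs.cleanup == 'true')
    runs-on: ubuntu-24.04
    # Least privilege: the job never checks out or writes repository content;
    # the only token it needs is the OIDC token for the AWS role assumption.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: AWS login (IAM role)
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          role-to-assume: arn:aws:iam::795746500882:role/ContrastPublicBucketRW
          aws-region: eu-central-1

      - name: Delete pre-release artifacts from S3 bucket contrast-public
        env:
          S3_BUCKET: contrast-public
          # Must match the s3-bucket-path input of the create-release-artifacts job.
          S3_BUCKET_PATH: "pr-artifacts"
          # Artifact directories older than this many days are deleted.
          CLEANUP_AFTER_DAYS: "20"
        run: |
          set -euo pipefail

          echo "Listing directories in S3 bucket ${S3_BUCKET}/${S3_BUCKET_PATH}..."
          # The listing is captured on its own (not inside the filter pipeline)
          # so its exit status is visible. `aws s3 ls` exits 1 when nothing
          # matches the prefix, which is the legitimate "empty" case; anything
          # above 1 (credentials, permissions, service errors) must not be
          # mistaken for an empty bucket and silently turn into exit 0.
          rc=0
          listing=$(aws s3 ls --recursive "s3://${S3_BUCKET}/${S3_BUCKET_PATH}/") || rc=$?
          if (( rc > 1 )); then
            echo "Listing S3 bucket ${S3_BUCKET}/${S3_BUCKET_PATH} failed with exit code ${rc}."
            exit "$rc"
          fi

          # Keys have the form <S3_BUCKET_PATH>/<unix-timestamp>/...; the fourth
          # column of `aws s3 ls` is the key, its second path element the
          # per-run directory.
          dirs=$(
            echo "$listing" |
              awk '{print $4}' |
              cut -d/ -f2 |
              sort -u
          )
          if [[ -z "$dirs" ]]; then
            echo "No directories found in S3 bucket."
            exit 0
          fi
          echo "Existing directories in S3 bucket ${S3_BUCKET}/${S3_BUCKET_PATH}:"
          echo "$dirs"

          now=$(date +%s)
          cleanup_after_seconds=$((CLEANUP_AFTER_DAYS * 24 * 60 * 60))
          exit_code=0
          for dir in $dirs; do
            # Only timestamp-named directories are ever deleted; anything else
            # is reported and fails the step once the loop is done.
            if ! [[ "$dir" =~ ^[0-9]+$ ]]; then
              echo "Expected directory name to be a timestamp, but got '$dir'. Skipping..."
              exit_code=1
              continue
            fi
            # 10# forces decimal so a leading zero is not parsed as octal.
            if (( now - 10#$dir > cleanup_after_seconds )); then
              echo "Deleting directory $dir from S3 bucket ${S3_BUCKET}/${S3_BUCKET_PATH}..."
              aws s3 rm --recursive "s3://${S3_BUCKET}/${S3_BUCKET_PATH}/$dir/" || {
                echo "Failed to delete directory $dir from S3 bucket."
                exit_code=1
              }
            else
              echo "Skipping directory $dir, younger than ${CLEANUP_AFTER_DAYS} days."
            fi
          done
          exit "$exit_code"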