Run tag_image_push workflows during PR builder [DI-315]
#813
Conversation
The `tag_image_push` workflows are triggered _only_ with a release, which means that any changes are not able to be tested. Using a `DRY_RUN` mode we can execute the workflow as a non-destructive sanity check, _without_ making any publicly observable changes. Changes: - Add execution of `tag_image_push` workflows (in `DRY_RUN` mode) to PR builder - Add `DRY_RUN` mode to `tag_image_push_rhel` workflow - Extend `tag_image_push` workflow's `DRY_RUN` parameter by also skipping Dockerhub description/readme updates - Support calling `tag_image_push` workflows from other workflows via `workflow_call` ([require duplication of parameters](https://github.com/orgs/community/discussions/39357)) - Invert `DRY_RUN` check so that it _only_ runs if it's `false` (previously - ran always unless `true`) as a safety net for bad inputs (e.g. ``!)
It was done on purpose to avoid backward incompatibility here:
If you change the default value of |
👍 |
JackPGreen
changed the title
tag_image_push workflows during PR buildertag_image_push workflows during PR builder [DI-315]
|
Is this in relation to discussion we had to reduce Docker image testing during release? BTW...JIRA needs parent, SP and description |
Partially, but it's primarily to give test coverage for: |
|
@ldziedziul are you able to take a look at this, please? |
| HZ_VERSION: ${{ needs.prepare.outputs.LAST_RELEASED_HZ_VERSION_OSS }} | ||
| RELEASE_VERSION: ${{ needs.prepare.outputs.LAST_RELEASED_HZ_VERSION_OSS }} | ||
| DRY_RUN: true | ||
| secrets: inherit |
There was a problem hiding this comment.
I'm concerned that we pass all the secrets needed to do the actual push to the prod registry. What if one creates a PR and modifies tag_image_push.yml that DRY_RUN is not working anymore? We would end up with pushing broken image to prod.
WDYT about passing here secrets explicitly and only the ones that are used for read-only operations?
There was a problem hiding this comment.
WDYT about passing here secrets explicitly and only the ones that are used for read-only operations?
I was trying to avoid a change to the push action necessitating a change to build-pr as well, but I can see your concern.
However, if they are passed explicitly, how are they accessed in the workflow? AFAIK with the with syntax it passes them as environment variables, so the ${{ secrets.MY_CRED }} would fail if MY_CRED was instead an environment variable?
There was a problem hiding this comment.
There's also secrets section. Check the first example https://docs.github.com/en/enterprise-cloud@latest/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow:
jobs:
call-workflow-passing-data:
uses: octo-org/example-repo/.github/workflows/reusable-workflow.yml@main
with:
config-path: .github/labeler.yml
secrets:
personal_access_token: ${{ secrets.token }}
There was a problem hiding this comment.
I've tried in f1f1a3f
However the RHEL push needs the credentials for pushing, but also the preflight etc stuff we actually want to test, so it's still inherit.
The
tag_image_pushworkflows are triggered only with a release, which means that any changes are not able to be tested.Using a
DRY_RUNmode we can execute the workflow as a non-destructive sanity check, without making any publicly observable changes.Changes:
tag_image_pushworkflows (inDRY_RUNmode) to PR builderDRY_RUNmode totag_image_push_rhelworkflowtag_image_pushworkflow'sDRY_RUNparameter by also skipping Dockerhub description/readme updatestag_image_pushworkflows from other workflows viaworkflow_call(requires duplication of parameters)inputs(github.event.inputs->inputs) to supportworkflow_callexecutionsFixes: DI-315
Post-merge actions: