Envoy/Publish & verify #42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow is triggered by azp currently | |
# Once arm/x64 build jobs are shifted to github, this can be triggered | |
# by on: workflow_run | |
name: Envoy/Publish & verify | |
permissions: | |
contents: read | |
on: | |
workflow_run: | |
workflows: | |
# Workaround issue with PRs not triggering tertiary workflows | |
- Request | |
# - Envoy/Prechecks | |
types: | |
- completed | |
concurrency: | |
group: >- | |
${{ ((github.event.workflow_run.head_branch == 'main' | |
|| startsWith(github.event.workflow_run.head_branch, 'release/v')) | |
&& github.event.repository.full_name == github.repository) | |
&& github.run_id | |
|| github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} | |
cancel-in-progress: true | |
env: | |
CI_DEBUG: ${{ vars.CI_DEBUG }} | |
jobs: | |
load: | |
secrets: | |
app-key: ${{ secrets.ENVOY_CI_APP_KEY }} | |
app-id: ${{ secrets.ENVOY_CI_APP_ID }} | |
permissions: | |
actions: read | |
contents: read | |
packages: read | |
pull-requests: read | |
if: >- | |
${{ github.event.workflow_run.conclusion == 'success' | |
&& (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) }} | |
uses: ./.github/workflows/_load.yml | |
with: | |
check-name: publish | |
# head-sha: ${{ github.sha }} | |
build: | |
permissions: | |
contents: read | |
packages: read | |
secrets: | |
dockerhub-username: >- | |
${{ fromJSON(needs.load.outputs.trusted) | |
&& secrets.DOCKERHUB_USERNAME | |
|| '' }} | |
dockerhub-password: >- | |
${{ fromJSON(needs.load.outputs.trusted) | |
&& secrets.DOCKERHUB_PASSWORD | |
|| '' }} | |
gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} | |
gpg-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_GPG_MAINTAINER_KEY || secrets.ENVOY_GPG_SNAKEOIL_KEY }} | |
gpg-key-password: >- | |
${{ fromJSON(needs.load.outputs.trusted) | |
&& secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD | |
|| secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} | |
if: ${{ fromJSON(needs.load.outputs.request).run.publish || fromJSON(needs.load.outputs.request).run.verify }} | |
needs: | |
- load | |
uses: ./.github/workflows/_publish_build.yml | |
name: Build | |
with: | |
gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} | |
request: ${{ needs.load.outputs.request }} | |
trusted: ${{ fromJSON(needs.load.outputs.trusted) }} | |
publish: | |
secrets: | |
ENVOY_CI_SYNC_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_ID || '' }} | |
ENVOY_CI_SYNC_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_KEY || '' }} | |
ENVOY_CI_PUBLISH_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }} | |
ENVOY_CI_PUBLISH_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }} | |
gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} | |
permissions: | |
contents: read | |
packages: read | |
if: ${{ fromJSON(needs.load.outputs.request).run.publish }} | |
needs: | |
- load | |
- build | |
uses: ./.github/workflows/_publish_publish.yml | |
name: Publish | |
with: | |
gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} | |
request: ${{ needs.load.outputs.request }} | |
trusted: ${{ fromJSON(needs.load.outputs.trusted) }} | |
verify: | |
secrets: | |
gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} | |
permissions: | |
contents: read | |
packages: read | |
if: ${{ fromJSON(needs.load.outputs.request).run.verify }} | |
needs: | |
- load | |
- build | |
uses: ./.github/workflows/_publish_verify.yml | |
name: Verify | |
with: | |
gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} | |
request: ${{ needs.load.outputs.request }} | |
trusted: ${{ fromJSON(needs.load.outputs.trusted) }} | |
request: | |
secrets: | |
app-id: ${{ secrets.ENVOY_CI_APP_ID }} | |
app-key: ${{ secrets.ENVOY_CI_APP_KEY }} | |
permissions: | |
actions: read | |
contents: read | |
pull-requests: read | |
if: >- | |
${{ always() | |
&& (fromJSON(needs.load.outputs.request).run.publish | |
|| fromJSON(needs.load.outputs.request).run.verify) }} | |
needs: | |
- load | |
- build | |
- publish | |
- verify | |
uses: ./.github/workflows/_finish.yml | |
with: | |
needs: ${{ toJSON(needs) }} |