| 1 | +name: Tekton Nightly Build |
| 2 | + |
| 3 | +"on": |
| 4 | + schedule: |
| 5 | + # Run at 03:00 UTC daily |
| 6 | + - cron: "0 3 * * *" |
| 7 | + workflow_dispatch: |
| 8 | + inputs: |
| 9 | + kubernetes_version: |
| 10 | + description: 'Kubernetes version to test with' |
| 11 | + required: false |
| 12 | + default: 'v1.33.x' |
| 13 | + nightly_bucket: |
| 14 | + description: 'Oracle Cloud bucket name for builds' |
| 15 | + required: false |
| 16 | + default: 'tekton-nightly' |
| 17 | + type: string |
| 18 | + |
| 19 | +env: |
| 20 | + KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.x' }} |
| 21 | + REGISTRY: ghcr.io |
| 22 | + PACKAGE: github.com/${{ github.repository }} |
| 23 | + BUCKET: ${{ inputs.nightly_bucket || 'tekton-nightly' }} |
| 24 | + REPO_NAME: ${{ github.event.repository.name }} |
| 25 | + IMAGE_REGISTRY_PATH: ${{ github.repository }} |
| 26 | + IMAGE_REGISTRY_USER: tekton-robot |
| 27 | + |
| 28 | +jobs: |
| 29 | + build: |
| 30 | + name: Nightly Build (K8s ${{ inputs.kubernetes_version || 'v1.33.x' }}) |
| 31 | + runs-on: ubuntu-latest |
| 32 | + if: github.repository_owner == 'tektoncd' # do not run this elsewhere |
| 33 | + |
| 34 | + permissions: |
| 35 | + contents: read |
| 36 | + packages: write |
| 37 | + id-token: write |
| 38 | + |
| 39 | + steps: |
| 40 | + - name: Checkout repository |
| 41 | + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
| 42 | + with: |
| 43 | + fetch-depth: 0 |
| 44 | + |
| 45 | + - name: Generate version info |
| 46 | + id: version |
| 47 | + run: | |
| 48 | + latest_sha=${{ github.sha }} |
| 49 | + date_tag=$(date +v%Y%m%d-${latest_sha:0:7}) |
| 50 | + echo "version_tag=${date_tag}" >> "$GITHUB_OUTPUT" |
| 51 | + echo "latest_sha=${latest_sha}" >> "$GITHUB_OUTPUT" |
| 52 | +
|
| 53 | + - name: Set up Kind cluster |
| 54 | + uses: chainguard-dev/actions/setup-kind@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7 |
| 55 | + with: |
| 56 | + k8s-version: ${{ env.KUBERNETES_VERSION }} |
| 57 | + |
| 58 | + - name: Set up Tekton |
| 59 | + uses: tektoncd/actions/setup-tektoncd@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main |
| 60 | + with: |
| 61 | + pipeline_version: latest |
| 62 | + setup_registry: "true" |
| 63 | + patch_etc_hosts: "true" |
| 64 | + |
| 65 | + - name: Configure Tekton Git Resolver |
| 66 | + env: |
| 67 | + GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }} |
| 68 | + run: | |
| 69 | + # Create Git authentication secret as basic-auth type for Git resolver |
| 70 | + kubectl create secret generic git-resolver-secret \ |
| 71 | + --type=kubernetes.io/basic-auth \ |
| 72 | + --from-literal=username=git \ |
| 73 | + --from-literal=password="${GITHUB_TOKEN}" \ |
| 74 | + -n tekton-pipelines-resolvers || true |
| 75 | +
|
| 76 | + kubectl annotate secret git-resolver-secret \ |
| 77 | + tekton.dev/git-0=github.com \ |
| 78 | + -n tekton-pipelines-resolvers --overwrite || true |
| 79 | +
|
| 80 | + # Configure Git resolver to use the secret |
| 81 | + kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --type=merge --patch=' |
| 82 | + data: |
| 83 | + default-url: "https://github.com" |
| 84 | + fetch-timeout: "1m" |
| 85 | + scm-type: "github" |
| 86 | + server-url: "https://api.github.com" |
| 87 | + api-secret-name: "git-resolver-secret" |
| 88 | + api-secret-key: "password" |
| 89 | + api-secret-namespace: "tekton-pipelines-resolvers" |
| 90 | + ' || true |
| 91 | +
|
| 92 | + kubectl patch configmap feature-flags -n tekton-pipelines --patch=' |
| 93 | + data: |
| 94 | + enable-cel-in-whenexpression: "true" |
| 95 | + ' || true |
| 96 | +
|
| 97 | + - name: Install tkn CLI |
| 98 | + uses: tektoncd/actions/setup-tektoncd-cli@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main |
| 99 | + with: |
| 100 | + version: latest |
| 101 | + |
| 102 | + - name: Apply Build Pipeline Definition |
| 103 | + run: | |
| 104 | + kustomize build tekton | kubectl apply -f - |
| 105 | +
|
| 106 | + - name: Create secrets, service account and PVC template |
| 107 | + env: |
| 108 | + OCI_API_KEY: ${{ secrets.OCI_API_KEY }} |
| 109 | + OCI_FINGERPRINT: ${{ secrets.OCI_FINGERPRINT }} |
| 110 | + OCI_TENANCY_OCID: ${{ secrets.OCI_TENANCY_OCID }} |
| 111 | + OCI_USER_OCID: ${{ secrets.OCI_USER_OCID }} |
| 112 | + OCI_REGION: ${{ secrets.OCI_REGION }} |
| 113 | + GHCR_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }} |
| 114 | + IMAGE_REGISTRY_USER: ${{ env.IMAGE_REGISTRY_USER }} |
| 115 | + run: | |
| 116 | + # Create Oracle Cloud credentials secret for release bucket access |
| 117 | + echo "${OCI_API_KEY}" > /tmp/oci_api_key.pem |
| 118 | + echo "${OCI_FINGERPRINT}" > /tmp/fingerprint |
| 119 | + echo "${OCI_TENANCY_OCID}" > /tmp/tenancy_ocid |
| 120 | + echo "${OCI_USER_OCID}" > /tmp/user_ocid |
| 121 | + echo "${OCI_REGION}" > /tmp/region |
| 122 | +
|
| 123 | + kubectl create secret generic release-secret \ |
| 124 | + --from-file=oci_api_key.pem=/tmp/oci_api_key.pem \ |
| 125 | + --from-file=fingerprint=/tmp/fingerprint \ |
| 126 | + --from-file=tenancy_ocid=/tmp/tenancy_ocid \ |
| 127 | + --from-file=user_ocid=/tmp/user_ocid \ |
| 128 | + --from-file=region=/tmp/region |
| 129 | +
|
| 130 | + rm -f /tmp/oci_api_key.pem /tmp/fingerprint /tmp/tenancy_ocid /tmp/user_ocid /tmp/region |
| 131 | +
|
| 132 | + # Create a Kubernetes secret for GHCR authentication. |
| 133 | + # This version creates the secret with a custom key name `docker-config.json` |
| 134 | + # (instead of the default `.dockerconfigjson`) to match what the publish task expects. |
| 135 | + echo "${GHCR_TOKEN}" > /tmp/docker-config.json |
| 136 | + kubectl create secret generic release-images-secret \ |
| 137 | + --from-file=docker-config.json=/tmp/docker-config.json |
| 138 | + rm -f /tmp/docker-config.json |
| 139 | +
|
| 140 | + # Apply service account configuration with proper RBAC |
| 141 | + kubectl apply -f tekton/account.yaml |
| 142 | +
|
| 143 | + cat > workspace-template.yaml << EOF |
| 144 | + spec: |
| 145 | + accessModes: |
| 146 | + - ReadWriteOnce |
| 147 | + resources: |
| 148 | + requests: |
| 149 | + storage: 1Gi |
| 150 | + EOF |
| 151 | +
|
| 152 | + - name: Start Tekton Build Pipeline |
| 153 | + run: | |
| 154 | + set -euo pipefail # Exit on any error, undefined variables, or pipe failures |
| 155 | +
|
| 156 | + echo "Starting Tekton pipeline..." |
| 157 | +
|
| 158 | + PIPELINE_RUN=$(tkn pipeline start pipeline-release \ |
| 159 | + --serviceaccount=release-right-meow \ |
| 160 | + --param package="${{ env.PACKAGE }}" \ |
| 161 | + --param repoName="${{ env.REPO_NAME }}" \ |
| 162 | + --param gitRevision="${{ steps.version.outputs.latest_sha }}" \ |
| 163 | + --param versionTag="${{ steps.version.outputs.version_tag }}" \ |
| 164 | + --param releaseBucket="${{ env.BUCKET }}" \ |
| 165 | + --param imageRegistry=${{ env.REGISTRY }} \ |
| 166 | + --param imageRegistryPath="${{ env.IMAGE_REGISTRY_PATH }}" \ |
| 167 | + --param imageRegistryUser="${{ env.IMAGE_REGISTRY_USER }}" \ |
| 168 | + --param imageRegistryRegions="" \ |
| 169 | + --param buildPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" \ |
| 170 | + --param publishPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64" \ |
| 171 | + --param koExtraArgs="" \ |
| 172 | + --param serviceAccountImagesPath=docker-config.json \ |
| 173 | + --param releaseAsLatest="true" \ |
| 174 | + --param runTests="false" \ |
| 175 | + --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \ |
| 176 | + --workspace name=release-secret,secret=release-secret \ |
| 177 | + --workspace name=release-images-secret,secret=release-images-secret \ |
| 178 | + --tasks-timeout 2h \ |
| 179 | + --pipeline-timeout 3h \ |
| 180 | + --output name) || { |
| 181 | + echo "Failed to start Tekton pipeline!" |
| 182 | + exit 1 |
| 183 | + } |
| 184 | +
|
| 185 | + echo "Pipeline started: ${PIPELINE_RUN}" |
| 186 | + tkn pipelinerun logs "${PIPELINE_RUN}" -f |
| 187 | +
|
| 188 | + # Check if pipeline succeeded |
| 189 | + tkn pipelinerun describe "${PIPELINE_RUN}" --output jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}' | grep -q "True" || { |
| 190 | + echo "Pipeline failed!" |
| 191 | + tkn pipelinerun describe "${PIPELINE_RUN}" |
| 192 | + exit 1 |
| 193 | + } |
| 194 | +
|
| 195 | + echo "✅ Pipeline Run completed successfully!" |
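Review bot: `--param releaseBucket="${{ env.BUCKET }}"` (and the other `${{ env.* }}` expansions in the "Start Tekton Build Pipeline" step) are substituted into the shell script before it runs, and `BUCKET` comes from the free-form `nightly_bucket` workflow_dispatch input, so a bucket name such as `x"; <command> #` would execute inside a job that holds the OCI and GHCR secrets; the job-level `env:` block already exports these values, so reference them as shell variables (`"${BUCKET}"`, `"${PACKAGE}"`, ...) and, ideally, reject `nightly_bucket` values that do not match a strict bucket-name pattern before use. The `kubectl create secret generic git-resolver-secret ... || true` and the two `kubectl patch ... || true` calls in "Configure Tekton Git Resolver" swallow failures, so a missing secret or a rejected patch leaves the resolver unauthenticated or misconfigured while the step reports success; drop the `|| true` (or test the exit status explicitly) so the step fails closed. `permissions.id-token: write` is granted but no step in this file consumes an OIDC token, so unless the Tekton pipeline needs it, remove it to keep the job at least privilege. The GHCR token is written verbatim to `/tmp/docker-config.json` while the comment above it describes the file as a Docker config; if the publish task really consumes the raw token the comment should say so, otherwise this needs an actual `{"auths": ...}` document — which one applies is not visible from this hunk.
```yaml
      - name: Start Tekton Build Pipeline
        run: |
          set -euo pipefail
          # … unchanged: "Starting Tekton pipeline..." echo …
          PIPELINE_RUN=$(tkn pipeline start pipeline-release \
            --serviceaccount=release-right-meow \
            --param package="${PACKAGE}" \
            --param repoName="${REPO_NAME}" \
            --param gitRevision="${{ steps.version.outputs.latest_sha }}" \
            --param versionTag="${{ steps.version.outputs.version_tag }}" \
            --param releaseBucket="${BUCKET}" \
            --param imageRegistry="${REGISTRY}" \
            --param imageRegistryPath="${IMAGE_REGISTRY_PATH}" \
            --param imageRegistryUser="${IMAGE_REGISTRY_USER}" \
          # … unchanged: remaining --param, --workspace and timeout flags, log follow and status check …
```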