From 3d5a189fa732ef462dbbd73b88c128ebaf1833f9 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Fri, 22 Nov 2024 18:26:56 +0100
Subject: [PATCH] ci: mirror repo to internal repo (#12160)
* don't push when on internal repo
Signed-off-by: Jens Langhammer
* only run certain workflows on main repo
Signed-off-by: Jens Langhammer
* add mirror
Signed-off-by: Jens Langhammer
* how tf did a tab get in there
Signed-off-by: Jens Langhammer
* ooops
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
 .../actions/docker-push-variables/action.yml | 6 +++---
 .../actions/docker-push-variables/push_vars.py | 11 +++++++++--
 .github/workflows/api-py-publish.yml | 1 +
 .github/workflows/api-ts-publish.yml | 1 +
 .github/workflows/ci-main.yml | 10 +++++-----
 .github/workflows/ci-outpost.yml | 8 ++++----
 .github/workflows/gen-update-webauthn-mds.yml | 1 +
 .github/workflows/ghcr-retention.yml | 1 +
 .github/workflows/publish-source-docs.yml | 1 +
 .github/workflows/release-next-branch.yml | 1 +
 .github/workflows/repo-mirror.yml | 17 +++++++++++++++++
 .github/workflows/repo-stale.yml | 1 +
 12 files changed, 45 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/repo-mirror.yml
diff --git a/.github/actions/docker-push-variables/action.yml b/.github/actions/docker-push-variables/action.yml
index 66f5a1605513..e95361a5d836 100644
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -11,9 +11,9 @@ inputs:
 description: "Docker image arch"
 outputs:
- shouldBuild:
- description: "Whether to build image or not"
- value: ${{ steps.ev.outputs.shouldBuild }}
+ shouldPush:
+ description: "Whether to push the image or not"
+ value: ${{ steps.ev.outputs.shouldPush }}
 sha:
 description: "sha"
diff --git a/.github/actions/docker-push-variables/push_vars.py b/.github/actions/docker-push-variables/push_vars.py
index 8f91abbe3245..d5e7b811ad19 100644
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -7,7 +7,14 @@
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
-should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
+# Decide if we should push the image or not
+should_push = True
+if len(os.environ.get("DOCKER_USERNAME", "")) > 0:
+ # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
+ should_push = False
+if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
+ # Don't push on the internal repo
+ should_push = False
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -64,7 +71,7 @@ def get_attest_image_names(image_with_tags: list[str]):
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
- print(f"shouldBuild={should_build}", file=_output)
+ print(f"shouldPush={str(should_push).lower()}", file=_output)
 print(f"sha={sha}", file=_output)
 print(f"version={version}", file=_output)
 print(f"prerelease={prerelease}", file=_output)
diff --git a/.github/workflows/api-py-publish.yml b/.github/workflows/api-py-publish.yml
index 79a1d274e01b..60cf8cfdf5e1 100644
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@@ -7,6 +7,7 @@ on:
 workflow_dispatch:
 jobs:
 build:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 permissions:
 id-token: write
diff --git a/.github/workflows/api-ts-publish.yml b/.github/workflows/api-ts-publish.yml
index 4e06ffd8f000..7176cb5ed1b3 100644
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -7,6 +7,7 @@ on:
 workflow_dispatch:
 jobs:
 build:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 steps:
 - id: generate_token
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 7c223fac8cb2..914afdc339a5 100644
--- a/.github/workflows/ci-main.yml
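Review bot: The new DOCKER_USERNAME check is inverted: `should_push` is set to False when the variable is non-empty, which is the opposite of the removed `len(...) > 0` expression and of the comment on the line below it, so a push is attempted exactly when no registry credentials were provided and never on the main repository. The condition should read `if len(os.environ.get("DOCKER_USERNAME", "")) == 0:`. Separately, `os.environ.get("GITHUB_REPOSITORY").lower()` has no default and raises AttributeError when the variable is unset (for example when the script is run outside Actions); use `os.environ.get("GITHUB_REPOSITORY", "").lower()`. The second hunk of this file only renames the emitted output key and is consistent with the new name.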
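Review bot: The job-level guard is a deny-list naming one repository, so this publish job still runs in every other fork or mirror of the repository; for workflows that publish packages or mint tokens an allow-list is the safer form, e.g. `if: ${{ github.repository == 'goauthentik/authentik' }}`. The same literal is repeated verbatim in api-ts-publish.yml, gen-update-webauthn-mds.yml, ghcr-retention.yml, publish-source-docs.yml, release-next-branch.yml and repo-stale.yml, and in lowercase in push_vars.py; a single repository variable would keep the copies from drifting. GitHub expression string comparison is case-insensitive, so the workflow guards and the `.lower()` comparison in push_vars.py currently agree on what they match.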
+++ b/.github/workflows/ci-main.yml
@@ -252,7 +252,7 @@ jobs:
 image-name: ghcr.io/goauthentik/dev-server
 image-arch: ${{ matrix.arch }}
 - name: Login to Container Registry
- if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ if: ${{ steps.ev.outputs.shouldPush == 'true' }}
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
@@ -269,15 +269,15 @@ jobs:
 GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
 GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
 tags: ${{ steps.ev.outputs.imageTags }}
- push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ push: ${{ steps.ev.outputs.shouldPush == 'true' }}
 build-args: |
 GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
 cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
- cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+ cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
 platforms: linux/${{ matrix.arch }}
 - uses: actions/attest-build-provenance@v1
 id: attest
- if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ if: ${{ steps.ev.outputs.shouldPush == 'true' }}
 with:
 subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
@@ -303,7 +303,7 @@ jobs:
 with:
 image-name: ghcr.io/goauthentik/dev-server
 - name: Comment on PR
- if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ if: ${{ steps.ev.outputs.shouldPush == 'true' }}
 uses: ./.github/actions/comment-pr-instructions
 with:
 tag: ${{ steps.ev.outputs.imageMainTag }}
diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
index 3f8888f9ff74..8b1eaf3b6085 100644
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -90,7 +90,7 @@ jobs:
 with:
 image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
 - name: Login to Container Registry
- if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ if: ${{ steps.ev.outputs.shouldPush == 'true' }}
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
@@ -104,16 +104,16 @@ jobs:
 with:
 tags: ${{ steps.ev.outputs.imageTags }}
 file: ${{ matrix.type }}.Dockerfile
- push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ push: ${{ steps.ev.outputs.shouldPush == 'true' }}
 build-args: |
 GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
 platforms: linux/amd64,linux/arm64
 context: .
 cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
- cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+ cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
 - uses: actions/attest-build-provenance@v1
 id: attest
- if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+ if: ${{ steps.ev.outputs.shouldPush == 'true' }}
 with:
 subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/.github/workflows/gen-update-webauthn-mds.yml b/.github/workflows/gen-update-webauthn-mds.yml
index ef19a94875c8..45e7a5b679e2 100644
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -11,6 +11,7 @@ env:
 jobs:
 build:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 steps:
 - id: generate_token
diff --git a/.github/workflows/ghcr-retention.yml b/.github/workflows/ghcr-retention.yml
index f1543820fe0c..2ee1d65b9658 100644
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@@ -7,6 +7,7 @@ on:
 jobs:
 clean-ghcr:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 name: Delete old unused container images
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/publish-source-docs.yml b/.github/workflows/publish-source-docs.yml
index 036c4c04b577..3c98ca1c92d9 100644
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@@ -12,6 +12,7 @@ env:
 jobs:
 publish-source-docs:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
diff --git a/.github/workflows/release-next-branch.yml b/.github/workflows/release-next-branch.yml
index 57b672d28378..3b8385ef191c 100644
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
 update-next:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 environment: internal-production
 steps:
diff --git a/.github/workflows/repo-mirror.yml b/.github/workflows/repo-mirror.yml
new file mode 100644
index 000000000000..2f57dda611af
--- /dev/null
+++ b/.github/workflows/repo-mirror.yml
@@ -0,0 +1,17 @@
+name: "authentik-repo-mirror"
+
+on: [push, delete]
+
+jobs:
+ to_internal:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: pixta-dev/repository-mirroring-action@v1
+ with:
+ target_repo_url:
+ git@github.com:goauthentik/authentik-internal.git
+ ssh_private_key:
+ ${{ secrets.GH_MIRROR_KEY }}
diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml
index 4918171953ca..141212b03bba 100644
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
 stale:
+ if: ${{ github.repository != 'goauthentik/authentik-internal' }}
 runs-on: ubuntu-latest
 steps:
 - id: generate_token
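Review bot: The new `to_internal` job carries no repository guard, unlike the jobs this commit guards in the other workflows, so it runs on every push in any fork (failing for lack of `GH_MIRROR_KEY`) and, once this file has been mirrored, would presumably also fire on pushes to the internal repository if Actions are enabled there; add `if: ${{ github.repository == 'goauthentik/authentik' }}` to the job. `pixta-dev/repository-mirroring-action@v1` is a third-party action referenced by a mutable tag while being handed the SSH key that can push to the internal repository; pin it to a full commit SHA (`uses: pixta-dev/repository-mirroring-action@<commit-sha> # v1`) so a change to the tag cannot silently alter what receives the key. The workflow also declares no `permissions:` block, so both steps run with the repository's default `GITHUB_TOKEN` scope; `permissions: contents: read` at the top level is sufficient for a checkout-and-push-over-SSH job. `actions/checkout@v3` could be bumped to `@v4`, and the two input values split onto continuation lines read more clearly on the key line, e.g. `target_repo_url: "git@github.com:goauthentik/authentik-internal.git"`.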