Building and Pushing to MCR #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This Github Action will build and publish images to Azure Container Registry(ACR), from where the published images will be | |
# automatically pushed to the trusted registry, Microsoft Container Registry(MCR). | |
name: Building and Pushing to MCR | |
on: | |
workflow_dispatch: | |
inputs: | |
releaseTag: | |
description: 'Release tag to publish images, defaults to the latest one' | |
type: string | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
# `public` indicates images to MCR wil be publicly available, and will be removed in the final MCR images | |
REGISTRY_REPO: public/aks/fleet | |
GO_VERSION: '1.20' | |
jobs: | |
prepare-variables: | |
runs-on: ubuntu-latest | |
outputs: | |
release_tag: ${{ steps.vars.outputs.release_tag }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: 'Set output variables' | |
id: vars | |
run: | | |
# set the image version | |
RELEASE_TAG=${{ inputs.releaseTag }} | |
if [ -z "$RELEASE_TAG" ]; then | |
RELEASE_TAG=`git describe --tags $(git rev-list --tags --max-count=1)` | |
echo "The user input release tag is empty, will use the latest tag $RELEASE_TAG." | |
fi | |
echo "::set-output name=release_tag::$RELEASE_TAG" | |
# NOTE(mainred): As exporting a variable from a secret is not possible, the shared variable registry obtained | |
# from AZURE_REGISTRY secret is not exported from here. | |
publish-images: | |
runs-on: ubuntu-latest | |
needs: prepare-variables | |
steps: | |
- name: Set up Go ${{ env.GO_VERSION }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ needs.prepare-variables.outputs.release_tag }} | |
# reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure | |
- name: 'OIDC Login to Azure Public Cloud' | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: 'Login the ACR' | |
run: az acr login -n ${{ secrets.AZURE_REGISTRY }} | |
- name: Build and publish controller manager images | |
run: | | |
make push | |
env: | |
TAG: ${{ needs.prepare-variables.outputs.release_tag }} | |
REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO}} | |