Skip to content

feat: Add service account to hook-image-puller and continuous-image-puller #2434

feat: Add service account to hook-image-puller and continuous-image-puller

feat: Add service account to hook-image-puller and continuous-image-puller #2434

Workflow file for this run

# This is a GitHub workflow defining a set of jobs with a set of steps.
# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
#
name: Publish
# Trigger the workflow on pushed tags or commits to main branch.
on:
pull_request:
paths-ignore:
- "docs/**"
- "**.md"
- ".github/workflows/*"
- "!.github/workflows/publish.yaml"
push:
paths-ignore:
- "docs/**"
- "**.md"
- ".github/workflows/*"
- "!.github/workflows/publish.yaml"
branches-ignore:
- "dependabot/**"
- "pre-commit-ci-update-config"
- "update-*"
- "vuln-scan-*"
tags:
- "**"
jobs:
# Builds and pushes docker images to DockerHub and package the Helm chart and
# pushes it to jupyterhub/helm-chart@gh-pages where index.yaml represents the
# JupyterHub organization Helm chart repository.
#
# ref: https://github.com/jupyterhub/helm-chart
# ref: https://quay.io/organization/jupyterhub
publish:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
# chartpress requires git history to set chart version and image tags
# correctly
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Decide to publish or not
id: publishing
shell: python
run: |
import os
repo = "${{ github.repository }}"
event = "${{ github.event_name }}"
ref = "${{ github.event.ref }}"
publishing = ""
if (
repo == "jupyterhub/zero-to-jupyterhub-k8s"
and event == "push"
and (
ref.startswith("refs/tags/")
or ref == "refs/heads/main"
)
):
publishing = "true"
print("Publishing chart")
with open(os.environ["GITHUB_OUTPUT"], "a") as f:
f.write(f"publishing={publishing}\n")
- name: Set up QEMU (for docker buildx)
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx (for chartpress multi-arch builds)
uses: docker/setup-buildx-action@v3
- name: Install chart publishing dependencies (chartpress, helm)
run: |
pip install chartpress pyyaml
pip list
helm version
- name: Setup push rights to jupyterhub/helm-chart
# This was setup by...
# 1. Generating a private/public key pair:
# ssh-keygen -t ed25519 -C "jupyterhub/zero-to-jupyterhub-k8s" -f /tmp/id_ed25519
# 2. Registering the private key (/tmp/id_ed25519) as a secret for this
# repo:
# https://github.com/jupyterhub/zero-to-jupyterhub-k8s/settings/secrets/actions
# 3. Registering the public key (/tmp/id_ed25519.pub) as a deploy key
# with push rights for the jupyterhub/helm chart repo:
# https://github.com/jupyterhub/helm-chart/settings/keys
if: steps.publishing.outputs.publishing
run: |
mkdir -p ~/.ssh
ssh-keyscan github.com >> ~/.ssh/known_hosts
echo "${{ secrets.JUPYTERHUB_HELM_CHART_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
- name: Setup push rights to Docker Hub
# This was setup by...
# 1. Creating a Docker Hub service account "jupyterhubbot"
# 2. Making the account part of the "bots" team, and granting that team
# permissions to push to the relevant images:
# https://hub.docker.com/orgs/jupyterhub/teams/bots/permissions
# 3. Registering the username and password as a secret for this repo:
# https://github.com/jupyterhub/zero-to-jupyterhub-k8s/settings/secrets/actions
if: steps.publishing.outputs.publishing
run: |
docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" quay.io
docker login -u "${{ secrets.DOCKER_USERNAME }}" -p "${{ secrets.DOCKER_PASSWORD }}" docker.io
- name: Configure a git user
# Having a user.email and user.name configured with git is required to
# make commits, which is something chartpress does when publishing.
# While Travis CI had a dummy user by default, GitHub Actions doesn't
# and require this explicitly setup.
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Actions user"
- name: build chart with chartpress
run: |
# Create values.schema.json from values.schema.yaml.
./tools/generate-json-schema.py
# Append annotations to Chart.yaml with current images so that
# artifacthub.io can scan and provide vulnerability reports for them.
chartpress --no-build
./tools/set-chart-yaml-annotations.py
- name: Publish images and chart with chartpress
if: steps.publishing.outputs.publishing
env:
GITHUB_REPOSITORY: "${{ github.repository }}"
run: |
# Package the Helm chart and publish it to the gh-pages branch of
# the jupyterhub/helm-chart repo.
./ci/publish
- name: Package helm chart as a CI artifact
if: steps.publishing.outputs.publishing == ''
run: helm package jupyterhub
# ref: https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@v4
if: steps.publishing.outputs.publishing == ''
with:
name: jupyterhub-${{ github.sha }}
path: "jupyterhub-*.tgz"
if-no-files-found: error