Merge pull request #3500 from jupyterhub/vuln-scan-singleuser-sample #2302
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a GitHub workflow defining a set of jobs with a set of steps. | |
# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
# | |
name: Publish | |
# Trigger the workflow on pushed tags or commits to main branch. | |
on: | |
pull_request: | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
- ".github/workflows/*" | |
- "!.github/workflows/publish.yaml" | |
push: | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
- ".github/workflows/*" | |
- "!.github/workflows/publish.yaml" | |
branches-ignore: | |
- "dependabot/**" | |
- "pre-commit-ci-update-config" | |
- "update-*" | |
- "vuln-scan-*" | |
tags: | |
- "**" | |
jobs: | |
# Builds and pushes docker images to DockerHub and package the Helm chart and | |
# pushes it to jupyterhub/helm-chart@gh-pages where index.yaml represents the | |
# JupyterHub organization Helm chart repository. | |
# | |
# ref: https://github.com/jupyterhub/helm-chart | |
# ref: https://quay.io/organization/jupyterhub | |
publish: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# chartpress requires git history to set chart version and image tags | |
# correctly | |
fetch-depth: 0 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.11" | |
- name: Decide to publish or not | |
id: publishing | |
shell: python | |
run: | | |
import os | |
repo = "${{ github.repository }}" | |
event = "${{ github.event_name }}" | |
ref = "${{ github.event.ref }}" | |
publishing = "" | |
if ( | |
repo == "jupyterhub/zero-to-jupyterhub-k8s" | |
and event == "push" | |
and ( | |
ref.startswith("refs/tags/") | |
or ref == "refs/heads/main" | |
) | |
): | |
publishing = "true" | |
print("Publishing chart") | |
with open(os.environ["GITHUB_OUTPUT"], "a") as f: | |
f.write(f"publishing={publishing}\n") | |
- name: Set up QEMU (for docker buildx) | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx (for chartpress multi-arch builds) | |
uses: docker/setup-buildx-action@v3 | |
- name: Install chart publishing dependencies (chartpress, helm) | |
run: | | |
pip install chartpress pyyaml | |
pip list | |
helm version | |
- name: Setup push rights to jupyterhub/helm-chart | |
# This was setup by... | |
# 1. Generating a private/public key pair: | |
# ssh-keygen -t ed25519 -C "jupyterhub/zero-to-jupyterhub-k8s" -f /tmp/id_ed25519 | |
# 2. Registering the private key (/tmp/id_ed25519) as a secret for this | |
# repo: | |
# https://github.com/jupyterhub/zero-to-jupyterhub-k8s/settings/secrets/actions | |
# 3. Registering the public key (/tmp/id_ed25519.pub) as a deploy key | |
# with push rights for the jupyterhub/helm chart repo: | |
# https://github.com/jupyterhub/helm-chart/settings/keys | |
if: steps.publishing.outputs.publishing | |
run: | | |
mkdir -p ~/.ssh | |
ssh-keyscan github.com >> ~/.ssh/known_hosts | |
echo "${{ secrets.JUPYTERHUB_HELM_CHART_DEPLOY_KEY }}" > ~/.ssh/id_ed25519 | |
chmod 600 ~/.ssh/id_ed25519 | |
- name: Setup push rights to Docker Hub | |
# This was setup by... | |
# 1. Creating a Docker Hub service account "jupyterhubbot" | |
# 2. Making the account part of the "bots" team, and granting that team | |
# permissions to push to the relevant images: | |
# https://hub.docker.com/orgs/jupyterhub/teams/bots/permissions | |
# 3. Registering the username and password as a secret for this repo: | |
# https://github.com/jupyterhub/zero-to-jupyterhub-k8s/settings/secrets/actions | |
if: steps.publishing.outputs.publishing | |
run: | | |
docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" quay.io | |
docker login -u "${{ secrets.DOCKER_USERNAME }}" -p "${{ secrets.DOCKER_PASSWORD }}" docker.io | |
- name: Configure a git user | |
# Having a user.email and user.name configured with git is required to | |
# make commits, which is something chartpress does when publishing. | |
# While Travis CI had a dummy user by default, GitHub Actions doesn't | |
# and require this explicitly setup. | |
run: | | |
git config --global user.email "github-actions@example.local" | |
git config --global user.name "GitHub Actions user" | |
- name: build chart with chartpress | |
run: | | |
# Create values.schema.json from values.schema.yaml. | |
./tools/generate-json-schema.py | |
# Append annotations to Chart.yaml with current images so that | |
# artifacthub.io can scan and provide vulnerability reports for them. | |
chartpress --no-build | |
./tools/set-chart-yaml-annotations.py | |
- name: Publish images and chart with chartpress | |
if: steps.publishing.outputs.publishing | |
env: | |
GITHUB_REPOSITORY: "${{ github.repository }}" | |
run: | | |
# Package the Helm chart and publish it to the gh-pages branch of | |
# the jupyterhub/helm-chart repo. | |
./ci/publish | |
- name: Package helm chart as a CI artifact | |
if: steps.publishing.outputs.publishing == '' | |
run: helm package jupyterhub | |
# ref: https://github.com/actions/upload-artifact | |
- uses: actions/upload-artifact@v4 | |
if: steps.publishing.outputs.publishing == '' | |
with: | |
name: jupyterhub-${{ github.sha }} | |
path: "jupyterhub-*.tgz" | |
if-no-files-found: error |