diff --git a/.github/workflows/delivery-docker.yml b/.github/workflows/delivery-docker.yml index 61c0650bd..a82f859b5 100644 --- a/.github/workflows/delivery-docker.yml +++ b/.github/workflows/delivery-docker.yml @@ -16,8 +16,9 @@ on: default: false env: + REGISTRY_NAME: 'index.docker.io' + USER_NAME: 'buildpacksio' IMG_NAME: 'pack' - USERNAME: 'buildpacksio' jobs: deliver-docker: @@ -52,7 +53,7 @@ jobs: with: ref: v${{ steps.version.outputs.result }} - name: Determine App Name - run: 'echo "IMG_NAME=${{ env.USERNAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV' + run: 'echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV' - name: Login to Dockerhub uses: docker/login-action@v3 with: diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 9bdd4c7a1..f6f16acc7 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md 
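Review bot: The new `run:` line in the "Determine App Name" step splices `${{ env.REGISTRY_NAME }}` and `${{ env.USER_NAME }}` into the script text before the shell starts, so whatever those keys hold is parsed as shell source rather than as data. That matters more now that tools/test-fork.sh in this commit rewrites both values from a command-line argument. Workflow-level `env:` entries are already exported to the step, so the shell can read them directly: `run: 'echo "IMG_NAME=$REGISTRY_NAME/$USER_NAME/$IMG_NAME" >> "$GITHUB_ENV"'`. The rest of the deliver-docker job lies outside the hunk.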
@@ -26,6 +26,29 @@ Alternatively, you can use Gitpod to run pre-configured dev environment in the c * Symlinks - Some of our tests attempt to create symlinks. On Windows, this requires the [permission to be provided](https://stackoverflow.com/a/24353758). +### Testing GitHub actions on forks + +The pack release process involves chaining a series of GitHub actions together, such as: +* The "build" workflow, which creates: + * .tgz files containing the pack binaries and shasums for the .tgz files + * a draft release with the above artifacts +* The "delivery-docker" workflow, which builds and pushes OCI images containing the pack binary +* The "benchmark" workflow, which runs performance checks for each commit and uploads reports to GitHub Pages + +It can be rather cumbersome to test changes to these workflows, as they are heavily intertwined. Thus, we recommend forking the buildpacks/pack repository on GitHub and running through the entire release process end-to-end. + +For the fork, it is necessary to complete the following preparations: + +* Add the following secrets: + * `DOCKER_PASSWORD` for the delivery-docker workflow, if not using ghcr.io + * `DOCKER_USERNAME` for the delivery-docker workflow, if not using ghcr.io + * `DEPLOY_KEY` for the release-merge workflow, as a SSH private key for repository access +* Enable the issues feature on the repository and create `status/triage` and `type/bug` labels for the check-latest-release workflow +* Create a branch named `gh-pages` for uploading benchmark reports for the benchmark workflow + +The `tools/test-fork.sh` script can be used to update the source code to reflect the state of the fork and disable workflows that should not run on the fork repository. +It can be invoked like so: `./tools/test-fork.sh ` + ## Tasks ### Building diff --git a/tools/test-fork.sh b/tools/test-fork.sh new file mode 100755 index 000000000..84a7d770a --- /dev/null +++ b/tools/test-fork.sh 
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+readonly wfdir=".github/workflows"
+
+# $1 - registry repo name
+
+echo "Parse registry: $1"
+firstPart=$(echo "$1" | cut -d/ -f1)
+secondPart=$(echo "$1" | cut -d/ -f2)
+thirdPart=$(echo "$1" | cut -d/ -f3)
+
+registry=""
+username=""
+reponame=""
+if [[ -z $thirdPart ]]; then # assume Docker Hub
+ registry="index.docker.io"
+ username=$firstPart
+ reponame=$secondPart
+else
+ registry=$firstPart
+ username=$secondPart
+ reponame=$thirdPart
+fi
+
+echo "Using registry $registry and username $username"
+if [[ $reponame != "pack" ]]; then
+ echo "Repo name must be 'pack'"
+ exit 1
+fi
+
+echo "Disabling workflows that should not run on the forked repository"
+disable=(
+ delivery-archlinux-git.yml
+ delivery-archlinux.yml
+ delivery-chocolatey.yml
+ delivery-homebrew.yml
+ delivery-release-dispatch.yml
+ delivery-ubuntu.yml
+ privileged-pr-process.yml
+)
+for d in "${disable[@]}"; do
+ if [ -e "$wfdir/$d" ]; then
+ mv "$wfdir/$d" "$wfdir/$d.disabled"
+ fi
+done
+
+echo "Removing upstream maintainers from the benchmark alert CC"
+sed -i '' "/alert-comment-cc-users:/d" $wfdir/benchmark.yml
+
+echo "Removing the architectures that require self-hosted runner from the build strategies."
+sed -i '' "/config: \[.*\]/ s/windows-lcow, //g" $wfdir/build.yml
+sed -i '' "/- config: windows-lcow/,+4d" $wfdir/build.yml
+
+echo "Replacing the registry account with owned one (assumes DOCKER_PASSWORD and DOCKER_USERNAME have been added to GitHub secrets, if not using ghcr.io)"
+sed -i '' "s/buildpacksio\/pack/$registry\/$username\/$reponame/g" $wfdir/check-latest-release.yml
+sed -i '' "/REPO_NAME: 'index.docker.io'/ s/index.docker.io/$registry/g" $wfdir/delivery-docker.yml
+sed -i '' "/USER_NAME: 'buildpacksio'/ s/buildpacksio/$username/g" $wfdir/delivery-docker.yml
+
+if [[ $registry != "index.docker.io" ]]; then
+ echo "Updating login action to specify the registry"
+ sed -i '' "s/username: \${{ secrets.DOCKER_USERNAME }}/registry: $registry\n username: $username/g" $wfdir/delivery-docker.yml
+fi
+
+if [[ $registry == *"ghcr.io"* ]]; then
+ echo "Updating login action to use GitHub token for ghcr.io"
+ sed -i '' "s/secrets.DOCKER_PASSWORD/secrets.GITHUB_TOKEN/g" $wfdir/delivery-docker.yml
+
+ echo "Adding workflow permissions to push images to ghcr.io"
+ LF=$'\n'
+ sed -i '' "/runs-on: ubuntu-latest/ a\\
+ permissions:\\
+ contents: read\\
+ packages: write\\
+ attestations: write\\
+ id-token: write${LF}" $wfdir/delivery-docker.yml
+ LF=""
+fi
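Review bot: The sed address `/REPO_NAME: 'index.docker.io'/` never matches, because the key this commit adds to delivery-docker.yml is `REGISTRY_NAME`; the image name keeps `index.docker.io` even after the login step has been pointed at another registry. The ghcr.io branch tests the glob `*"ghcr.io"*`, so any host name that merely contains that string receives `secrets.GITHUB_TOKEN` as its login password and gets the added write permissions; an exact comparison is safer, and `attestations: write` and `id-token: write` are worth dropping unless the workflow actually attests or signs images. The script also runs without `set -euo pipefail` and never checks that `$1` was supplied, so a failed edit or an empty argument goes unnoticed. `sed -i ''` is the BSD/macOS form and GNU sed is likely to reject it, which deserves a comment at the top of the script.

```shell
#!/usr/bin/env bash
set -euo pipefail

if [[ $# -ne 1 || -z $1 ]]; then
  echo "Usage: $0 [<registry>/]<username>/pack" >&2
  exit 1
fi

# … unchanged: registry parsing, workflow disabling, benchmark.yml and build.yml edits …

sed -i '' "/REGISTRY_NAME: 'index.docker.io'/ s/index.docker.io/$registry/g" $wfdir/delivery-docker.yml

# … unchanged: USER_NAME substitution, login-action registry edit …

if [[ $registry == "ghcr.io" ]]; then
```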