quay/.github/workflows/build-and-publish.yaml

---
name: Build and Publish

on:
  push:
    branches:
      - redhat-** # IMPORTANT! this must match the jobs.build-and-publish.env.BRANCH_PREFIX (save the **).
  workflow_dispatch:
    # Allows you to run this workflow manually from the Actions tab
    inputs:
      tag:
        description: 'Tag to attach to image'
        required: true
jobs:
  build-and-publish:
    name: Publish container image
    env:
      BRANCH_PREFIX: redhat- # IMPORTANT! this must match the .on.push.branches prefix!
      REGISTRY: ${{ secrets.REGISTRY || 'quay.io/projectquay' }}
      REPO_NAME: ${{ github.event.repository.name }}
      TAG_SUFFIX: -unstable
    runs-on: 'ubuntu-latest'
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3

      - name: Set version from branch name
        id: version-from-branch
        if: startsWith('env.BRANCH_PREFIX', env.GITHUB_REF)
        run: |
          BRANCH_NAME=${GITHUB_REF#refs/heads/}
          echo "version=${BRANCH_NAME/${{ env.BRANCH_PREFIX }}/}" >> $GITHUB_OUTPUT

      - name: install ibmcli and setup ibm login
        run: |
          curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
          ibmcloud login -q --apikey ${{ secrets.IBMCLOUD_API_KEY }} -r eu-gb
          ibmcloud plugin install vpc-infrastructure

      - name: Add rule to VPC
        id: sg-rule-id
        run: |
          cidr=$(dig +short myip.opendns.com @resolver1.opendns.com)
          echo $cidr
          SGRID=$(ibmcloud is security-group-rule-add --sg ${{ secrets.SG_ID }} --direction=inbound --protocol=tcp --port-min=22 --port-max=22 --remote=$cidr --output JSON | jq -r '.id')
          echo $SGRID
          echo "RID=${SGRID}" >> $GITHUB_ENV

      - name: Setup SSH config for builders
        env:
          BUILDER_AARCH64_SSH_CONFIG: ${{ secrets.BUILDER_AARCH64_SSH_CONFIG }}
          BUILDER_AARCH64_SSH_KEY: ${{ secrets.BUILDER_AARCH64_SSH_KEY }}
          BUILDER_AARCH64_SSH_KNOWN_HOSTS: ${{ secrets.BUILDER_AARCH64_SSH_KNOWN_HOSTS }}
          BUILDER_PPC64LE_SSH_CONFIG: ${{ secrets.BUILDER_PPC64LE_SSH_CONFIG }}
          BUILDER_PPC64LE_SSH_KEY: ${{ secrets.BUILDER_PPC64LE_SSH_KEY }}
          BUILDER_PPC64LE_SSH_KNOWN_HOSTS: ${{ secrets.BUILDER_PPC64LE_SSH_KNOWN_HOSTS }}
          BUILDER_S390X_SSH_HOST: ${{ secrets.BUILDER_S390X_SSH_HOST }}
          BUILDER_S390X_SSH_KEY: ${{ secrets.BUILDER_S390X_SSH_KEY }}
        run: |
          mkdir ~/.ssh
          chmod 700 ~/.ssh

          touch ~/.ssh/id_builder_aarch64
          chmod 600 ~/.ssh/id_builder_aarch64
          echo "$BUILDER_AARCH64_SSH_KEY" >~/.ssh/id_builder_aarch64

          touch ~/.ssh/id_builder_ppc64le
          chmod 600 ~/.ssh/id_builder_ppc64le
          echo "$BUILDER_PPC64LE_SSH_KEY" >~/.ssh/id_builder_ppc64le

          touch ~/.ssh/id_builder_s390x
          chmod 600 ~/.ssh/id_builder_s390x
          echo "$BUILDER_S390X_SSH_KEY" > ~/.ssh/id_builder_s390x

          touch ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          cat >~/.ssh/known_hosts <<END
          $BUILDER_AARCH64_SSH_KNOWN_HOSTS
          $BUILDER_PPC64LE_SSH_KNOWN_HOSTS
          END

          touch ~/.ssh/config
          chmod 600 ~/.ssh/config
          cat >~/.ssh/config <<END
          Host builder-aarch64
            IdentityFile "~/.ssh/id_builder_aarch64"
          $BUILDER_AARCH64_SSH_CONFIG

          Host builder-ppc64le
            IdentityFile "~/.ssh/id_builder_ppc64le"
          $BUILDER_PPC64LE_SSH_CONFIG

          Host builder-s390x
            StrictHostKeyChecking no
            HostName $BUILDER_S390X_SSH_HOST
            User wfuser
            IdentityFile "~/.ssh/id_builder_s390x"
          END

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          platforms: linux/amd64
          append: |
            - endpoint: ssh://builder-aarch64
              platforms: linux/arm64
            - endpoint: ssh://builder-ppc64le
              platforms: linux/ppc64le
            - endpoint: ssh://builder-s390x
              platforms: linux/s390x

      - name: Login to Quay.io
        uses: docker/login-action@v1
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USER }}
          password: ${{ secrets.QUAY_TOKEN }}

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        env:
          TAG: ${{ steps.version-from-branch.outputs.version }}${{ env.TAG_SUFFIX }}
        with:
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}:${{ github.event.inputs.tag || env.TAG }}

      - name: Clean up
        if: success() || failure()
        run: |
          ibmcloud is security-group-rule-delete ${{ secrets.SG_ID }} $RID -f