Prepare Platform 3.0.1 release #570
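# CI pipeline: lint / format / type-check / coverage / chart-validation gates,
# then a no-push container build, then (main, v* tags, or an explicitly
# confirmed manual run only) publish to GHCR and, for tags, cut a GitHub Release.
#
# Supply-chain note: every third-party action below is pinned to a moving major
# tag (@v3, @v4, @v5, @v6). Such a tag can be re-pointed by the action's
# maintainers (or by anyone who compromises their repo); pinning to a full
# commit SHA with the tag kept as a trailing comment
# (`uses: actions/checkout@<commit-sha>  # v4`) removes that trust dependency.
name: CI

on:
  push:
    branches:
      - "**"
    tags:
      - "v*.*.*"
  pull_request:
  workflow_dispatch:
    inputs:
      # Kept as a plain string input on purpose: docker-publish compares it
      # against the literal 'true'. Switching to `type: boolean` would change
      # that comparison's semantics.
      confirm_publish:
        description: "Type true to publish Docker images to GHCR"
        required: true
        default: "false"

# Default GITHUB_TOKEN scope for every job; jobs that need more widen it
# explicitly and locally (docker-publish, github-release).
permissions:
  contents: read

jobs:
  ruff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v5
      - name: Install dependencies
        run: uv sync --extra dev --extra master
      - name: Ruff
        run: uv run ruff check .

  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v5
      - name: Install dependencies
        run: uv sync --extra dev --extra master
      - name: Format
        run: uv run ruff format --check .

  mypy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v5
      - name: Install dependencies
        run: uv sync --extra dev --extra master
      - name: Mypy
        run: uv run mypy src tests

  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v5
      - name: Install dependencies
        run: uv sync --extra dev --extra master
      - name: Coverage
        run: uv run pytest --cov=platform_network --cov-report=term-missing --cov-fail-under=80

  helm-kubeconform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # No step in this job invokes Python; presumably a leftover from the
      # other jobs' template. Harmless, but confirm before relying on it.
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: azure/setup-helm@v4
      # The version is passed through the process environment rather than
      # interpolated with ${{ }} into the shell line, which keeps the run
      # script free of template injection. The archive itself is installed
      # without integrity verification; a pinned digest check
      # (`echo "<KUBECONFORM_SHA256 placeholder>  /tmp/kubeconform.tar.gz" | sha256sum -c`)
      # before `tar` would close that gap.
      - name: Install kubeconform
        env:
          KUBECONFORM_VERSION: v0.7.0
        run: |
          curl -fsSL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" -o /tmp/kubeconform.tar.gz
          tar -xzf /tmp/kubeconform.tar.gz -C /tmp kubeconform
          sudo install /tmp/kubeconform /usr/local/bin/kubeconform
      - name: Helm lint
        run: helm lint deploy/helm/platform
      - name: Helm template default values
        run: helm template platform deploy/helm/platform > /tmp/platform-default.yaml
      - name: kubeconform default values
        run: kubeconform -strict -summary /tmp/platform-default.yaml
      - name: Helm template production values
        run: helm template platform deploy/helm/platform -f deploy/helm/platform/values.production.example.yaml > /tmp/platform-production.yaml
      - name: kubeconform production values
        run: kubeconform -strict -summary /tmp/platform-production.yaml

  production-policy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v5
      - uses: azure/setup-helm@v4
      - name: Install dependencies
        run: uv sync --extra dev --extra master
      - name: Helm production policy tests
        run: uv run pytest tests/unit/test_helm_chart.py -q
      - name: Runtime production policy tests
        run: >-
          uv run pytest
          tests/unit/test_config_template_security.py
          tests/unit/test_db_and_models.py
          tests/unit/test_registry_extended.py
          tests/unit/test_admin_registry_proxy.py
          tests/unit/test_kubernetes_resources.py
          -q

  # Build-only gate: runs for every event (including pull_request, where the
  # token is read-only) and never pushes.
  docker-build:
    needs:
      - ruff
      - format
      - mypy
      - coverage
      - helm-kubeconform
      - production-policy
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - image: platform
            dockerfile: docker/Dockerfile.validator
          - image: platform-master
            dockerfile: docker/Dockerfile.master
    steps:
      # checkout persists GITHUB_TOKEN in .git/config by default and the build
      # context below is the whole checkout; confirm .dockerignore excludes
      # .git, or set `with: persist-credentials: false` here (nothing in this
      # job pushes to git).
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Build ${{ matrix.image }} image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          push: false
          tags: ghcr.io/platformnetwork/${{ matrix.image }}:ci-${{ github.sha }}

  docker-publish:
    # Never publish from pull_request. Otherwise publish only for main, v*
    # tags, or a workflow_dispatch where the operator typed the literal
    # string "true" (any branch can be published that way by someone with
    # write access to the repo — by design, but worth knowing).
    if: >-
      github.event_name != 'pull_request' &&
      (github.ref == 'refs/heads/main' ||
      startsWith(github.ref, 'refs/tags/v') ||
      (github.event_name == 'workflow_dispatch' && inputs.confirm_publish == 'true'))
    needs:
      - docker-build
    runs-on: ubuntu-latest
    # packages: write is the only widening; scoped to this job.
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - image: platform
            dockerfile: docker/Dockerfile.validator
          - image: platform-master
            dockerfile: docker/Dockerfile.master
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Tag set, in order: branch name; SemVer without/with the "v" prefix
      # ({{version}} / {{raw}}); commit SHA; and `latest` only from main.
      # `format=long` makes the SHA tag use the full commit SHA so it matches
      # the `sha-${{ github.sha }}` reference written into the release body
      # below — metadata-action's default for type=sha is the short SHA, which
      # would leave that release-note link pointing at a tag that was never
      # pushed.
      - name: Generate Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/platformnetwork/${{ matrix.image }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{raw}}
            type=sha,prefix=sha-,format=long
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
      - name: Build and publish ${{ matrix.image }} image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  github-release:
    # Only a pushed v* tag produces a release; the images it lists were
    # published by docker-publish for the same ref.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    needs:
      - docker-publish
    runs-on: ubuntu-latest
    # contents: write is required to create the release; scoped to this job.
    permissions:
      contents: write
    steps:
      # Strip the leading "v" from the tag to get the bare SemVer string.
      - name: Prepare release metadata
        id: release
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
      # A hyphen in the tag (e.g. a pre-release suffix) marks it as a
      # pre-release and keeps it from becoming "latest".
      - name: Create GitHub release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: Platform ${{ steps.release.outputs.version }}
          generate_release_notes: true
          append_body: true
          draft: false
          prerelease: ${{ contains(github.ref_name, '-') }}
          make_latest: ${{ !contains(github.ref_name, '-') }}
          body: |
            ## Container Images
            - `ghcr.io/platformnetwork/platform:${{ steps.release.outputs.version }}`
            - `ghcr.io/platformnetwork/platform:${{ github.ref_name }}`
            - `ghcr.io/platformnetwork/platform:sha-${{ github.sha }}`
            - `ghcr.io/platformnetwork/platform-master:${{ steps.release.outputs.version }}`
            - `ghcr.io/platformnetwork/platform-master:${{ github.ref_name }}`
            - `ghcr.io/platformnetwork/platform-master:sha-${{ github.sha }}`
            ## Deployment Notes
            Production deployments should pin the SemVer image tag plus the immutable digest. The `latest` tag is published only from `main`, not from release tags.
            ## Documentation
            See `docs/versioning.md` for the SemVer, Git tag, GHCR tag, GitHub Release, and production image policy.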