proto: prepare to publish admin protos to buf #2
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Buf CI | |
| on: | |
| push: | |
| paths: | |
| - 'proto/*.proto' | |
| - 'buf.yaml' | |
| - '.github/workflows/buf.yml' | |
| pull_request: | |
| types: [opened, synchronize, reopened, labeled, unlabeled] | |
| delete: | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| buf: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: bufbuild/buf-action@v1 | |
| with: | |
| version: 1.57.0 | |
| paths: proto | |
| # We use clang-format not buf | |
| format: false | |
| # Publishing schema changes to the BSR requires a BSR authentication token. | |
| token: ${{ secrets.BUF_TOKEN }} | |
| # Include a GitHub token to ensure API requests aren't rate limited. | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| --- | |
| # --------------------------------------------------------------------------- | |
| # Buf CI | |
| # --------------------------------------------------------------------------- | |
| # 1. validate -> lint + format + breaking checks (runs on both push & pull_request) | |
| # 2. push-to-registry -> push to Buf registry only (runs after validation passes) | |
| # 3. archive-label -> archive label in registry when branch/tag deleted (with error handling) | |
| # --------------------------------------------------------------------------- | |
| name: Buf CI | |
| on: | |
| push: | |
| paths: | |
| - 'proto/**/*.proto' | |
| - '**/buf.yaml' | |
| - '**/buf.gen.openapi.yaml' | |
| - '**/buf.gen.yaml' | |
| - '**/buf.lock' | |
| - '.github/workflows/buf.yml' | |
| pull_request: | |
| types: [opened, synchronize, reopened, labeled, unlabeled] | |
| paths: | |
| - 'proto/**/*.proto' | |
| - '**/buf.yaml' | |
| - '**/buf.gen.openapi.yaml' | |
| - '**/buf.gen.yaml' | |
| - '**/buf.lock' | |
| - '.github/workflows/buf.yml' | |
| delete: | |
| permissions: | |
| contents: read # checkout + annotations | |
| pull-requests: write # inline lint / breaking comments | |
| id-token: write # OIDC to assume AWS role (push job) | |
| # =========================================================================== | |
| # Job: validate (both push and pull_request - comprehensive validation) | |
| # =========================================================================== | |
| jobs: | |
| validate: | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Buf – lint, format & breaking | |
| uses: bufbuild/buf-action@v1 | |
| with: | |
| paths: proto | |
| lint: true | |
| format: false # We use clang-tidy | |
| breaking: true | |
| push: false # Only validate, don't push to registry | |
| # =========================================================================== | |
| # Job: push-to-registry (push events only - registry operations only) | |
| # =========================================================================== | |
| push-to-registry: | |
| if: | | |
| github.event_name == 'push' && | |
| github.repository == 'redpanda-data/redpanda' | |
| needs: validate # Only run after validation passes | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ vars.RP_AWS_CRED_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} | |
| - uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ,sdlc/prod/github/buf_token | |
| parse-json-secrets: true | |
| - uses: actions/checkout@v4 | |
| - name: Buf – push to registry | |
| uses: bufbuild/buf-action@v1 | |
| with: | |
| paths: proto | |
| # No validation - already done in validate job | |
| lint: false | |
| format: false | |
| breaking: false | |
| # Only push to registry | |
| push: true | |
| token: ${{ env.BUF_TOKEN }} | |
| # =========================================================================== | |
| # Job: archive-label (delete events only - with error handling) | |
| # =========================================================================== | |
| archive-label: | |
| if: | | |
| github.event_name == 'delete' && | |
| github.repository == 'redpanda-data/redpanda' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ vars.RP_AWS_CRED_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} | |
| - uses: aws-actions/aws-secretsmanager-get-secrets@v2 | |
| with: | |
| secret-ids: | | |
| ,sdlc/prod/github/buf_token | |
| parse-json-secrets: true | |
| - uses: actions/checkout@v4 | |
| - name: Buf – archive label (ignore if not found) | |
| uses: bufbuild/buf-action@v1 | |
| with: | |
| paths: proto | |
| # Only archive - no other operations | |
| push: true | |
| token: ${{ env.BUF_TOKEN }} | |
| # Don't fail the workflow if label doesn't exist | |
| continue-on-error: true |