nightly builds with gh actions

[anithapriyanatarajan]

Changes

This PR introduces a new GitHub Actions workflow that automates nightly releases of Tekton Pipeline using a Kind cluster as infrastructure. The existing pipeline-based approach to build and publish release artifacts is reused to ensure consistency with the current release process while enabling automated daily builds.

Core Implementation

• GitHub Actions Workflow to build and publish Images and publish nightly relase yamls on a kind cluster
• Scheduled execution at 03:00 UTC daily via cron trigger
• Manual trigger support with configurable parameters (Kubernetes version, dry-run mode)
• push images to ghcr & release artifact upload to the usual gcp bucket

Configuration

Required Secrets:
GHCR_TOKEN: GitHub Personal Access Token with packages:write scope
GCS_SERVICE_ACCOUNT_KEY: Google Cloud Service Account for bucket access

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

None

[anithapriyanatarajan]

/kind misc

[anithapriyanatarajan]

@vdemeester @afrittoli - This PR is in response to tektoncd/plumbing#2670. Please review and share your comments. If the approach followed here for pipeline component is approved I could attempt the same approach across other components. The triggers related to pipeline could be removed from plumbing repo if this is approved.

[vdemeester]

Some comments. It is "verbose" 😛

[afrittoli]

NIT: If we move pipeline to a variable and use it throughout, it will be easier to adopt this into other repos. Perhaps we could even define this in tektoncd/actions or tektoncd/plumbing and reuse it across repos. This can be done as a follow-up.

[vdemeester]

Yes some of this could be defined or used in tektoncd/actions

[anithapriyanatarajan]

@afrittoli @vdemeester - I would like to create a follow up PR to address this. Would like to understand each repo release yaml in depth before abstracting. Hope this is acceptable.

[afrittoli]

Sure, it can be a follow-up. Even within this single repo PR the string "pipeline" is repeated many times in the workflow which is also why it would be nicer to have it in a variable.

[anithapriyanatarajan]

Some comments. It is "verbose" 😛

Reduced verbosity to some extent now. Hope this helps a little 😸

[anithapriyanatarajan]

/retest

[anithapriyanatarajan]

/test

[tekton-robot]

@anithapriyanatarajan: No presubmit jobs available for tektoncd/pipeline@main

Details

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vdemeester]

/retest

[afrittoli]

Thank you for this; it's much appreciated!
I'm looking forward to using this as soon as it's ready.

One comment that I have is that I would really prefer to avoid duplicating all Tekton resources used for nightly builds and Tekton releases, because it generates double the maintenance effort. If anything, we should further factor things up across projects, where possible.

I don't see anything in the new pipeline that requires having a dedicated pipeline.

The org and repo parameters can be added in the release pipeline with valid defaults, so they do not impact the release process.

The cleanup task is not something I would have added as part of this PR. We could use existing actions like https://github.com/marketplace/actions/container-retention-policy for that.

In future, we may decide to move the entire build and release process to GHA action entirely, if we can solve the issue of signing ko built images in GHA.

Something that would be nice to see as a follow-up (separate PR) would be to start publishing the manifests of nightly builds somewhere on GitHub, so to drop the dependency from GCP there are well.

[afrittoli]

Thanks for all the updates!
I have a couple more minor questions.

[anithapriyanatarajan]

@afrittoli @vdemeester -I believe this PR is now in a good state. Most of the review comments have been addressed.

I've aligned the use of the service account and image registry user with the guidance in the official documentation:
https://github.com/tektoncd/pipeline/blob/main/tekton/release-cheat-sheet.md

The remaining open questions are:

1. Should we create a separate GCP bucket for storing the release YAMLs generated by the GitHub workflows, distinct from those produced by the trigger-based workflow?
2. What should be the appropriate REGISTRY path for the nightly images generated by the workflow?
   please suggest.

[afrittoli]

Thanks for all the updates.
One very last change please, if we could continue to pin the precheck revision 🙏

[afrittoli]

Thanks for making this happen!!
/approve

[vdemeester]

/lgtm

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [afrittoli,vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment