Tekton Nightly Build #186
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tekton Nightly Build | |
| "on": | |
| schedule: | |
| # Run at 03:00 UTC daily | |
| - cron: "0 3 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| kubernetes_version: | |
| description: 'Kubernetes version to test with' | |
| required: false | |
| default: 'v1.33.x' | |
| nightly_bucket: | |
| description: 'Oracle Cloud bucket name for builds' | |
| required: false | |
| default: 'tekton-nightly' | |
| type: string | |
| env: | |
| KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.x' }} | |
| REGISTRY: ghcr.io | |
| PACKAGE: github.com/${{ github.repository }} | |
| BUCKET: ${{ inputs.nightly_bucket || 'tekton-nightly' }} | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| IMAGE_REGISTRY_PATH: ${{ github.repository }} | |
| IMAGE_REGISTRY_USER: tekton-robot | |
| jobs: | |
| build: | |
| name: Nightly Build (K8s ${{ inputs.kubernetes_version || 'v1.33.x' }}) | |
| runs-on: ubuntu-latest | |
| if: github.repository_owner == 'tektoncd' # do not run this elsewhere | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Generate version info | |
| id: version | |
| run: | | |
| latest_sha=${{ github.sha }} | |
| date_tag=$(date +v%Y%m%d-${latest_sha:0:7}) | |
| echo "version_tag=${date_tag}" >> "$GITHUB_OUTPUT" | |
| echo "latest_sha=${latest_sha}" >> "$GITHUB_OUTPUT" | |
| - name: Set up Kind cluster | |
| uses: chainguard-dev/actions/setup-kind@18e5e3427cf9d6bcfbefe60dca48e40292f000c5 # v1.5.13 | |
| with: | |
| k8s-version: ${{ env.KUBERNETES_VERSION }} | |
| - name: Set up Tekton | |
| uses: tektoncd/actions/setup-tektoncd@dd92514472167b361de1c95fd31fc2ef83c282ec # main | |
| with: | |
| pipeline_version: latest | |
| setup_registry: "true" | |
| patch_etc_hosts: "true" | |
| - name: Configure Tekton Git Resolver | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }} | |
| run: | | |
| # Create Git authentication secret with proper Tekton annotations | |
| kubectl create secret generic git-resolver-secret \ | |
| --from-literal=token="${GITHUB_TOKEN}" \ | |
| -n tekton-pipelines-resolvers || true | |
| kubectl annotate secret git-resolver-secret \ | |
| tekton.dev/git-0=github.com \ | |
| -n tekton-pipelines-resolvers || true | |
| kubectl create secret generic git-resolver-secret \ | |
| --from-literal=token="${GITHUB_TOKEN}" \ | |
| -n default || true | |
| kubectl annotate secret git-resolver-secret \ | |
| tekton.dev/git-0=github.com \ | |
| -n default || true | |
| kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --patch=' | |
| data: | |
| api-token-secret-name: "git-resolver-secret" | |
| api-token-secret-key: "token" | |
| ' || true | |
| kubectl patch configmap feature-flags -n tekton-pipelines --patch=' | |
| data: | |
| enable-cel-in-whenexpression: "true" | |
| ' || true | |
| - name: Apply Build Pipeline Definition | |
| run: | | |
| kustomize build tekton | kubectl apply -f - | |
| - name: Create secrets, service account and PVC template | |
| env: | |
| OCI_API_KEY: ${{ secrets.OCI_API_KEY }} | |
| OCI_FINGERPRINT: ${{ secrets.OCI_FINGERPRINT }} | |
| OCI_TENANCY_OCID: ${{ secrets.OCI_TENANCY_OCID }} | |
| OCI_USER_OCID: ${{ secrets.OCI_USER_OCID }} | |
| OCI_REGION: ${{ secrets.OCI_REGION }} | |
| GHCR_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }} | |
| IMAGE_REGISTRY_USER: ${{ env.IMAGE_REGISTRY_USER }} | |
| run: | | |
| # Create Oracle Cloud credentials secret for release bucket access | |
| echo "${OCI_API_KEY}" > /tmp/oci_api_key.pem | |
| echo "${OCI_FINGERPRINT}" > /tmp/fingerprint | |
| echo "${OCI_TENANCY_OCID}" > /tmp/tenancy_ocid | |
| echo "${OCI_USER_OCID}" > /tmp/user_ocid | |
| echo "${OCI_REGION}" > /tmp/region | |
| kubectl create secret generic release-secret \ | |
| --from-file=oci_api_key.pem=/tmp/oci_api_key.pem \ | |
| --from-file=fingerprint=/tmp/fingerprint \ | |
| --from-file=tenancy_ocid=/tmp/tenancy_ocid \ | |
| --from-file=user_ocid=/tmp/user_ocid \ | |
| --from-file=region=/tmp/region | |
| rm -f /tmp/oci_api_key.pem /tmp/fingerprint /tmp/tenancy_ocid /tmp/user_ocid /tmp/region | |
| # Create a Kubernetes secret for GHCR authentication. | |
| # This version creates the secret with a custom key name `docker-config.json` | |
| # (instead of the default `.dockerconfigjson`) to match what the publish task expects. | |
| echo "${GHCR_TOKEN}" > /tmp/docker-config.json | |
| kubectl create secret generic release-images-secret \ | |
| --from-file=docker-config.json=/tmp/docker-config.json | |
| rm -f /tmp/docker-config.json | |
| # Apply service account configuration with proper RBAC | |
| kubectl apply -f tekton/account.yaml | |
| cat > workspace-template.yaml << EOF | |
| spec: | |
| accessModes: | |
| - ReadWriteOnce | |
| resources: | |
| requests: | |
| storage: 1Gi | |
| EOF | |
| - name: Start Tekton Build Pipeline | |
| run: | | |
| set -euo pipefail # Exit on any error, undefined variables, or pipe failures | |
| echo "Starting Tekton pipeline..." | |
| PIPELINE_RUN=$(tkn pipeline start pipeline-release \ | |
| --serviceaccount=release-right-meow \ | |
| --param package="${{ env.PACKAGE }}" \ | |
| --param repoName="${{ env.REPO_NAME }}" \ | |
| --param gitRevision="${{ steps.version.outputs.latest_sha }}" \ | |
| --param versionTag="${{ steps.version.outputs.version_tag }}" \ | |
| --param releaseBucket="${{ env.BUCKET }}" \ | |
| --param imageRegistry=${{ env.REGISTRY }} \ | |
| --param imageRegistryPath="${{ env.IMAGE_REGISTRY_PATH }}" \ | |
| --param imageRegistryUser="${{ env.IMAGE_REGISTRY_USER }}" \ | |
| --param imageRegistryRegions="" \ | |
| --param buildPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" \ | |
| --param publishPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64" \ | |
| --param koExtraArgs="" \ | |
| --param serviceAccountImagesPath=docker-config.json \ | |
| --param releaseAsLatest="true" \ | |
| --param runTests="false" \ | |
| --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \ | |
| --workspace name=release-secret,secret=release-secret \ | |
| --workspace name=release-images-secret,secret=release-images-secret \ | |
| --tasks-timeout 2h \ | |
| --pipeline-timeout 3h \ | |
| --output name) || { | |
| echo "Failed to start Tekton pipeline!" | |
| exit 1 | |
| } | |
| echo "Pipeline started: ${PIPELINE_RUN}" | |
| tkn pipelinerun logs "${PIPELINE_RUN}" -f | |
| # Check if pipeline succeeded | |
| tkn pipelinerun describe "${PIPELINE_RUN}" --output jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}' | grep -q "True" || { | |
| echo "Pipeline failed!" | |
| tkn pipelinerun describe "${PIPELINE_RUN}" | |
| exit 1 | |
| } | |
| echo "✅ Pipeline Run completed successfully!" |