diff --git a/.github/workflows/sync-to-nexus.yml b/.github/workflows/sync-to-nexus.yml
new file mode 100644
index 0000000000..f3aa8c2795
--- /dev/null
+++ b/.github/workflows/sync-to-nexus.yml
@@ -0,0 +1,130 @@
+name: Sync Release To Nexus
+
+# Triggers a Hub-resolved Tekton PipelineRun on the in-cluster ARC runner
+# whenever an alauda-suffixed tag is pushed. The pipeline (defined in
+# ops/edge-devops-task, exposed via Hub catalog `extras`) waits for the
+# corresponding GitHub Release to be ready, then mirrors its assets to
+# the internal Nexus under both a versioned path and a `latest/` channel.
+
+on:
+ push:
+ tags:
+ - 'v*-alauda-*'
+ # Debug-phase: lets us iterate on this workflow file inside a PR
+ # against master without first merging it. GitHub picks up the
+ # workflow content from the PR head branch for `pull_request` events,
+ # which is what makes "test the workflow before it lands on master"
+ # possible. Required because `workflow_dispatch` only registers
+ # workflows that already exist on the default branch — so until this
+ # file lands on master, PR is the only path to a real GA run. The
+ # `paths` filter scopes triggers to edits of this file specifically,
+ # so unrelated source-code commits in the PR do not re-spam runs.
+ pull_request:
+ branches: [master]
+ paths:
+ - '.github/workflows/sync-to-nexus.yml'
+ # Debug-phase: lets the maintainer re-run the Pipeline against an
+ # ALREADY-PUBLISHED tag from the GitHub Actions UI (Run workflow
+ # button) without pushing a new tag. Pick the tag from the input
+ # field; the default points at a known-good tag with full release
+ # assets so smoke runs are zero-config. Note: `workflow_dispatch`
+ # only becomes available once this file is on the default branch.
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'Existing release tag to mirror (e.g. v4.47.2-alauda-19)'
+ required: true
+ default: 'v4.47.2-alauda-19'
+
+jobs:
+ trigger-sync:
+ # Base ARC runner image already bundles tkn / kubectl / curl / jq / yq;
+ # no `container:` override needed.
+ runs-on: alauda-devops-runner
+ steps:
+ - name: create PipelineRun (Hub-resolved) and follow logs
+ env:
+ TEKTON_NS: devops
+ # Debug mode: the Pipeline is `kubectl apply`-ed directly into
+ # ${TEKTON_NS} by the maintainer for end-to-end testing before
+ # the catalog PR lands. Once merged into Tekton Hub catalog
+ # `extras`, switch the `pipelineRef` block below back to the
+ # hub resolver form (catalog=extras / kind=pipeline /
+ # name=sync-github-release-to-nexus / version=0.1).
+ PIPELINE_NAME: sync-github-release-to-nexus
+ # Deterministic PipelineRun name avoids racy label lookup.
+ # github.run_id is globally unique; run_attempt disambiguates re-runs.
+ PR_NAME: sync-${{ github.run_id }}-${{ github.run_attempt }}
+ REPO: ${{ github.repository }}
+ # Tag selection priority:
+ # 1. `workflow_dispatch.inputs.tag` (UI Run-workflow button).
+ # 2. `pull_request` event → `github.ref_name` is the PR's
+ # head branch name (useless as a release tag), so fall
+ # back to a known-good debug tag with full release assets.
+ # 3. `push:tags` → `github.ref_name` is the tag itself.
+ # GitHub Actions has no real ternary; the `&&`/`||`
+ # short-circuit chain emulates one — `(cond && X) || Y`
+ # yields X when cond is truthy and Y otherwise.
+ TAG: ${{ github.event.inputs.tag || (github.event_name == 'pull_request' && 'v4.47.2-alauda-19') || github.ref_name }}
+ RELEASE_URL: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.event.inputs.tag || (github.event_name == 'pull_request' && 'v4.47.2-alauda-19') || github.ref_name }}
+ run: |
+ set -euo pipefail
+
+ # Source-repo label uses dots instead of slashes to satisfy
+ # Kubernetes label value charset (no '/').
+ SOURCE_REPO_LABEL="${REPO//\//.}"
+
+ # Create PipelineRun with metadata.name (not generateName) so the
+ # PR name is known up front for `tkn pr logs -f` below.
+ # github-token workspace intentionally omitted: forks are public,
+ # pipeline declares it `optional: true` and falls back to anonymous.
+ cat <