From 5b8b6ee54f7203afc96a9db5c769ed21cbb83693 Mon Sep 17 00:00:00 2001
From: Maximilian Greve
Date: Wed, 4 Dec 2024 15:59:30 +0000
Subject: [PATCH 1/2] add optional deployment prevention
---
 ...publish-check-deploy-on-push-scheduled.yml | 48 ++++++++++++++++++-
 1 file changed, 46 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
index 451bc4e4..a62804ff 100644
--- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
+++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
@@ -16,6 +16,46 @@ concurrency: cancel-in-progress: true jobs: + + check_deployment_clearance: + name: "Check deployment clearance" + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + outputs: + deployment_clearance: ${{ steps.determine_deployment_clearance.outputs.deployment_clearance }} + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Get PR number + id: get_pr_number + run: | + PR_NUMBER=$(gh pr list --state open --head ${{ github.ref_name }} --json number --jq '.[0].number') + if [ -z "$PR_NUMBER" ]; then + echo "No existing PR found for ${{ github.ref_name }} " + else + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV + fi + + - name: Get PR labels + id: get_pr_labels + if: ${{ env.PR_NUMBER != '' }} + run: | + PR_LABELS=$(gh pr view ${{ env.PR_NUMBER }} --json labels --jq '.labels | map(.name) | join(",")') + echo "PR_LABELS=$PR_LABELS" >> $GITHUB_ENV + + - name: Determine deployment clearance + id: determine_deployment_clearance + run: | + if [ -z "$env.PR_NUMBER" ] || [[ ${{ ! contains(env.PR_LABELS, 'prevent_auto_deployment') }} == true ]]; then + echo "deployment_clearance=true" >> "$GITHUB_OUTPUT" + echo "Deployment clearance: true" + else + echo "deployment_clearance=false" >> "$GITHUB_OUTPUT" + echo "Deployment clearance: false" + fi + codeql_analyze: name: 'CodeQL' if: ${{ github.event_name == 'push' }}
@@ -45,8 +85,10 @@ jobs: secrets: inherit build_image_on_push: + needs: + - check_deployment_clearance name: 'Publish image and scan with trivy' - if: ${{ github.event_name == 'push' }} + if: ${{ github.event_name == 'push' && needs.check_deployment_clearance.outputs.deployment_clearance == 'true' }} permissions: packages: write security-events: write
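Review bot: The guard `if [ -z "$env.PR_NUMBER" ]` in the "Determine deployment clearance" step never fires, because bash expands `$env` to an empty string and leaves the literal `.PR_NUMBER`, so the tested string is never empty; branches without a PR only get `deployment_clearance=true` because the second clause, `${{ ! contains(env.PR_LABELS, 'prevent_auto_deployment') }}`, renders as `true` when PR_LABELS was never set. In the "Get PR number" step, `${{ github.ref_name }}` is expanded straight into the shell script; GitHub's guidance for workflow expressions is to pass such values through an `env:` entry and reference them as a quoted shell variable, and the labels step can likewise read `"$PR_NUMBER"` from the environment instead of interpolating `${{ env.PR_NUMBER }}`. `actions/checkout@v2` is an old major of the action referenced by a mutable tag; either pin it to a commit SHA or drop the step and pass `--repo "$GITHUB_REPOSITORY"` to `gh pr list`, since the job needs no working tree. The job also declares no `permissions:` of its own, so whether `GITHUB_TOKEN` carries `pull-requests: read` for the `gh` calls depends on the workflow-level default, which is outside this hunk.
```yaml
      - name: Get PR number
        id: get_pr_number
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          PR_NUMBER=$(gh pr list --repo "$GITHUB_REPOSITORY" --state open --head "$REF_NAME" --json number --jq '.[0].number')
          if [ -z "$PR_NUMBER" ]; then
            echo "No existing PR found for $REF_NAME"
          else
            echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
          fi
      # … unchanged: Get PR labels step (use "$PR_NUMBER" instead of ${{ env.PR_NUMBER }}) …
      - name: Determine deployment clearance
        id: determine_deployment_clearance
        run: |
          if [ -z "$PR_NUMBER" ] || [[ "${{ ! contains(env.PR_LABELS, 'prevent_auto_deployment') }}" == "true" ]]; then
          # … unchanged: echo/output lines of both branches …
```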
@@ -67,7 +109,9 @@ jobs: contents: read select_helm_version_generation_and_image_tag_generation: - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + needs: + - check_deployment_clearance + if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') && needs.check_deployment_clearance.outputs.deployment_clearance == 'true' }} runs-on: ubuntu-latest outputs: SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }}
From 71e2732ff8a534c28f99acd6870e1fc993ea4cdb Mon Sep 17 00:00:00 2001
From: Maximilian Greve
Date: Thu, 19 Dec 2024 13:12:06 +0000
Subject: [PATCH 2/2] switch output
---
 .../image-and-helm-publish-check-deploy-on-push-scheduled.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
index dc6e9360..ef9309a9 100644
--- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
+++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
@@ -49,11 +49,11 @@ jobs: id: determine_deployment_clearance run: | if [ -z "$env.PR_NUMBER" ] || [[ ${{ ! contains(env.PR_LABELS, 'prevent_auto_deployment') }} == true ]]; then - echo "deployment_clearance=true" >> "$GITHUB_OUTPUT" echo "Deployment clearance: true" + echo "deployment_clearance=true" >> "$GITHUB_OUTPUT" else - echo "deployment_clearance=false" >> "$GITHUB_OUTPUT" echo "Deployment clearance: false" + echo "deployment_clearance=false" >> "$GITHUB_OUTPUT" fi codeql_analyze: