Skip to content

Envoy/Publish & verify #6745

Envoy/Publish & verify

Envoy/Publish & verify #6745

Workflow file for this run

# This workflow is triggered by azp currently
# Once arm/x64 build jobs are shifted to github, this can be triggered
# by on: workflow_run
name: Envoy/Publish & verify
permissions:
contents: read
on:
# This runs untrusted code, do not expose secrets in the verify job
workflow_dispatch:
inputs:
ref:
description: "Git SHA ref to checkout"
sha:
description: "Git SHA of commit HEAD (ie last commit of PR)"
head_ref:
description: "Ref for grouping PRs"
concurrency:
group: >-
${{ github.actor != 'trigger-release-envoy[bot]'
&& github.event.inputs.head_ref
|| github.run_id
}}-${{ github.event.workflow.id }}
cancel-in-progress: true
jobs:
load:
secrets:
app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
app-id: ${{ secrets.ENVOY_CI_APP_ID }}
lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
permissions:
actions: read
contents: read
packages: read
pull-requests: read
if: >-
${{
(github.repository == 'envoyproxy/envoy'
|| vars.ENVOY_CI)
&& (!contains(github.actor, '[bot]')
|| github.actor == 'trigger-workflow-envoy[bot]'
|| github.actor == 'trigger-release-envoy[bot]')
}}
uses: ./.github/workflows/_load.yml
with:
check-name: publish
head-sha: ${{ inputs.sha }}
publish:
secrets:
ENVOY_CI_SYNC_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_ID || '' }}
ENVOY_CI_SYNC_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_KEY || '' }}
ENVOY_CI_PUBLISH_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }}
ENVOY_CI_PUBLISH_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }}
permissions:
contents: read
packages: read
if: ${{ fromJSON(needs.load.outputs.request).run.publish }}
needs:
- load
uses: ./.github/workflows/_stage_publish.yml
name: Publish
with:
request: ${{ needs.load.outputs.request }}
trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
verify:
permissions:
contents: read
packages: read
if: ${{ fromJSON(needs.load.outputs.request).run.verify }}
needs:
- load
uses: ./.github/workflows/_stage_verify.yml
name: Verify
with:
request: ${{ needs.load.outputs.request }}
trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
request:
secrets:
app-id: ${{ secrets.ENVOY_CI_APP_ID }}
app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
permissions:
actions: read
contents: read
pull-requests: read
if: >-
${{ always()
&& (fromJSON(needs.load.outputs.request).run.publish
|| fromJSON(needs.load.outputs.request).run.verify) }}
needs:
- load
- publish
- verify
uses: ./.github/workflows/_finish.yml
with:
needs: ${{ toJSON(needs) }}