ci: update GH workflows as a result of the main branch being used for Registry 3.x

jsenko · jsenko · commit 12648d2b7723 · 2024-06-26T15:37:42.000+02:00
- Make sure the workflows are only triggered by updates on the 2.6.x branch.
- Remove or fix some older workflows that have been previously only triggered on main.
- Correctly build latest images.
- Update Trivy scan config.
diff --git a/.github/scripts/build-and-push-multiarch-images.sh b/.github/scripts/build-and-push-multiarch-images.sh
@@ -52,16 +52,9 @@ then
 fi
 
 
+# In the past, if the branch name was "main", we have built and pushed images with tag "latest-{type}" instead of "{branch}-type".
+# But since main now contains code for Registry 3.x, which also uses different image repositories (apicurio-registry and apicurio-registry-ui),
+# we now need to use the latest tags for the latest minor branch (2.<minor>.x).
 
-case $BRANCH_NAME in
+make IMAGE_REPO=${IMAGE_REPOSITORY} IMAGE_TAG=${BRANCH_NAME}-${RELEASE_TYPE} ${VARIANT}
 
-  "main"|"2.5.x")
-       # if main branch, build images with tag "latest-${RELEASE_TYPE}"
-       make IMAGE_REPO=${IMAGE_REPOSITORY} IMAGE_TAG=latest-${RELEASE_TYPE} ${VARIANT}
-       ;;
-
-   *)
-       # if other than main, build images with tag "${BRANCH_NAME}-${RELEASE_TYPE}"
-       make IMAGE_REPO=${IMAGE_REPOSITORY} IMAGE_TAG=${BRANCH_NAME}-${RELEASE_TYPE} ${VARIANT}
-       ;;
-esac
diff --git a/.github/workflows/dispatch-openapi.yaml b/.github/workflows/dispatch-openapi.yaml
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
@@ -9,15 +9,15 @@ jobs:
   call-image-scan-registry-mem:
     uses: Apicurio/apicurio-gh-workflows/.github/workflows/image-scan.yaml@main
     with:
-      image: quay.io/apicurio/apicurio-registry-mem:latest-snapshot
+      image: quay.io/apicurio/apicurio-registry-mem:2.5.x-snapshot
 
   call-image-scan-registry-sql:
     uses: Apicurio/apicurio-gh-workflows/.github/workflows/image-scan.yaml@main
     with:
-      image: quay.io/apicurio/apicurio-registry-sql:latest-snapshot
+      image: quay.io/apicurio/apicurio-registry-sql:2.5.x-snapshot
 
   call-image-scan-registry-kafkasql:
     uses: Apicurio/apicurio-gh-workflows/.github/workflows/image-scan.yaml@main
     with:
-      image: quay.io/apicurio/apicurio-registry-kafkasql:latest-snapshot
+      image: quay.io/apicurio/apicurio-registry-kafkasql:2.5.x-snapshot
 
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
@@ -7,14 +7,14 @@ on:
       - 'README*'
       - 'docs/**'
       - '.github/workflows/**'
-    branches: [main, '[1-9].[1-9].x', 2.4.x, 2.5.x]
+    branches: ['2.5.x']
   pull_request:
     paths-ignore:
       - '.gitignore'
       - 'LICENSE'
       - 'README*'
       - 'docs/**'
-    branches: [main, '[1-9].[0-9].x']
+    branches: ['2.5.x']
 
 concurrency:
   # Only run once for latest commit per ref and cancel other (previous) runs.
@@ -51,7 +51,6 @@ jobs:
           IMAGE_TAG: 1d
         run: make build-sql-image push-sql-image
 
-
   prepare-kafkasql-tests:
     name: Prepare for KafkaSQL Integration Tests
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -6,14 +6,14 @@ on:
       - 'LICENSE'
       - 'README*'
       - 'docs/**'
-    branches: [main]
+    branches: ['2.5.x']
   pull_request:
     paths-ignore:
       - '.gitignore'
       - 'LICENSE'
       - 'README*'
       - 'docs/**'
-    branches: [main, 2.0.x]
+    branches: ['2.5.x']
 
 concurrency:
   # Only run once for latest commit per ref and cancel other (previous) runs.
diff --git a/.github/workflows/python-sdk.yaml b/.github/workflows/python-sdk.yaml
@@ -7,14 +7,14 @@ on:
       - 'README*'
       - 'docs/**'
       - '.github/workflows/**'
-    branches: [main, '[1-9].[0-9].x']
+    branches: ['2.5.x']
   pull_request:
     paths-ignore:
       - '.gitignore'
       - 'LICENSE'
       - 'README*'
       - 'docs/**'
-    branches: [main]
+    branches: ['2.5.x']
 
 jobs:
   build-verify:
diff --git a/.github/workflows/release-images.yaml b/.github/workflows/release-images.yaml
@@ -19,12 +19,18 @@ env:
 
 jobs:
   release-images:
-    if: github.repository_owner == 'Apicurio' && (github.event_name == 'workflow_dispatch' || startsWith(github.event.release.tag_name, '2.5.'))
+    if: github.repository_owner == 'Apicurio'
     runs-on: ubuntu-20.04
     timeout-minutes: 120
     env:
       RELEASE_TYPE: release
     steps:
+
+      - name: Check Prerequisites
+        if: github.event_name != 'workflow_dispatch' && !startsWith(github.event.release.tag_name, '2.5.')
+        run: |
+          exit 1
+
       - name: View Disk Usage
         run: df -h
 
diff --git a/.github/workflows/tag-registry-examples.yaml b/.github/workflows/tag-registry-examples.yaml
@@ -21,6 +21,7 @@ on:
 jobs:
   tag-registry-examples:
     runs-on: ubuntu-20.04
+    if: false # Registry Examples repository is archived, since we moved them to the Registry repository. This workflow can be later removed.
     steps:
       - name: Set Versions
         run: |
diff --git a/.github/workflows/update-openapi.yaml b/.github/workflows/update-openapi.yaml
@@ -5,7 +5,7 @@ on:
       - common/src/main/resources/META-INF/openapi.json
       - utils/tools/src/main/java/io/apicurio/registry/utils/tools/AddOpenApiAuth.java
       - utils/tools/src/main/java/io/apicurio/registry/utils/tools/TransformOpenApiForClientGen.java
-    branches: [ main ]
+    branches: [ '2.5.x' ]
 
 jobs:
   update-openapi:
@@ -22,8 +22,8 @@ jobs:
           git config --global user.email "apicurio.ci@gmail.com"
           git remote add origin "https://apicurio-ci:${{ secrets.ACCESS_TOKEN }}@github.com/Apicurio/apicurio-registry.git"
           git fetch
-          git checkout main
-          git branch --set-upstream-to=origin/main
+          git checkout 2.5.x
+          git branch --set-upstream-to=origin/2.5.x
           git pull
 
       - name: Set up JDK 17
@@ -61,7 +61,3 @@ jobs:
   validate:
     needs: update-openapi
     uses: ./.github/workflows/validate-openapi.yaml
-
-  dispatch:
-    needs: validate
-    uses: ./.github/workflows/dispatch-openapi.yaml
diff --git a/.github/workflows/update-website.yaml b/.github/workflows/update-website.yaml
@@ -6,10 +6,15 @@ on:
 
 jobs:
   update-website:
-    if: github.repository_owner == 'Apicurio' && (github.event_name == 'workflow_dispatch' || startsWith(github.event.release.tag_name, '2.5.'))
+    if: github.repository_owner == 'Apicurio'
     runs-on: ubuntu-20.04
     steps:
 
+      - name: Check Prerequisites
+        if: github.event_name != 'workflow_dispatch' && !startsWith(github.event.release.tag_name, '2.5.')
+        run: |
+          exit 1
+
       - name: Apicurio Website Checkout
         run: |
           mkdir website
diff --git a/.github/workflows/validate-openapi.yaml b/.github/workflows/validate-openapi.yaml
@@ -2,8 +2,7 @@ name: Validate OpenAPI schema with Spectral
 on:
   workflow_call: { }
   pull_request:
-    branches:
-      - main
+    branches: ['2.5.x']
     paths:
       - common/src/main/resources/META-INF/openapi.json
 
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -7,14 +7,14 @@ on:
       - 'README*'
       - 'docs/**'
       - '.github/workflows/**'
-    branches: [main, '[1-9].[0-9].x']
+    branches: ['2.5.x']
   pull_request:
     paths-ignore:
       - '.gitignore'
       - 'LICENSE'
       - 'README*'
       - 'docs/**'
-    branches: [main, '[1-9].[0-9].x']
+    branches: ['2.5.x']
 
 concurrency:
   # Only run once for latest commit per ref and cancel other (previous) runs.
diff --git a/Makefile b/Makefile
@@ -16,6 +16,7 @@ DOCKER_BUILD_WORKSPACE ?= $(DOCKERFILE_LOCATION)
 IMAGE_REPO ?= docker.io
 IMAGE_GROUP ?= apicurio
 IMAGE_TAG ?= latest
+ADDITIONAL_IMAGE_TAG ?= none
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
 SKIP_TESTS ?= false
 INTEGRATION_TESTS_PROFILE ?= ci
@@ -284,8 +285,13 @@ mem-multiarch-images:
 	@echo " Supported Platforms: $(IMAGE_PLATFORMS)"
 	@echo " Repository: $(IMAGE_REPO)"
 	@echo " Tag: $(IMAGE_TAG)"
+	@echo " Additional image tag: $(ADDITIONAL_IMAGE_TAG)"
 	@echo "------------------------------------------------------------------------"
 	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MEM_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-mem:$(IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+ifneq ($(ADDITIONAL_IMAGE_TAG), none)
+	@echo "Publishing additional tag: $(ADDITIONAL_IMAGE_TAG)"
+	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MEM_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-mem:$(ADDITIONAL_IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+endif
 
 .PHONY: sql-multiarch-images ## Builds and pushes multi-arch images for 'sql' storage variant. Variables available for override [SQL_DOCKERFILE, IMAGE_REPO, IMAGE_TAG, DOCKER_BUILD_WORKSPACE]
 sql-multiarch-images:
@@ -294,8 +300,13 @@ sql-multiarch-images:
 	@echo " Supported Platforms: $(IMAGE_PLATFORMS)"
 	@echo " Repository: $(IMAGE_REPO)"
 	@echo " Tag: $(IMAGE_TAG)"
+	@echo " Additional image tag: $(ADDITIONAL_IMAGE_TAG)"
 	@echo "------------------------------------------------------------------------"
 	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(SQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-sql:$(IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+ifneq ($(ADDITIONAL_IMAGE_TAG), none)
+	@echo "Publishing additional tag: $(ADDITIONAL_IMAGE_TAG)"
+	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(SQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-sql:$(ADDITIONAL_IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+endif
 
 .PHONY: mssql-multiarch-images ## Builds and pushes multi-arch images for 'mssql' storage variant. Variables available for override [MSSQL_DOCKERFILE, IMAGE_REPO, IMAGE_TAG, DOCKER_BUILD_WORKSPACE]
 mssql-multiarch-images:
@@ -304,8 +315,13 @@ mssql-multiarch-images:
 	@echo " Supported Platforms: $(IMAGE_PLATFORMS)"
 	@echo " Repository: $(IMAGE_REPO)"
 	@echo " Tag: $(IMAGE_TAG)"
+	@echo " Additional image tag: $(ADDITIONAL_IMAGE_TAG)"
 	@echo "------------------------------------------------------------------------"
 	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MSSQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-mssql:$(IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+ifneq ($(ADDITIONAL_IMAGE_TAG), none)
+	@echo "Publishing additional tag: $(ADDITIONAL_IMAGE_TAG)"
+	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MSSQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-mssql:$(ADDITIONAL_IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+endif
 
 .PHONY: mysql-multiarch-images ## Builds and pushes multi-arch images for 'mysql' storage variant. Variables available for override [MYSQL_DOCKERFILE, IMAGE_REPO, IMAGE_TAG, DOCKER_BUILD_WORKSPACE]
 mysql-multiarch-images:
@@ -314,8 +330,13 @@ mysql-multiarch-images:
 	@echo " Supported Platforms: $(IMAGE_PLATFORMS)"
 	@echo " Repository: $(IMAGE_REPO)"
 	@echo " Tag: $(IMAGE_TAG)"
+	@echo " Additional image tag: $(ADDITIONAL_IMAGE_TAG)"
 	@echo "------------------------------------------------------------------------"
 	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MYSQL_DOCKERFILE) -t $(IMAGE_REPO)/apicurio/apicurio-registry-mysql:$(IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+ifneq ($(ADDITIONAL_IMAGE_TAG), none)
+	@echo "Publishing additional tag: $(ADDITIONAL_IMAGE_TAG)"
+	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(MYSQL_DOCKERFILE) -t $(IMAGE_REPO)/apicurio/apicurio-registry-mysql:$(ADDITIONAL_IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+endif
 
 .PHONY: kafkasql-multiarch-images ## Builds and pushes multi-arch images for kafkasql storage variant. Variables available for override [KAFKASQL_DOCKERFILE, IMAGE_REPO, IMAGE_TAG, DOCKER_BUILD_WORKSPACE]
 kafkasql-multiarch-images:
@@ -324,8 +345,13 @@ kafkasql-multiarch-images:
 	@echo " Supported Platforms: $(IMAGE_PLATFORMS)"
 	@echo " Repository: $(IMAGE_REPO)"
 	@echo " Tag: $(IMAGE_TAG)"
+	@echo " Additional image tag: $(ADDITIONAL_IMAGE_TAG)"
 	@echo "------------------------------------------------------------------------"
 	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(KAFKASQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-kafkasql:$(IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+ifneq ($(ADDITIONAL_IMAGE_TAG), none)
+	@echo "Publishing additional tag: $(ADDITIONAL_IMAGE_TAG)"
+	docker buildx build --push -f $(DOCKERFILE_LOCATION)/$(KAFKASQL_DOCKERFILE) -t $(IMAGE_REPO)/$(IMAGE_GROUP)/apicurio-registry-kafkasql:$(ADDITIONAL_IMAGE_TAG) --platform $(IMAGE_PLATFORMS) $(DOCKER_BUILD_WORKSPACE)
+endif
 
 .PHONY: mem-native-scratch-image ## Builds and pushes multi-arch images for mem storage variant based on scratch. Variables available for override [MEM_SCRATCH_DOCKERFILE, IMAGE_REPO, IMAGE_TAG, DOCKER_BUILD_WORKSPACE]
 mem-native-scratch-image:
diff --git a/scripts/validate-files.sh b/scripts/validate-files.sh
@@ -20,4 +20,6 @@ done
 echo "DB version ok between build and DDLs"
 
 echo "Linting openshift templates"
-spectral lint distro/openshift-template/mt/apicurio-registry-mt-template.yaml --ruleset scripts/ocp-template-ruleset.js
+spectral lint distro/openshift-template/mt/apicurio-registry-template-mem.yml --ruleset scripts/ocp-template-ruleset.js
+spectral lint distro/openshift-template/mt/apicurio-registry-template-sql.yml --ruleset scripts/ocp-template-ruleset.js
+spectral lint distro/openshift-template/mt/apicurio-registry-template-kafkasql.yml --ruleset scripts/ocp-template-ruleset.js
