From be25d56aab6fdf3eff389ac653a34bed52d3c985 Mon Sep 17 00:00:00 2001 
From: Amit Rajput Date: Mon, 6 Apr 2026 17:45:07 +0530 Subject: [PATCH] ci: migrate workflows from Gitea to GitHub Actions Archive non-GCP workflows, rename GCP variants to drop -gcp suffix, replace Gitea-hosted aws-cli-action with aws-actions/configure-aws-credentials@v4. --- .../workflows/archive/base-build-image.yml | 61 ++++++++ .../archive/dispatch-container-base.yml | 59 ++++++++ .github/workflows/archive/push-container.yml | 52 +++++++ .../{push-s3-gcp.yml => archive/push-s3.yml} | 26 +--- .github/workflows/base-build-image-gcp.yml | 71 ---------- .github/workflows/base-build-image.yml | 42 +++--- .../workflows/dispatch-container-base-gcp.yml | 69 --------- .github/workflows/dispatch-container-base.yml | 42 +++--- .github/workflows/push-container-gcp.yml | 63 --------- .github/workflows/push-container.yml | 79 ++++++----- .github/workflows/push-s3.yml | 49 ++++--- .../.history.jsonl | 13 ++ .../.status.yaml | 42 ++++++ .../checklist.md | 34 +++++ .../intake.md | 108 +++++++++++++++ .../spec.md | 131 ++++++++++++++++++ .../tasks.md | 28 ++++ 17 files changed, 663 insertions(+), 306 deletions(-) create mode 100644 .github/workflows/archive/base-build-image.yml create mode 100644 .github/workflows/archive/dispatch-container-base.yml create mode 100644 .github/workflows/archive/push-container.yml rename .github/workflows/{push-s3-gcp.yml => archive/push-s3.yml} (76%) delete mode 100644 .github/workflows/base-build-image-gcp.yml delete mode 100644 .github/workflows/dispatch-container-base-gcp.yml delete mode 100644 .github/workflows/push-container-gcp.yml create mode 100644 fab/changes/260406-vhk4-migrate-workflows-github-actions/.history.jsonl create mode 100644 fab/changes/260406-vhk4-migrate-workflows-github-actions/.status.yaml create mode 100644 fab/changes/260406-vhk4-migrate-workflows-github-actions/checklist.md create mode 100644 fab/changes/260406-vhk4-migrate-workflows-github-actions/intake.md create mode 100644 
fab/changes/260406-vhk4-migrate-workflows-github-actions/spec.md create mode 100644 fab/changes/260406-vhk4-migrate-workflows-github-actions/tasks.md diff --git a/.github/workflows/archive/base-build-image.yml b/.github/workflows/archive/base-build-image.yml new file mode 100644 index 0000000..c855c47 --- /dev/null +++ b/.github/workflows/archive/base-build-image.yml 
@@ -0,0 +1,61 @@ +name: Build base images (Generally from basin repo) + +on: + workflow_call: + inputs: + image_tag: + required: true + type: string + fail_on_scan: + default: true + type: boolean + +jobs: + docker-build-and-push: + + runs-on: ubuntu-22.04 #ubuntu-latest + + steps: + - id: get-id + name: Get a unique tag for this build + run: | + echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; + + - name: Print image name + run: | + echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - uses: actions/checkout@v4 + + - name: Login to Docker Container Registry + # if: ${{ github.event_name == 'push' }} + uses: docker/login-action@v3 + with: + registry: ${{ vars.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} + + - name: Build and push the Docker image + run: | + docker build \ + --file context/Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + ./context; + + - name: Container details + run: | + IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; + echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - name: Scan Docker Image for vulnerabilities with Grype + uses: anchore/scan-action@v6 + with: + image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} + cache-db: true #Cache Grype DB in Github Actions + output-format: table + only-fixed: true + severity-cutoff: critical + fail-build: ${{ inputs.fail_on_scan }} + + - name: Push the container image + run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} diff --git a/.github/workflows/archive/dispatch-container-base.yml b/.github/workflows/archive/dispatch-container-base.yml new file mode 100644 index 0000000..e8fede4 --- /dev/null +++ b/.github/workflows/archive/dispatch-container-base.yml 
@@ -0,0 +1,59 @@ +name: Build base images from code repos + +on: + workflow_call: + inputs: + image_tag: + required: true + type: string + +jobs: + docker-base-build-and-push: + + runs-on: ubuntu-22.04 #ubuntu-latest + + steps: + - id: get-id + name: Get a unique tag for this build + run: | + echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; + + - name: Print image name + run: | + echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - uses: actions/checkout@v4 + + - name: Login to Docker Container Registry + # if: ${{ github.event_name == 'push' }} + uses: docker/login-action@v3 + with: + registry: ${{ vars.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} + + - name: Build and push the Docker image + run: | + docker build \ + --file fab/d/actions-base.Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + .; + + - name: Container details + run: | + IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; + echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - name: Push the container image + run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} + + - name: Scan Docker Image for vulnerabilities with Grype + uses: anchore/scan-action@v6 + with: + image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} + cache-db: true #Cache Grype DB in Github Actions + output-format: table + only-fixed: true + severity-cutoff: critical + fail-build: true + diff --git a/.github/workflows/archive/push-container.yml b/.github/workflows/archive/push-container.yml new file mode 100644 index 0000000..12b8a16 --- /dev/null +++ b/.github/workflows/archive/push-container.yml 
@@ -0,0 +1,52 @@ +name: Reusable container push workflow + +on: + workflow_call: + +env: + REPO: ${{ github.repository }} + +jobs: + + push-container: + runs-on: ubuntu-22.04 + steps: + - id: get-id + name: Get a unique tag for this build + run: | + SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; + BUILD_ID=$BRANCH_NAME-${SHA:0:8}; + DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; + echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; + echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; + + - name: Print build id and image name + run: | + echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; + echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - uses: actions/checkout@v4 + + - name: Login to docker container registry + uses: docker/login-action@v3 + with: + registry: ${{ vars.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} + + - name: Build the container image + run: | + docker build \ + --build-arg BUILD_STEP=container \ + --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \ + --file fab/d/actions-build.Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + .; + + - name: Container details + run: | + IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; + echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - name: Push the container image + run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ No newline at end of file diff --git a/.github/workflows/push-s3-gcp.yml b/.github/workflows/archive/push-s3.yml similarity index 76% rename from .github/workflows/push-s3-gcp.yml rename to .github/workflows/archive/push-s3.yml index e8b5a29..0351be5 100644 --- a/.github/workflows/push-s3-gcp.yml +++ b/.github/workflows/archive/push-s3.yml 
@@ -19,7 +19,7 @@ jobs: run: | SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; BUILD_ID=$BRANCH_NAME-${SHA:0:8}; - DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/$REPO:$BUILD_ID; + DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; @@ -29,25 +29,13 @@ jobs: echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - uses: actions/checkout@v4 - - # ✅ 1) Auth to GCP (this is where your SA key is used) - - name: Auth to GCP - uses: google-github-actions/auth@v2 + + - name: Login to docker container registry + uses: docker/login-action@v3 with: - # using your existing secret that contains the SA JSON - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # ✅ 2) Install gcloud (no creds here) - - name: Set up gcloud - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ vars.GCP_PROJECT_ID }} - export_default_credentials: true - - - name: Configure Docker for GAR - run: | - gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - + registry: ${{ vars.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} - name: Build the container image for bundle step run: | diff --git a/.github/workflows/base-build-image-gcp.yml b/.github/workflows/base-build-image-gcp.yml deleted file mode 100644 index f9321e2..0000000 --- a/.github/workflows/base-build-image-gcp.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -name: Build base images (Generally from basin repo) - -on: - workflow_call: - inputs: - image_tag: - required: true - type: string - fail_on_scan: - default: true - type: boolean - -jobs: - docker-build-and-push: - - runs-on: ubuntu-22.04 #ubuntu-latest - - steps: - - id: get-id - name: Get a unique tag for this build - run: | - echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; - - - name: Print image name - run: | - echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - - uses: actions/checkout@v4 - - # ✅ 1) Auth to GCP (this is where your SA key is used) - - name: Auth to GCP - uses: google-github-actions/auth@v2 - with: - # using your existing secret that contains the SA JSON - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # ✅ 2) Install gcloud (no creds here) - - name: Set up gcloud - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ vars.GCP_PROJECT_ID }} - export_default_credentials: true - - - name: Configure Docker for GAR - run: | - gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - - - name: Build and push the Docker image - run: | - docker build \ - --file context/Dockerfile \ - --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ - ./context; - - - name: Container details - run: | - IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; - echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - -# - name: Scan Docker Image for vulnerabilities with Grype -# uses: anchore/scan-action@v6 -# with: -# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} -# cache-db: true #Cache Grype DB in Github Actions -# output-format: table -# only-fixed: true -# severity-cutoff: critical -# fail-build: ${{ inputs.fail_on_scan }} - - - name: Push the container image - run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} 
diff --git a/.github/workflows/base-build-image.yml b/.github/workflows/base-build-image.yml index c855c47..f9321e2 100644 --- a/.github/workflows/base-build-image.yml +++ b/.github/workflows/base-build-image.yml @@ -19,7 +19,7 @@ jobs: - id: get-id name: Get a unique tag for this build run: | - echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; + echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; - name: Print image name run: | @@ -27,13 +27,23 @@ jobs: - uses: actions/checkout@v4 - - name: Login to Docker Container Registry - # if: ${{ github.event_name == 'push' }} - uses: docker/login-action@v3 + # ✅ 1) Auth to GCP (this is where your SA key is used) + - name: Auth to GCP + uses: google-github-actions/auth@v2 with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ secrets.docker_repo2_username }} - password: ${{ secrets.docker_repo2_password }} + # using your existing secret that contains the SA JSON + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # ✅ 2) Install gcloud (no creds here) + - name: Set up gcloud + uses: google-github-actions/setup-gcloud@v2 + with: + project_id: ${{ vars.GCP_PROJECT_ID }} + export_default_credentials: true + + - name: Configure Docker for GAR + run: | + gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - name: Build and push the Docker image run: | 
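Review bot: The new `Auth to GCP` step authenticates with a long-lived service-account JSON key (`credentials_json: ${{ secrets.GCP_SA_KEY }}`); now that the workflow runs on GitHub, google-github-actions/auth@v2 supports Workload Identity Federation, which would replace the stored key with a short-lived OIDC token by setting `workload_identity_provider` and `service_account` on the step and granting the job `permissions: id-token: write`. The `export_default_credentials: true` input on `Set up gcloud` appears to be an input that setup-gcloud@v2 no longer accepts (credentials now come from the preceding auth step), so it likely only yields an unexpected-input warning and could be dropped. The same three steps are added in dispatch-container-base.yml, push-container.yml and push-s3.yml, so the remark applies to those hunks too. All actions are referenced by floating major tags (`@v2`, `@v4`); pinning to a full commit SHA with the tag in a comment would make the supply chain reproducible.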
@@ -47,15 +57,15 @@ jobs: IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - name: Scan Docker Image for vulnerabilities with Grype - uses: anchore/scan-action@v6 - with: - image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} - cache-db: true #Cache Grype DB in Github Actions - output-format: table - only-fixed: true - severity-cutoff: critical - fail-build: ${{ inputs.fail_on_scan }} +# - name: Scan Docker Image for vulnerabilities with Grype +# uses: anchore/scan-action@v6 +# with: +# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} +# cache-db: true #Cache Grype DB in Github Actions +# output-format: table +# only-fixed: true +# severity-cutoff: critical +# fail-build: ${{ inputs.fail_on_scan }} - name: Push the container image run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} diff --git a/.github/workflows/dispatch-container-base-gcp.yml b/.github/workflows/dispatch-container-base-gcp.yml deleted file mode 100644 index e11afe9..0000000 --- a/.github/workflows/dispatch-container-base-gcp.yml +++ /dev/null 
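Review bot: Commenting out the Grype step leaves the workflow's `fail_on_scan` input (declared above this hunk, unchanged) referenced only inside the commented block, so callers that pass it get neither a scan nor an error. Either re-enable the step — its existing `fail-build: ${{ inputs.fail_on_scan }}` already makes failure opt-out per caller — or remove the block together with the input so the intent is explicit instead of carried as dead YAML. The same commented-out block replaces the active scan in dispatch-container-base.yml (hunk `@@ -47,13 +57,13 @@`), where the scan ran after the push and `fail-build: true` was hard-coded. Note that the archived copy in archive/base-build-image.yml still scans before pushing, so the active workflow now pushes images that are never scanned.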
@@ -1,69 +0,0 @@ -name: Build base images from code repos - -on: - workflow_call: - inputs: - image_tag: - required: true - type: string - -jobs: - docker-base-build-and-push: - - runs-on: ubuntu-22.04 #ubuntu-latest - - steps: - - id: get-id - name: Get a unique tag for this build - run: | - echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; - - - name: Print image name - run: | - echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - - uses: actions/checkout@v4 - - # ✅ 1) Auth to GCP (this is where your SA key is used) - - name: Auth to GCP - uses: google-github-actions/auth@v2 - with: - # using your existing secret that contains the SA JSON - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # ✅ 2) Install gcloud (no creds here) - - name: Set up gcloud - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ vars.GCP_PROJECT_ID }} - export_default_credentials: true - - - name: Configure Docker for GAR - run: | - gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - - - name: Build and push the Docker image - run: | - docker build \ - --file fab/d/actions-base.Dockerfile \ - --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ - .; - - - name: Container details - run: | - IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; - echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - - name: Push the container image - run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} - -# - name: Scan Docker Image for vulnerabilities with Grype -# uses: anchore/scan-action@v6 -# with: -# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} -# cache-db: true #Cache Grype DB in Github Actions -# output-format: table -# only-fixed: true -# severity-cutoff: critical -# fail-build: true - diff --git a/.github/workflows/dispatch-container-base.yml b/.github/workflows/dispatch-container-base.yml index e8fede4..e11afe9 100644 
--- a/.github/workflows/dispatch-container-base.yml +++ b/.github/workflows/dispatch-container-base.yml @@ -16,7 +16,7 @@ jobs: - id: get-id name: Get a unique tag for this build run: | - echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; + echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; - name: Print image name run: | @@ -24,13 +24,23 @@ jobs: - uses: actions/checkout@v4 - - name: Login to Docker Container Registry - # if: ${{ github.event_name == 'push' }} - uses: docker/login-action@v3 + # ✅ 1) Auth to GCP (this is where your SA key is used) + - name: Auth to GCP + uses: google-github-actions/auth@v2 with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ secrets.docker_repo2_username }} - password: ${{ secrets.docker_repo2_password }} + # using your existing secret that contains the SA JSON + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # ✅ 2) Install gcloud (no creds here) + - name: Set up gcloud + uses: google-github-actions/setup-gcloud@v2 + with: + project_id: ${{ vars.GCP_PROJECT_ID }} + export_default_credentials: true + + - name: Configure Docker for GAR + run: | + gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - name: Build and push the Docker image run: | 
@@ -47,13 +57,13 @@ jobs: - name: Push the container image run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} - - name: Scan Docker Image for vulnerabilities with Grype - uses: anchore/scan-action@v6 - with: - image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} - cache-db: true #Cache Grype DB in Github Actions - output-format: table - only-fixed: true - severity-cutoff: critical - fail-build: true +# - name: Scan Docker Image for vulnerabilities with Grype +# uses: anchore/scan-action@v6 +# with: +# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} +# cache-db: true #Cache Grype DB in Github Actions +# output-format: table +# only-fixed: true +# severity-cutoff: critical +# fail-build: true diff --git a/.github/workflows/push-container-gcp.yml b/.github/workflows/push-container-gcp.yml deleted file mode 100644 index 69cdb5c..0000000 --- a/.github/workflows/push-container-gcp.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -name: Reusable container push workflow - -on: - workflow_call: - -env: - REPO: ${{ github.repository }} - -jobs: - - push-container: - runs-on: ubuntu-22.04 - steps: - - id: get-id - name: Get a unique tag for this build - run: | - SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; - BUILD_ID=$BRANCH_NAME-${SHA:0:8}; - DOCKER_IMAGE="${{vars.GCP_DOCKER_REGISTRY}}/$REPO:$BUILD_ID" - echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; - echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; - - - name: Print build id and image name - run: | - echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; - echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - - uses: actions/checkout@v4 - - # ✅ 1) Auth to GCP (this is where your SA key is used) - - name: Auth to GCP - uses: google-github-actions/auth@v2 - with: - # using your existing secret that contains the SA JSON - credentials_json: ${{ secrets.GCP_SA_KEY }} - - # ✅ 2) Install gcloud (no creds here) - - name: Set up gcloud - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ vars.GCP_PROJECT_ID }} - export_default_credentials: true - - - name: Configure Docker for GAR - run: | - gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev - - - name: Build the container image - run: | - docker build \ - --build-arg BUILD_STEP=container \ - --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \ - --file fab/d/actions-build.Dockerfile \ - --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ - .; - - - name: Container details - run: | - IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; - echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - - name: Push the container image - run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} diff --git a/.github/workflows/push-container.yml b/.github/workflows/push-container.yml index 12b8a16..69cdb5c 100644 
--- a/.github/workflows/push-container.yml +++ b/.github/workflows/push-container.yml 
@@ -11,42 +11,53 @@ jobs: push-container: runs-on: ubuntu-22.04 steps: - - id: get-id - name: Get a unique tag for this build - run: | - SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; - BUILD_ID=$BRANCH_NAME-${SHA:0:8}; - DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; - echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; - echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; + - id: get-id + name: Get a unique tag for this build + run: | + SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; + BUILD_ID=$BRANCH_NAME-${SHA:0:8}; + DOCKER_IMAGE="${{vars.GCP_DOCKER_REGISTRY}}/$REPO:$BUILD_ID" + echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; + echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; - - name: Print build id and image name - run: | - echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; - echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + - name: Print build id and image name + run: | + echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; + echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - - name: Login to docker container registry - uses: docker/login-action@v3 - with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ secrets.docker_repo2_username }} - password: ${{ secrets.docker_repo2_password }} + # ✅ 1) Auth to GCP (this is where your SA key is used) + - name: Auth to GCP + uses: google-github-actions/auth@v2 + with: + # using your existing secret that contains the SA JSON + credentials_json: ${{ secrets.GCP_SA_KEY }} - - name: Build the container image - run: | - docker build \ - --build-arg BUILD_STEP=container \ - --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \ - --file fab/d/actions-build.Dockerfile \ - --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ - .; - - - name: Container details - run: | - IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ 
steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; - echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + # ✅ 2) Install gcloud (no creds here) + - name: Set up gcloud + uses: google-github-actions/setup-gcloud@v2 + with: + project_id: ${{ vars.GCP_PROJECT_ID }} + export_default_credentials: true - - name: Push the container image - run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ No newline at end of file + - name: Configure Docker for GAR + run: | + gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev + + - name: Build the container image + run: | + docker build \ + --build-arg BUILD_STEP=container \ + --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \ + --file fab/d/actions-build.Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + .; + + - name: Container details + run: | + IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; + echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - name: Push the container image + run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} diff --git a/.github/workflows/push-s3.yml b/.github/workflows/push-s3.yml index 0351be5..686aafa 100644 --- a/.github/workflows/push-s3.yml +++ b/.github/workflows/push-s3.yml @@ -19,7 +19,7 @@ jobs: run: | SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; BUILD_ID=$BRANCH_NAME-${SHA:0:8}; - DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; + DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/$REPO:$BUILD_ID; echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; 
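Review bot: The re-indented `get-id` step on the new side still interpolates `${{ github.base_ref || github.ref_name }}` directly into the `run:` script, so a ref name containing shell metacharacters is substituted into the script text before bash runs it. Passing the value through the step's `env:` block (`env:` / `BRANCH_NAME: ${{ github.base_ref || github.ref_name }}`) and reading `$BRANCH_NAME` in the script keeps it as data rather than code; the same pattern appears as context in the push-s3.yml hunk `@@ -19,7 +19,7 @@` on this line. Because the hunk also re-indents every unchanged step, the functional change (GCP auth replacing docker/login-action) is hard to pick out; a whitespace-only commit first would make the review diff readable.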
@@ -29,13 +29,25 @@ jobs: echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; - uses: actions/checkout@v4 - - - name: Login to docker container registry - uses: docker/login-action@v3 + + # ✅ 1) Auth to GCP (this is where your SA key is used) + - name: Auth to GCP + uses: google-github-actions/auth@v2 with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ secrets.docker_repo2_username }} - password: ${{ secrets.docker_repo2_password }} + # using your existing secret that contains the SA JSON + credentials_json: ${{ secrets.GCP_SA_KEY }} + + # ✅ 2) Install gcloud (no creds here) + - name: Set up gcloud + uses: google-github-actions/setup-gcloud@v2 + with: + project_id: ${{ vars.GCP_PROJECT_ID }} + export_default_credentials: true + + - name: Configure Docker for GAR + run: | + gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev + - name: Build the container image for bundle step run: | @@ -59,16 +71,17 @@ jobs: echo "Running: ls $destination_path" ls $destination_path - - name: Upload cloud files - uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0 - env: - AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} - AWS_DEFAULT_REGION: ${{ vars.aws_default_region }} + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 with: - args: > - s3 cp \ + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ vars.AWS_DEFAULT_REGION }} + + - name: Upload cloud files + run: | + aws s3 cp \ --recursive \ - --cache-control max-age=31536000\ - --storage-class 'STANDARD_IA' \ - cloud/ s3://${{ vars.aws_upload_bucket }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }} + --cache-control max-age=31536000 \ + --storage-class STANDARD_IA \ + cloud/ s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }} 
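Review bot: In the `@@ -59,16 +71,17 @@` hunk the new `Configure AWS credentials` step still relies on a long-lived access key pair (`aws-access-key-id` / `aws-secret-access-key` from repository secrets); aws-actions/configure-aws-credentials@v4 supports OIDC via `role-to-assume` with `permissions: id-token: write` on the job, which would remove the static keys from the secret store and give the upload a short-lived session instead. The `Upload cloud files` step assumes the `aws` CLI is present on the `ubuntu-22.04` runner image, which holds for GitHub-hosted runners but should be stated in a comment (`# aws CLI is preinstalled on GitHub-hosted ubuntu runners`) in case self-hosted runners are ever used. The job's `permissions:` block, if one exists, is outside this hunk.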
diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/.history.jsonl b/fab/changes/260406-vhk4-migrate-workflows-github-actions/.history.jsonl
new file mode 100644
index 0000000..c8ff154
--- /dev/null
+++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/.history.jsonl
@@ -0,0 +1,13 @@
+{"action":"enter","driver":"fab-new","event":"stage-transition","stage":"intake","ts":"2026-04-06T12:01:00Z"}
+{"args":"Migrate *-gcp workflows to GitHub Actions, archive non-GCP workflows, rename GCP workflows to drop suffix, replace aws-cli-action with aws-actions/configure-aws-credentials","cmd":"fab-new","event":"command","ts":"2026-04-06T12:01:00Z"}
+{"delta":"+4.4","event":"confidence","score":4.4,"trigger":"calc-score","ts":"2026-04-06T12:01:54Z"}
+{"delta":"+0.0","event":"confidence","score":4.4,"trigger":"calc-score","ts":"2026-04-06T12:02:15Z"}
+{"cmd":"fab-ff","event":"command","ts":"2026-04-06T12:08:20Z"}
+{"delta":"+0.3","event":"confidence","score":4.7,"trigger":"calc-score","ts":"2026-04-06T12:09:03Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"spec","ts":"2026-04-06T12:09:06Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"tasks","ts":"2026-04-06T12:09:37Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"apply","ts":"2026-04-06T12:09:37Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"review","ts":"2026-04-06T12:11:03Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"hydrate","ts":"2026-04-06T12:12:36Z"}
+{"event":"review","result":"passed","ts":"2026-04-06T12:12:36Z"}
+{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"ship","ts":"2026-04-06T12:12:40Z"}
diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/.status.yaml b/fab/changes/260406-vhk4-migrate-workflows-github-actions/.status.yaml
new file mode 100644
index 0000000..30d5a60
--- /dev/null
+++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/.status.yaml @@ -0,0 +1,42 @@ +id: vhk4 +name: 260406-vhk4-migrate-workflows-github-actions +created: 2026-04-06T12:01:00Z +created_by: amitrajput1992 +change_type: ci +issues: [] +progress: + intake: done + spec: done + tasks: done + apply: done + review: done + hydrate: done + ship: active + review-pr: pending +checklist: + generated: true + path: checklist.md + completed: 15 + total: 15 +confidence: + certain: 9 + confident: 1 + tentative: 0 + unresolved: 0 + score: 4.7 + fuzzy: true + dimensions: + signal: 92.0 + reversibility: 88.0 + competence: 91.5 + disambiguation: 88.0 +stage_metrics: + intake: {started_at: "2026-04-06T12:01:00Z", driver: fab-new, iterations: 1, completed_at: "2026-04-06T12:09:06Z"} + spec: {started_at: "2026-04-06T12:09:06Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:09:37Z"} + tasks: {started_at: "2026-04-06T12:09:37Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:09:37Z"} + apply: {started_at: "2026-04-06T12:09:37Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:11:03Z"} + review: {started_at: "2026-04-06T12:11:03Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:12:36Z"} + hydrate: {started_at: "2026-04-06T12:12:36Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:12:40Z"} + ship: {started_at: "2026-04-06T12:12:40Z", driver: fab-ff, iterations: 1} +prs: [] +last_updated: 2026-04-06T12:12:40Z diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/checklist.md b/fab/changes/260406-vhk4-migrate-workflows-github-actions/checklist.md new file mode 100644 index 0000000..7836ec0 --- /dev/null +++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/checklist.md 
@@ -0,0 +1,34 @@ +# Quality Checklist: Migrate Workflows to GitHub Actions + +**Change**: 260406-vhk4-migrate-workflows-github-actions +**Generated**: 2026-04-06 +**Spec**: `spec.md` + +## Functional Completeness +- [x] CHK-001 Archive: 4 non-GCP files exist in `.github/workflows/archive/` +- [x] CHK-002 Archive: 4 non-GCP files no longer exist in `.github/workflows/` +- [x] CHK-003 Rename: 4 GCP files renamed without `-gcp` suffix +- [x] CHK-004 Rename: No `-gcp.yml` files remain in `.github/workflows/` +- [x] CHK-005 S3 fix: `push-s3.yml` uses `aws-actions/configure-aws-credentials@v4` +- [x] CHK-006 S3 fix: `push-s3.yml` uses inline `aws s3 cp` command (no external action) + +## Behavioral Correctness +- [x] CHK-007 GCP auth steps identical in all 4 renamed workflows (auth@v2, setup-gcloud@v2, configure-docker) +- [x] CHK-008 All runners are `ubuntu-22.04` +- [x] CHK-009 Grype scanning remains commented out in all workflows +- [x] CHK-010 AWS secret/var names are uppercase: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET` +- [x] CHK-011 S3 upload preserves all flags: `--recursive`, `--cache-control max-age=31536000`, `--storage-class STANDARD_IA` + +## Scenario Coverage +- [x] CHK-012 Archive directory exists with correct files +- [x] CHK-013 S3 destination path matches pattern: `s3://{bucket}/{repo_short_name}/{build_id}` + +## Code Quality +- [x] CHK-014 Pattern consistency: Workflow YAML follows existing naming and structural patterns +- [x] CHK-015 No unnecessary duplication: No Gitea-specific references remain in active workflows + +## Notes + +- Check items as you review: `- [x]` +- All items must pass before `/fab-continue` (hydrate) +- If an item is not applicable, mark checked and prefix with **N/A**: `- [x] CHK-008 **N/A**: {reason}` 
diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/intake.md b/fab/changes/260406-vhk4-migrate-workflows-github-actions/intake.md new file mode 100644 index 0000000..12e663e --- /dev/null +++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/intake.md 
@@ -0,0 +1,108 @@
+# Intake: Migrate Workflows to GitHub Actions
+
+**Change**: 260406-vhk4-migrate-workflows-github-actions
+**Created**: 2026-04-06
+**Status**: Draft
+
+## Origin
+
+> Migrate the GitHub workflows ending with *-gcp to be compatible with GitHub Actions. Currently used inside a self-hosted Gitea instance. Once migrated, the repo moves to GitHub directly.
+
+Conversational mode — extensive discussion preceded this intake. User confirmed all key decisions (see Assumptions).
+
+## Why
+
+The build-tools repo currently lives on a self-hosted Gitea instance. The organization is moving it to GitHub. The `*-gcp` workflow variants already use GitHub-compatible actions (`google-github-actions/auth@v2`, `actions/checkout@v4`, etc.) but one workflow (`push-s3-gcp.yml`) references a Gitea-hosted action (`https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0`) that GitHub Actions cannot resolve. The non-GCP workflows use Gitea-specific registry credentials (`docker_repo2_*`) that won't be needed on GitHub.
+
+Without this change, the repo cannot be moved to GitHub — workflows would fail on first run.
+
+## What Changes
+
+### 1. Archive non-GCP workflows
+
+Move these 4 files to `.github/workflows/archive/`:
+- `base-build-image.yml`
+- `dispatch-container-base.yml`
+- `push-container.yml`
+- `push-s3.yml`
+
+### 2. Rename GCP workflows (drop `-gcp` suffix)
+
+- `base-build-image-gcp.yml` → `base-build-image.yml`
+- `dispatch-container-base-gcp.yml` → `dispatch-container-base.yml`
+- `push-container-gcp.yml` → `push-container.yml`
+- `push-s3-gcp.yml` → `push-s3.yml`
+
+### 3. Fix `push-s3.yml` (formerly `push-s3-gcp.yml`)
+
+Replace the Gitea-hosted `aws-cli-action` with the pattern from `dg2n-core`:
+
+```yaml
+# Replace this:
+- name: Upload cloud files
+ uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
+ ...
+ with:
+ args: >
+ s3 cp ...
+
+# With this:
+- name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ vars.AWS_DEFAULT_REGION }}
+
+- name: Upload cloud files
+ run: |
+ aws s3 cp \
+ --recursive \
+ --cache-control max-age=31536000 \
+ --storage-class STANDARD_IA \
+ cloud/ s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}
+```
+
+Also uppercase the AWS secret/var names to match dg2n-core convention: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`.
+
+### 4. No changes to other workflows
+
+These 5 workflows remain untouched — they already use standard GitHub Actions:
+- `pr-lint-and-check.yml`
+- `push-code-test.yml`
+- `push-code-scan.yml`
+- `push-npm.yml`
+- `push-npm-from-container.yml`
+
+## Affected Memory
+
+- None — no spec-level behavior changes requiring memory updates.
+
+## Impact
+
+- `.github/workflows/` — 4 files archived, 4 files renamed, 1 file content-modified
+- All consuming repos that call these reusable workflows will need to update their `uses:` references to drop the `-gcp` suffix
+- GCP auth pattern (secrets/vars) stays identical — no infra changes needed
+- Grype scanning stays disabled (commented out) in all GCP workflows
+
+## Open Questions
+
+- None — all questions resolved in discussion.
+
+## Assumptions
+
+| # | Grade | Decision | Rationale | Scores |
+|---|-------|----------|-----------|--------|
+| 1 | Certain | Non-GCP workflows archived, not deleted | Discussed — user explicitly said "put them in an archive folder" | S:95 R:90 A:95 D:90 |
+| 2 | Certain | GCP workflows renamed to drop `-gcp` suffix | Discussed — user confirmed "yes lets remove gcp suffix" | S:95 R:85 A:90 D:85 |
+| 3 | Certain | Grype scanning stays disabled | Discussed — user said "dont enable grype scanning" | S:95 R:90 A:95 D:95 |
+| 4 | Certain | Use `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp` instead of custom action | Discussed — follows dg2n-core pattern, user pointed to that repo as reference | S:95 R:90 A:90 D:85 |
+| 5 | Certain | AWS secret/var names uppercased to match dg2n-core convention | Discussed — user said dg2n-core has correct env vars/secrets config | S:90 R:85 A:90 D:85 |
+| 6 | Certain | Use GitHub-hosted `ubuntu-22.04` runners | Discussed — user confirmed standard GitHub runners, was using self-hosted on Gitea | S:95 R:90 A:95 D:90 |
+| 7 | Certain | `push-s3-gcp.yml` hybrid (GCP Docker + AWS S3) stays as-is | Discussed — user confirmed "yes" | S:90 R:85 A:90 D:90 |
+| 8 | Confident | Other 5 workflows need no changes | Discussed — user confirmed "yes rest remain untouched", though npm workflows have gmetri email which user said is fine to keep | S:85 R:80 A:85 D:80 |
+| 9 | Confident | Archive folder is `.github/workflows/archive/` | Reasonable default — user said "archive folder" without specifying exact path | S:80 R:75 A:85 D:80 |
+
+9 assumptions (7 certain, 2 confident, 0 tentative, 0 unresolved).
diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/spec.md b/fab/changes/260406-vhk4-migrate-workflows-github-actions/spec.md
new file mode 100644
index 0000000..1d2c622
--- /dev/null
+++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/spec.md
@@ -0,0 +1,131 @@
+# Spec: Migrate Workflows to GitHub Actions
+
+**Change**: 260406-vhk4-migrate-workflows-github-actions
+**Created**: 2026-04-06
+**Affected memory**: None
+
+## Non-Goals
+
+- Enabling Grype vulnerability scanning — intentionally left disabled
+- Modifying non-GCP workflows (`pr-lint-and-check.yml`, `push-code-test.yml`, `push-code-scan.yml`, `push-npm.yml`, `push-npm-from-container.yml`)
+- Changing the GCP authentication pattern (secrets/vars remain identical)
+- Updating consuming repos' `uses:` references (out of scope for this repo)
+
+## Workflows: Archive Non-GCP Variants
+
+### Requirement: Archive legacy workflows
+
+The system SHALL move the 4 non-GCP workflow files to `.github/workflows/archive/` to preserve history without cluttering the active workflows directory.
+
+Files to archive:
+- `.github/workflows/base-build-image.yml`
+- `.github/workflows/dispatch-container-base.yml`
+- `.github/workflows/push-container.yml`
+- `.github/workflows/push-s3.yml`
+
+#### Scenario: Archive directory creation and file move
+- **GIVEN** the 4 non-GCP workflow files exist in `.github/workflows/`
+- **WHEN** the migration is applied
+- **THEN** `.github/workflows/archive/` directory SHALL exist
+- **AND** all 4 files SHALL be moved to `.github/workflows/archive/` with identical filenames
+- **AND** the files SHALL no longer exist in `.github/workflows/`
+
+## Workflows: Rename GCP Variants
+
+### Requirement: Drop `-gcp` suffix from workflow filenames
+
+The system SHALL rename the 4 GCP workflow files to remove the `-gcp` suffix, making them the canonical workflow files.
+
+| Current name | New name |
+|---|---|
+| `base-build-image-gcp.yml` | `base-build-image.yml` |
+| `dispatch-container-base-gcp.yml` | `dispatch-container-base.yml` |
+| `push-container-gcp.yml` | `push-container.yml` |
+| `push-s3-gcp.yml` | `push-s3.yml` |
+
+#### Scenario: Rename after archive
+- **GIVEN** the non-GCP files have been archived (no naming collision)
+- **WHEN** the GCP files are renamed
+- **THEN** each `-gcp.yml` file SHALL be renamed to the corresponding base name
+- **AND** the original `-gcp.yml` files SHALL no longer exist
+- **AND** the file contents SHALL be unchanged (rename only, no content modification at this stage)
+
+## Workflows: Fix S3 Upload Action
+
+### Requirement: Replace Gitea-hosted aws-cli-action
+
+The `push-s3.yml` workflow (formerly `push-s3-gcp.yml`) SHALL replace the Gitea-hosted action reference with the `aws-actions/configure-aws-credentials@v4` action plus an inline `aws s3 cp` command, matching the pattern established in the `dg2n-core` repo.
+
+#### Scenario: AWS credentials configuration
+- **GIVEN** `push-s3.yml` has been renamed from `push-s3-gcp.yml`
+- **WHEN** the S3 upload steps are updated
+- **THEN** the `Upload cloud files` step using `https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0` SHALL be replaced with two steps:
+ 1. A `Configure AWS credentials` step using `aws-actions/configure-aws-credentials@v4` with:
+ - `aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}`
+ - `aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`
+ - `aws-region: ${{ vars.AWS_DEFAULT_REGION }}`
+ 2. An `Upload cloud files` step using `run:` with inline `aws s3 cp` command
+
+#### Scenario: AWS secret/var name casing
+- **GIVEN** the current workflow uses lowercase secret names (`secrets.aws_access_key_id`, etc.)
+- **WHEN** the S3 steps are replaced
+- **THEN** all AWS secret and variable references SHALL use uppercase names:
+ - `secrets.AWS_ACCESS_KEY_ID` (was `secrets.aws_access_key_id`)
+ - `secrets.AWS_SECRET_ACCESS_KEY` (was `secrets.aws_secret_access_key`)
+ - `vars.AWS_DEFAULT_REGION` (was `vars.aws_default_region`)
+ - `vars.AWS_UPLOAD_BUCKET` (was `vars.aws_upload_bucket`)
+
+#### Scenario: S3 upload command equivalence
+- **GIVEN** the old action ran `s3 cp --recursive --cache-control max-age=31536000 --storage-class 'STANDARD_IA' cloud/ s3://{bucket}/{repo}/{build_id}`
+- **WHEN** the inline command replaces it
+- **THEN** the `aws s3 cp` command SHALL preserve all flags: `--recursive`, `--cache-control max-age=31536000`, `--storage-class STANDARD_IA`
+- **AND** the destination path SHALL remain `s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}`
+
+## Workflows: Preserve Existing Behavior
+
+### Requirement: No functional changes to GCP auth
+
+All 4 renamed workflows SHALL retain their existing GCP authentication steps unchanged:
+- `google-github-actions/auth@v2` with `credentials_json: ${{ secrets.GCP_SA_KEY }}`
+- `google-github-actions/setup-gcloud@v2` with `project_id: ${{ vars.GCP_PROJECT_ID }}`
+- `gcloud auth configure-docker ${{ vars.GCP_REGION }}-docker.pkg.dev`
+
+#### Scenario: GCP auth preserved after rename
+- **GIVEN** any of the 4 renamed workflow files
+- **WHEN** the file content is inspected
+- **THEN** the GCP auth steps SHALL be identical to the original `-gcp` variant
+
+### Requirement: Runners use GitHub-hosted ubuntu-22.04
+
+All workflows SHALL use `runs-on: ubuntu-22.04` (GitHub-hosted runners). No self-hosted runner references.
+
+#### Scenario: Runner specification
+- **GIVEN** any workflow file in `.github/workflows/` (excluding archive)
+- **WHEN** the `runs-on` value is inspected
+- **THEN** it SHALL be `ubuntu-22.04`
+
+### Requirement: Grype scanning remains disabled
+
+All workflows SHALL keep Grype vulnerability scanning commented out. No uncommented `anchore/scan-action` steps.
+
+#### Scenario: Grype stays commented
+- **GIVEN** any workflow that previously had Grype scanning commented out
+- **WHEN** the migration is complete
+- **THEN** the Grype scanning steps SHALL remain commented out
+
+## Assumptions
+
+| # | Grade | Decision | Rationale | Scores |
+|---|-------|----------|-----------|--------|
+| 1 | Certain | Non-GCP workflows archived to `.github/workflows/archive/`, not deleted | Confirmed from intake #1 — user explicit | S:95 R:90 A:95 D:90 |
+| 2 | Certain | GCP workflows renamed to drop `-gcp` suffix | Confirmed from intake #2 — user explicit | S:95 R:85 A:90 D:85 |
+| 3 | Certain | Grype scanning stays disabled (commented out) | Confirmed from intake #3 — user explicit | S:95 R:90 A:95 D:95 |
+| 4 | Certain | Use `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp` | Confirmed from intake #4 — matches dg2n-core reference | S:95 R:90 A:90 D:85 |
+| 5 | Certain | AWS secret/var names uppercased to match dg2n-core | Confirmed from intake #5 — user said dg2n-core is correct | S:90 R:85 A:90 D:85 |
+| 6 | Certain | GitHub-hosted `ubuntu-22.04` runners | Confirmed from intake #6 — already the value in all workflows | S:95 R:90 A:95 D:90 |
+| 7 | Certain | S3 upload hybrid (GCP Docker + AWS S3) stays as-is | Confirmed from intake #7 — user explicit | S:90 R:85 A:90 D:90 |
+| 8 | Certain | Other 5 workflows unchanged | Upgraded from intake #8 Confident — user confirmed explicitly | S:90 R:85 A:90 D:85 |
+| 9 | Confident | Archive folder path is `.github/workflows/archive/` | Carried from intake #9 — user said "archive folder", path is reasonable convention | S:80 R:85 A:85 D:80 |
+| 10 | Certain | Archive must happen before rename to avoid filename collisions | Ordering constraint derived from spec — both old and new files share the same base names | S:95 R:95 A:95 D:95 |
+
+10 assumptions (9 certain, 1 confident, 0 tentative, 0 unresolved).
diff --git a/fab/changes/260406-vhk4-migrate-workflows-github-actions/tasks.md b/fab/changes/260406-vhk4-migrate-workflows-github-actions/tasks.md
new file mode 100644
index 0000000..09ca8fe
--- /dev/null
+++ b/fab/changes/260406-vhk4-migrate-workflows-github-actions/tasks.md
@@ -0,0 +1,28 @@
+# Tasks: Migrate Workflows to GitHub Actions
+
+**Change**: 260406-vhk4-migrate-workflows-github-actions
+**Spec**: `spec.md`
+**Intake**: `intake.md`
+
+## Phase 1: Archive Non-GCP Workflows
+
+- [x] T001 Create `.github/workflows/archive/` directory and move `base-build-image.yml`, `dispatch-container-base.yml`, `push-container.yml`, `push-s3.yml` into it
+
+## Phase 2: Rename GCP Workflows
+
+- [x] T002 [P] Rename `.github/workflows/base-build-image-gcp.yml` → `.github/workflows/base-build-image.yml`
+- [x] T003 [P] Rename `.github/workflows/dispatch-container-base-gcp.yml` → `.github/workflows/dispatch-container-base.yml`
+- [x] T004 [P] Rename `.github/workflows/push-container-gcp.yml` → `.github/workflows/push-container.yml`
+- [x] T005 [P] Rename `.github/workflows/push-s3-gcp.yml` → `.github/workflows/push-s3.yml`
+
+## Phase 3: Fix S3 Upload Action
+
+- [x] T006 In `.github/workflows/push-s3.yml`, replace the Gitea-hosted `aws-cli-action` step with `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp`, and uppercase all AWS secret/var names (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`)
+
+---
+
+## Execution Order
+
+- T001 must complete before T002-T005 (archive frees the base filenames)
+- T002-T005 are independent and parallel
+- T006 depends on T005 (operates on the renamed `push-s3.yml`)