cicd.yaml

name: CICD

env:
  # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
  # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
  OPENSHIFT_NAMESPACE: exhort
  # 🖊️ EDIT to set the deployemnt resource data for image update.
  OPENSHIFT_DEPLOYMENT_NAME: exhort
  OPENSHIFT_CONTAINER_NAME: exhort
  # 🖊️ EDIT to change the image registry settings.
  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
  IMAGE_REGISTRY: quay.io/ecosystem-appeng
  IMAGE_NAME: exhort
  IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
  IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
  REGISTRY_REDHAT_IO_USER: ${{ secrets.REGISTRY_REDHAT_IO_USER }}
  REGISTRY_REDHAT_IO_PASSWORD: ${{ secrets.REGISTRY_REDHAT_IO_PASSWORD }}
  
  # 🖊️ EDIT to change Dockerfile.
  DOCKERFILE_PATH: ./src/main/docker/Dockerfile.jvm

on:
  push:
    branches:
      - main
    tags:
      - '*'
  workflow_dispatch:

jobs:
  validate_workflow_requirements:
    runs-on: ubuntu-latest

    if: github.repository == 'RHEcosystemAppEng/exhort'

    steps:
      - name: Check For Required Secrets
        uses: actions/github-script@v6
        with:
          script: |
            const secrets = {
              OPENSHIFT_SERVER: `${{ env.OPENSHIFT_SERVER }}`,
              OPENSHIFT_TOKEN: `${{ env.OPENSHIFT_TOKEN }}`,
              REGISTRY_REDHAT_IO_USER: `${{ env.REGISTRY_REDHAT_IO_USER }}`,
              REGISTRY_REDHAT_IO_PASSWORD: `${{ env.REGISTRY_REDHAT_IO_PASSWORD }}`
            };
            
            // if image registry is ghcr.io - no registry credentials required, otherwise get registry credentials
            if (!`${{ env.IMAGE_REGISTRY }}`.startsWith("ghcr.io")) {
              secrets["IMAGE_REGISTRY_USER"] = `${{ env.IMAGE_REGISTRY_USER }}`;
              secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ env.IMAGE_REGISTRY_PASSWORD }}`;
            }

            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
              if (value.length === 0) {
                core.error(`Secret "${name}" is not set`);
                return true;
              }
              core.info(`✔️ Secret "${name}" is set`);
              return false;
            });

            if (missingSecrets.length > 0) {
              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
                "You can add it using:\n" +
                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
            }
            else {
              core.info(`✅ All the required secrets are set`);
            }
  
  build_and_push_image:
    needs: validate_workflow_requirements
    runs-on: ubuntu-latest
    
    outputs:
      digest: ${{ steps.push-to-registry.outputs.digest }}
      tag: ${{ steps.extract_branch.outputs.tag }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3

      - name: Extract tag name
        shell: bash
        run: |
          branch=${GITHUB_REF_NAME}
          case ${branch} in
          'main') tag='latest' ;;
          *) tag=${branch} ;;
          esac
          echo "tag=${tag}" >> $GITHUB_OUTPUT
        id: extract_branch

      - name: Setup JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '21'
          cache: 'maven'

      - name: Build Package with Maven
        run: |
          ./mvnw -B verify
        env:
          GITHUB_ACTOR: ${{ secrets.GITHUB_ACTOR }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Log in to Red Hat Registry
        uses: redhat-actions/podman-login@v1
        with:
          registry: registry.redhat.io
          username: ${{ env.REGISTRY_REDHAT_IO_USER }}
          password: ${{ env.REGISTRY_REDHAT_IO_PASSWORD }}
      - name: Build Image With buildah
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.IMAGE_NAME }}
          tags: ${{ steps.extract_branch.outputs.tag }}
          dockerfiles: |
            ${{ env.DOCKERFILE_PATH }}
          
      - name: Push Image To Registry
        id: push-to-registry
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-image.outputs.image }}
          tags: ${{ steps.build-image.outputs.tags }}
          registry: ${{ env.IMAGE_REGISTRY }}
          username: ${{ env.IMAGE_REGISTRY_USER }}
          password: ${{ env.IMAGE_REGISTRY_PASSWORD }}

  deploy_to_openshift:
    needs: build_and_push_image
    runs-on: ubuntu-latest
    steps:
      - name: Install oc
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: 4

      - name: Log In To OpenShift
        uses: redhat-actions/oc-login@v1
        with:
          openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
          openshift_token: ${{ env.OPENSHIFT_TOKEN }}
          insecure_skip_tls_verify: true
          namespace: ${{ env.OPENSHIFT_NAMESPACE }}

      - name: Patch Image
        run: |
          DEPLOYMENT_PATCH=$(printf '{"spec": {"template": {"spec": {"containers": [{"name": "%s", "image": "%s/%s@%s"}]}}}}' ${{ env.OPENSHIFT_CONTAINER_NAME }} ${{ env.IMAGE_REGISTRY }} ${{ env.IMAGE_NAME }} ${{ needs.build_and_push_image.outputs.digest }})
          oc patch deployment ${{ env.OPENSHIFT_DEPLOYMENT_NAME }}-${{ needs.build_and_push_image.outputs.tag }} -p "${DEPLOYMENT_PATCH}"
          
      - name: Monitor Deployment Status
        run: oc rollout status deployment/${{ env.OPENSHIFT_DEPLOYMENT_NAME }}-${{ needs.build_and_push_image.outputs.tag }}