Skip to content
Build Notebooks (pr, AIPCC bases)

Update quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2 Docker digest to 0ea6f3f #442

Sign in to view logs

Update quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2 Docker digest to 0ea6f3f

Update quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2 Docker digest to 0ea6f3f #442

Workflow file for this run

.github/workflows/build-notebooks-pr-aipcc.yaml at a8e4e8e
---
"name": "Build Notebooks (pr, AIPCC bases)"
"on":
"pull_request_target":
"paths-ignore":
# Don't build images if the only thing that changed is image digests in manifests
- manifests/base/params-latest.env
- manifests/base/params.env
# In fact, skip the build if there are only changes in manifests and nowhere else
- manifests/**
# BEWARE: This GitHub Actions workflow runs on pull_request_target, meaning it has access to our secrets
# see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets
# and https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
permissions:
contents: read
packages: read
concurrency:
group: ${{ format('build-notebooks-pr-apicc-{0}', github.event.pull_request.number) }}
cancel-in-progress: true
env:
# language=json
contributors: |
["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters", "grdryn", "kryanbeane", "mtchoum1", "obrown1205", "dependabot[bot]", "ide-developer", "ysok"]
jobs:
gen:
name: Generate job matrix
runs-on: ubuntu-latest
# rhds/notebooks builds from AIPCC bases and requires pull_request_target trigger
if: ${{ github.repository == 'red-hat-data-services/notebooks' }}
outputs:
matrix: ${{ steps.gen.outputs.matrix }}
has_jobs: ${{ steps.gen.outputs.has_jobs }}
steps:
- name: Check permissions and deny untrusted users (this must be done FIRST, for security, before we checkout)
if: |-
!(
github.event.repository.private == true ||
contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) ||
contains(fromJSON(env.contributors), github.actor)
)
run: |
echo "GitHub user ${{ github.actor }} is not a registered project contributor, not allowed to run actions requiring secrets!"
exit 1
# Here we are checking out the pull request, so that we can build from the new code
# We can do this because we already checked that the submitting user is a contributor
- uses: actions/checkout@v5
if: ${{ github.event_name == 'pull_request_target' }}
with:
ref: "refs/pull/${{ github.event.number }}/merge"
- uses: actions/checkout@v5
if: ${{ github.event_name != 'pull_request_target' }}
- uses: actions/setup-go@v5
with:
cache-dependency-path: "**/*.sum"
- name: Determine targets to build based on changed files
if: ${{ github.event_name == 'pull_request_target' }}
run: |
set -x
git fetch --no-tags origin 'pull/${{ github.event.pull_request.number }}/head:${{ github.event.pull_request.head.ref }}'
git fetch --no-tags origin '+refs/heads/${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}'
python3 ci/cached-builds/gen_gha_matrix_jobs.py \
--from-ref 'origin/${{ github.event.pull_request.base.ref }}' \
--to-ref '${{ github.event.pull_request.head.ref }}' \
--rhel-images exclude \
--s390x-images include
id: gen
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
build:
needs: ["gen"]
strategy:
fail-fast: false
matrix: "${{ fromJson(needs.gen.outputs.matrix) }}"
uses: ./.github/workflows/build-notebooks-TEMPLATE.yaml
if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
with:
target: "${{ matrix.target }}"
python: "${{ matrix.python }}"
github: "${{ toJSON(github) }}"
platform: "${{ matrix.platform }}"
subscription: "${{ matrix.subscription }}"
secrets: inherit