From e0eb946b2b1ecb7f3f8e30d06bfc96ddc43bdb57 Mon Sep 17 00:00:00 2001
From: healthy-pod <ahmad@cockroachlabs.com>
Date: Thu, 28 Sep 2023 16:45:31 -0700
Subject: [PATCH] build,workflows: add a workflow to build and push builder
 image

Release note: None
Epic: none
---
 ...flows-build-push-acceptance-gss-images.yml | 48 ++++++++++++
 ...-workflows-build-push-acceptance-image.yml | 25 +++++++
 ...rkflows-build-push-bazel-builder-image.yml | 26 +++++++
 ...usable-build-push-multiplatform-images.yml | 74 +++++++++++++++++++
 4 files changed, 173 insertions(+)
 create mode 100644 .github/workflows/gar-workflows-build-push-acceptance-gss-images.yml
 create mode 100644 .github/workflows/gar-workflows-build-push-acceptance-image.yml
 create mode 100644 .github/workflows/gar-workflows-build-push-bazel-builder-image.yml
 create mode 100644 .github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml

diff --git a/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml b/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml
new file mode 100644
index 000000000000..ec39e27d2735
--- /dev/null
+++ b/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml
@@ -0,0 +1,48 @@
+name: Build and Push acceptance gss compose images
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+
+  acceptance-kdc-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-kdc:${{ needs.tags.outputs.time_tag }}
+      context: "{{defaultContext}}:pkg/acceptance/compose/gss/kdc"
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
+
+  acceptance-psql-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-psql:${{ needs.tags.outputs.time_tag }}
+      context: "{{defaultContext}}:pkg/acceptance/compose/gss/psql"
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
+
+  acceptance-python-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-python:${{ needs.tags.outputs.time_tag }}
+      context: "{{defaultContext}}:pkg/acceptance/compose/gss/python"
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-build-push-acceptance-image.yml b/.github/workflows/gar-workflows-build-push-acceptance-image.yml
new file mode 100644
index 000000000000..9828b885f23d
--- /dev/null
+++ b/.github/workflows/gar-workflows-build-push-acceptance-image.yml
@@ -0,0 +1,25 @@
+name: Build and Push acceptance image
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+  docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance:${{ needs.tags.outputs.time_tag }}
+      context: "{{defaultContext}}:pkg/acceptance/testdata"
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml b/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml
new file mode 100644
index 000000000000..e5b042ab4812
--- /dev/null
+++ b/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml
@@ -0,0 +1,26 @@
+name: Build and Push bazel-builder image
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+  docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }}
+      context: "{{defaultContext}}:build/bazelbuilder"
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml b/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
new file mode 100644
index 000000000000..af724eaeeb97
--- /dev/null
+++ b/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
@@ -0,0 +1,74 @@
+name: Build and Push Multi-Platform Docker Images
+# Note: This workflow is adapted to work with GAR only and specifically `us-east1-docker.pkg.dev` registry.
+# If supporting more registries (within GAR) is needed in the future, we can pass the registry as an input from the
+# calling workflow.
+# To support pushing outside GAR, we will need to support authenticating to other non-google registries.
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        # Example:
+        # tags: |
+        #   us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use
+        #   us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }}
+        required: true
+        type: string
+      context:
+        type: string
+        required: true
+    secrets:
+      gcp_wif_provider:
+        required: true
+      gcp_wif_service_account:
+        required: true
+
+jobs:
+  reusable-workflow:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Below we will build without pushing, then authenticate, then build and push. We do this
+      # dance because the token will only be valid for one hour and building + pushing might
+      # take more than one hour. The second build will use the cache so it's not bad.
+      -
+        name: Build (but do not push)
+        uses: docker/build-push-action@v5
+        with:
+          push: false
+          tags: ${{ inputs.tags }}
+          platforms: linux/amd64,linux/arm64
+          context: ${{ inputs.context }}
+      -
+        name: GCP Auth
+        id: auth
+        uses: 'google-github-actions/auth@v1'
+        with:
+          token_format: access_token
+          workload_identity_provider: '${{ secrets.gcp_wif_provider }}'
+          service_account: '${{ secrets.gcp_wif_service_account }}'
+          access_token_lifetime: 600s # 10 minutes
+      -
+        name: Login to Artifact Registry
+        uses: docker/login-action@v1
+        with:
+          registry: us-east1-docker.pkg.dev 
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      -
+        name: Build (will use cache) and push (using recently generated token above)
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ inputs.tags }}
+          platforms: linux/amd64,linux/arm64
+          context: ${{ inputs.context }}