Add webhook for private registry mirror #1707
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous Integration | |
| permissions: | |
| contents: read | |
| actions: write | |
| checks: write | |
| env: | |
| MISE_VERSION: v2025.8.1 | |
| on: # rebuild any PRs and main branch changes | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| test-omes: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Run tests | |
| run: | | |
| go test -v -race ./... 2>&1 | \ | |
| go run github.com/jstemmer/go-junit-report/v2@latest \ | |
| -set-exit-code -iocopy -out junit-omes.xml | |
| - name: Publish Test Results | |
| uses: mikepenz/[email protected] | |
| if: failure() | |
| with: | |
| report_paths: "junit-omes.xml" | |
| check_name: "Omes Test Failures" | |
| detailed_summary: true | |
| check_annotations: false | |
| annotate_only: true | |
| skip_annotations: true | |
| check-worker: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| sdk: [go, java, python, typescript, dotnet] | |
| include: | |
| - sdk: go | |
| tools: go | |
| - sdk: java | |
| tools: java go | |
| - sdk: python | |
| tools: python go | |
| - sdk: typescript | |
| tools: rust go node protoc | |
| - sdk: dotnet | |
| tools: dotnet go | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Install mise | |
| uses: jdx/[email protected] | |
| with: | |
| version: ${{ env.MISE_VERSION }} | |
| - name: Install Tools | |
| run: | | |
| go run ./cmd/dev install ${{ matrix.tools }} | |
| - name: Add Go bin to PATH | |
| run: | | |
| echo "$(go env GOPATH)/bin" >> $GITHUB_PATH | |
| - name: Lint and format ${{ matrix.sdk }} worker | |
| run: | | |
| go run ./cmd/dev lint-and-format ${{ matrix.sdk }} | |
| - name: Check formatting | |
| run: | | |
| git diff --exit-code || (echo "${{ matrix.sdk }} worker has uncommitted formatting changes" && exit 1) | |
| - name: Test ${{ matrix.sdk }} worker | |
| run: | | |
| go run ./cmd/dev test ${{ matrix.sdk }} | |
| build-worker: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| sdk: [go, java, python, typescript, dotnet] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Build ${{ matrix.sdk }} worker image | |
| run: | | |
| go run ./cmd/dev build-worker-image \ | |
| --language ${{ matrix.sdk }} \ | |
| --tag-as-latest | |
| - name: Start ${{ matrix.sdk }} worker image | |
| run: | | |
| docker run \ | |
| --rm \ | |
| -i -p 10233:10233 omes:${{ matrix.sdk }}-latest \ | |
| --scenario workflow_with_single_noop_activity \ | |
| --log-level debug \ | |
| --language ${{ matrix.sdk }} \ | |
| --run-id ${{ github.run_id }} \ | |
| --embedded-server-address 0.0.0.0:10233 & | |
| - name: Wait for ${{ matrix.sdk }} worker image to start | |
| run: | | |
| timeout 30 bash -c 'until nc -z 127.0.0.1 10233; do sleep 1; done' || (echo "Server failed to start" && exit 1) | |
| - name: Start ${{ matrix.sdk }} worker image | |
| run: | | |
| go run ./cmd run-scenario \ | |
| --scenario workflow_with_single_noop_activity \ | |
| --log-level debug \ | |
| --server-address 127.0.0.1:10233 \ | |
| --run-id ${{ github.run_id }} \ | |
| --connect-timeout 1m \ | |
| --iterations 5 | |
| test-kitchensink: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| sdk: [go, java, python, typescript, dotnet] | |
| include: | |
| - sdk: go | |
| tools: go | |
| - sdk: java | |
| tools: java go | |
| - sdk: python | |
| tools: python go | |
| - sdk: typescript | |
| tools: node go | |
| - sdk: dotnet | |
| tools: dotnet go | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Install mise | |
| uses: jdx/[email protected] | |
| with: | |
| version: ${{ env.MISE_VERSION }} | |
| - name: Install Tools | |
| run: | | |
| go run ./cmd/dev install ${{ matrix.tools }} | |
| - name: Test Kitchensink ${{ matrix.sdk }} | |
| run: | | |
| SDK=${{ matrix.sdk }} go test -v -race ./loadgen -run TestKitchenSink 2>&1 | \ | |
| go run github.com/jstemmer/go-junit-report/v2@latest \ | |
| -set-exit-code -iocopy -out junit-kitchensink-${{ matrix.sdk }}.xml | |
| - name: Publish Kitchensink Test Results | |
| uses: mikepenz/[email protected] | |
| if: failure() | |
| with: | |
| report_paths: "junit-kitchensink-${{ matrix.sdk }}.xml" | |
| check_name: "Kitchensink Test Failures (${{ matrix.sdk }})" | |
| detailed_summary: true | |
| check_annotations: false | |
| annotate_only: true | |
| skip_annotations: true | |
| build-ks-gen-and-ensure-protos-up-to-date: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v2 | |
| with: | |
| submodules: "true" | |
| - name: Install mise | |
| uses: jdx/[email protected] | |
| with: | |
| version: ${{ env.MISE_VERSION }} | |
| - name: Install Tools | |
| run: | | |
| go run ./cmd/dev install rust go protoc node | |
| - name: Add Go bin to PATH | |
| run: | | |
| echo "$(go env GOPATH)/bin" >> $GITHUB_PATH | |
| - name: Build proto | |
| run: | | |
| go run ./cmd/dev build-proto | |
| - name: Check diff | |
| run: | | |
| git config --global core.safecrlf false | |
| git diff > generator.diff | |
| git diff --exit-code | |
| - name: Upload generator diff | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: generator-diff | |
| path: generator.diff | |
| if-no-files-found: ignore | |
| build-cli: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build CLI image | |
| run: | | |
| go run ./cmd/dev build-cli-image | |
| - name: Test CLI image | |
| run: | | |
| IMAGE_TAG=$(echo "$BUILT_IMAGE_TAGS" | cut -d';' -f1) | |
| docker run --rm --pull never $IMAGE_TAG --help | |
| docker run --rm --pull never $IMAGE_TAG list-scenarios | |
| docker run --rm --pull never --entrypoint /app/kitchen-sink-gen $IMAGE_TAG --help | |
| # env cannot be referenced in jobs.<job_id>.with.<with_id>, so we need a job to run before | |
| # to append a "v" to the version string | |
| prepare-for-docker-push: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| go-sdk-version: ${{ steps.set-output.outputs.go-sdk-version }} | |
| ts-sdk-version: ${{ steps.set-output.outputs.ts-sdk-version }} | |
| java-sdk-version: ${{ steps.set-output.outputs.java-sdk-version }} | |
| python-sdk-version: ${{ steps.set-output.outputs.python-sdk-version }} | |
| dotnet-sdk-version: ${{ steps.set-output.outputs.dotnet-sdk-version }} | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v2 | |
| - name: Load versions | |
| run: | | |
| set -a && source versions.env && set +a | |
| printenv >> $GITHUB_ENV | |
| - name: Set output variables to pass to docker YML | |
| id: set-output | |
| run: | | |
| echo "go-sdk-version=v${{ env.GO_SDK_VERSION }}" >> "$GITHUB_OUTPUT" | |
| echo "ts-sdk-version=v${{ env.TYPESCRIPT_SDK_VERSION }}" >> "$GITHUB_OUTPUT" | |
| echo "java-sdk-version=v${{ env.JAVA_SDK_VERSION }}" >> "$GITHUB_OUTPUT" | |
| echo "python-sdk-version=v${{ env.PYTHON_SDK_VERSION }}" >> "$GITHUB_OUTPUT" | |
| echo "dotnet-sdk-version=v${{ env.DOTNET_SDK_VERSION }}" >> "$GITHUB_OUTPUT" | |
| push-docker-images: | |
| needs: prepare-for-docker-push | |
| uses: ./.github/workflows/all-docker-images.yml | |
| secrets: inherit | |
| with: | |
| # Only images that are built from `main` are tagged as `latest`. | |
| # This ensures that internal systems can rely on the latest tag to be stable. | |
| as-latest: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| do-push: true | |
| go-version: ${{ needs.prepare-for-docker-push.outputs.go-sdk-version }} | |
| ts-version: ${{ needs.prepare-for-docker-push.outputs.ts-sdk-version }} | |
| java-version: ${{ needs.prepare-for-docker-push.outputs.java-sdk-version }} | |
| py-version: ${{ needs.prepare-for-docker-push.outputs.python-sdk-version }} | |
| dotnet-version: ${{ needs.prepare-for-docker-push.outputs.dotnet-sdk-version }} | |
| trigger-private-registry-mirror: | |
| name: Trigger private registry mirror | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push-docker-images | |
| - prepare-for-docker-push | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Prepare webhook payload | |
| id: payload | |
| env: | |
| GO_VERSION: ${{ needs.prepare-for-docker-push.outputs.go-sdk-version }} | |
| PYTHON_VERSION: ${{ needs.prepare-for-docker-push.outputs.python-sdk-version }} | |
| JAVA_VERSION: ${{ needs.prepare-for-docker-push.outputs.java-sdk-version }} | |
| TS_VERSION: ${{ needs.prepare-for-docker-push.outputs.ts-sdk-version }} | |
| DOTNET_VERSION: ${{ needs.prepare-for-docker-push.outputs.dotnet-sdk-version }} | |
| run: | | |
| # Create webhook payload with all omes images | |
| PAYLOAD=$(jq -n \ | |
| --arg type "repository" \ | |
| --arg timestamp "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \ | |
| --arg repository "${{ github.repository }}" \ | |
| --arg ref "${{ github.ref }}" \ | |
| --arg commit_sha "${{ github.sha }}" \ | |
| --arg go_version "$GO_VERSION" \ | |
| --arg python_version "$PYTHON_VERSION" \ | |
| --arg java_version "$JAVA_VERSION" \ | |
| --arg ts_version "$TS_VERSION" \ | |
| --arg dotnet_version "$DOTNET_VERSION" \ | |
| '{ | |
| metadata: { | |
| type: $type, | |
| timestamp: $timestamp, | |
| repository: $repository, | |
| ref: $ref, | |
| commit_sha: $commit_sha | |
| }, | |
| images: [ | |
| {source: "docker.io/temporaliotest/omes:go-\($go_version)", destination: "omes:go-\($go_version)"}, | |
| {source: "docker.io/temporaliotest/omes:python-\($python_version)", destination: "omes:python-\($python_version)"}, | |
| {source: "docker.io/temporaliotest/omes:java-\($java_version)", destination: "omes:java-\($java_version)"}, | |
| {source: "docker.io/temporaliotest/omes:typescript-\($ts_version)", destination: "omes:typescript-\($ts_version)"}, | |
| {source: "docker.io/temporaliotest/omes:dotnet-\($dotnet_version)", destination: "omes:dotnet-\($dotnet_version)"}, | |
| {source: "docker.io/temporaliotest/omes:cli", destination: "omes:cli"} | |
| ] | |
| }') | |
| echo "payload=$PAYLOAD" >> $GITHUB_OUTPUT | |
| - name: Send webhook | |
| env: | |
| WEBHOOK_URL: ${{ secrets.PRIVATE_REGISTRY_MIRROR_WEBHOOK_URL }} | |
| WEBHOOK_SECRET: ${{ secrets.PRIVATE_REGISTRY_MIRROR_WEBHOOK_SECRET }} | |
| PAYLOAD: ${{ steps.payload.outputs.payload }} | |
| run: | | |
| # Compute HMAC-SHA256 signature (hex-encoded) | |
| SIGNATURE=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" -binary | xxd -p -c 256) | |
| # Send webhook with retries | |
| curl -X POST "$WEBHOOK_URL" \ | |
| -H "Content-Type: application/json" \ | |
| -H "X-Webhook-Signature: $SIGNATURE" \ | |
| -H "X-Request-ID: ${{ github.run_id }}" \ | |
| --data "$PAYLOAD" \ | |
| --fail-with-body \ | |
| --retry 3 \ | |
| --retry-delay 2 |