feat: add PPM OIDC/SSO web UI configuration #242

Workflow file for this run

	# Team Operator Build and Push Workflow
	#
	# Image destinations:
	# - GHCR (ghcr.io/posit-dev/team-operator): PR builds only (adhoc testing)
	# - Docker Hub (posit/team-operator): Main branch only (releases)
	#
	# Adhoc images are automatically cleaned up when the PR is closed
	# (see cleanup-adhoc-images.yml)

	on:
	push:
	branches:
	- main
	paths-ignore:
	- '*/.md'
	- 'docs/**'
	- '.claude/**'
	- 'LICENSE'
	pull_request:
	paths-ignore:
	- '*/.md'
	- 'docs/**'
	- '.claude/**'
	- 'LICENSE'

	permissions:
	actions: write
	contents: read
	id-token: write
	packages: write

	env:
	DOCKER_HUB_ORG: posit
	GHCR_REGISTRY: ghcr.io/posit-dev

	name: build/push team-operator

	jobs:
	build:
	runs-on: ubuntu-latest-8x
	name: build
	outputs:
	image-tag: ${{ steps.image-tag.outputs.full-image }}
	image-name: ${{ steps.image-tag.outputs.image }}
	adhoc-tag: ${{ steps.adhoc-tag.outputs.tag }}
	version: ${{ steps.metadata.outputs.version }}

	steps:
	- name: Check Out Repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- uses: extractions/setup-just@v2

	- uses: actions/cache@v4
	with:
	path: .local/bin
	key: ${{ runner.os }}-local-bins-${{ hashFiles('*/.go', 'go.sum') }}
	restore-keys: \|
	${{ runner.os }}-local-bins-

	- name: Set up Snyk
	uses: snyk/actions/setup@0.4.0

	- uses: actions/setup-go@v5
	id: setup-go
	with:
	go-version-file: go.mod
	cache: true
	cache-dependency-path: go.sum

	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@v3

	- name: Cache Operator SDK bins
	uses: actions/cache@v4
	with:
	path: bin/
	key: ${{ runner.os }}-operator-sdk-bins-${{ hashFiles('Makefile') }}
	restore-keys: \|
	${{ runner.os }}-operator-sdk-bins-

	- name: Smoke test the Justfile
	run: just -l

	- name: Smoke test the Makefile
	run: make help

	- name: Build
	run: make build
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Run unit tests
	run: make go-test cov
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Test kustomization
	run: make test-kustomize
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Helm lint
	run: make helm-lint

	- name: Helm template
	run: make helm-template > /dev/null

	- name: Verify Helm chart is in sync with kustomize
	run: \|
	# Regenerate Helm chart from base kustomize CRDs
	make helm-generate
	# Fail if regeneration produced any changes
	if ! git diff --quiet; then
	echo "::error::Helm chart is out of sync with kustomize CRDs"
	echo ""
	echo "The Helm chart in dist/chart/ was generated from config/crd/ but has drifted."
	echo "Run this locally to fix:"
	echo ""
	echo " make helm-generate"
	echo ""
	echo "Then commit the changes."
	echo ""
	git diff --stat
	exit 1
	fi

	- name: Assert no diff
	run: \|
	git diff --exit-code
	git diff --cached --exit-code

	- name: Get build metadata
	id: metadata
	run: \|
	GO_VERSION=$(go list -m -f '{{.GoVersion}}')
	VERSION=$(git describe --always --dirty --tags)
	echo "go-version=$GO_VERSION" >> $GITHUB_OUTPUT
	echo "version=$VERSION" >> $GITHUB_OUTPUT

	- name: Compute image tag
	id: image-tag
	run: \|
	IMAGE="team-operator:${{ steps.metadata.outputs.version }}"
	echo "image=$IMAGE" >> $GITHUB_OUTPUT
	echo "full-image=${{ env.GHCR_REGISTRY }}/team-operator:${{ steps.metadata.outputs.version }}" >> $GITHUB_OUTPUT

	- name: Compute adhoc tag for PRs
	id: adhoc-tag
	if: github.event_name == 'pull_request'
	env:
	DOCKER_TAG_MAX_LENGTH: 128
	run: \|
	BRANCH_NAME="${{ github.head_ref }}"
	VERSION="${{ steps.metadata.outputs.version }}"
	SANITIZED_BRANCH=$(echo "$BRANCH_NAME" \| tr '/' '-')
	TAG="adhoc-${SANITIZED_BRANCH}-${VERSION}"

	if [ ${#TAG} -gt $DOCKER_TAG_MAX_LENGTH ]; then
	OVERFLOW=$((${#TAG} - DOCKER_TAG_MAX_LENGTH))
	MAX_BRANCH_LEN=$((${#SANITIZED_BRANCH} - OVERFLOW))
	SANITIZED_BRANCH="${SANITIZED_BRANCH:0:$MAX_BRANCH_LEN}"
	TAG="adhoc-${SANITIZED_BRANCH}-${VERSION}"
	fi

	echo "tag=$TAG" >> $GITHUB_OUTPUT

	- name: Build and load Docker image
	uses: docker/build-push-action@v6
	with:
	context: .
	file: Dockerfile
	platforms: linux/amd64
	load: true
	tags: ${{ steps.image-tag.outputs.full-image }}
	build-args: \|
	VERSION=${{ steps.metadata.outputs.version }}
	GO_VERSION=${{ steps.metadata.outputs.go-version }}
	cache-from: type=gha,ignore-error=true
	cache-to: type=gha,mode=max,ignore-error=true

	- name: Show image size
	run: docker image ls

	- name: Snyk scan container vulnerabilities
	run: snyk container monitor "${{ steps.image-tag.outputs.full-image }}" --exclude-app-vulns --file=Dockerfile --platform=linux/amd64
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

	- name: Login to GHCR
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Push to GHCR (main branch)
	if: github.ref == 'refs/heads/main'
	run: \|
	docker push "${{ steps.image-tag.outputs.full-image }}"

	- name: Push to GHCR (for PRs - adhoc testing)
	if: github.event_name == 'pull_request'
	run: \|
	ADHOC_TAG="${{ steps.adhoc-tag.outputs.tag }}"
	docker tag "${{ steps.image-tag.outputs.full-image }}" "${{ env.GHCR_REGISTRY }}/team-operator:${ADHOC_TAG}"
	docker push "${{ env.GHCR_REGISTRY }}/team-operator:${ADHOC_TAG}"

	- name: Display adhoc image tag
	if: github.event_name == 'pull_request'
	run: \|
	ADHOC_TAG="${{ steps.adhoc-tag.outputs.tag }}"
	IMAGE="${{ env.GHCR_REGISTRY }}/team-operator:${ADHOC_TAG}"
	echo "### Adhoc Team Operator Image" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "Image pushed to GHCR: \`${IMAGE}\`" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "This image will be automatically deleted when the PR is closed." >> $GITHUB_STEP_SUMMARY

	push-dockerhub:
	if: github.ref == 'refs/heads/main'
	needs: [build]
	runs-on: ubuntu-latest
	name: push-dockerhub
	steps:
	- name: Login to GHCR
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Pull from GHCR
	run: docker pull "${{ needs.build.outputs.image-tag }}"

	- name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKER_HUB_USERNAME }}
	password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

	- name: Push to Docker Hub
	run: \|
	docker tag \
	"${{ needs.build.outputs.image-tag }}" \
	"docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:latest"
	docker tag \
	"${{ needs.build.outputs.image-tag }}" \
	"docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:${{ needs.build.outputs.version }}"
	docker push "docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:latest"
	docker push "docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:${{ needs.build.outputs.version }}"

	- name: Display Docker Hub image tags
	run: \|
	echo "### Docker Hub Images Pushed" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "- \`docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:${{ needs.build.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
	echo "- \`docker.io/${{ env.DOCKER_HUB_ORG }}/ptd-team-operator:latest\`" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add PPM OIDC/SSO web UI configuration #242

Workflow file

feat: add PPM OIDC/SSO web UI configuration #242

Uh oh!

Workflow file for this run