Update, simplify and remove redundant steps in CI config

.github/mergify.yml

@@ -1,27 +1,41 @@
+# The `check-success` should be specifying the final job in the CI workflow assuming it depends
+# directly or indirectly on all other jobs passing.
+
+shared:
+  # Rules applicable to both queueing and merge requests.
+  compulsory: &compulsory
+
+    # Ensure the minimal CI checks have passed.
+    - check-success=DCO
+    - check-success=Package
+
+    # Ensure we're targetting the default branch.
+    - base=main
+
+    # Ensure we have adequete reviews.
+    - "#approved-reviews-by>=1"
+    - "#changes-requested-reviews-by=0"
+
+    # Ensure we aren't being explicitly blocked with a label.
+    - label!=do-not-merge
+
 queue_rules:
   - name: default
     conditions:
-      # Conditions to get out of the queue (= merged)
-      - check-success=DCO
-      - check-success~=docker-images.*tink-server
-      - check-success~=docker-images.*tink-worker
+      - and: *compulsory
+
 pull_request_rules:
-  - name: Automatic merge on approval
+  - name: Automatic merge
     conditions:
-      - base=main
-      - "#approved-reviews-by>=1"
-      - "#changes-requested-reviews-by=0"
-      - "#review-requested=0"
-      - check-success=DCO
-      - check-success~=docker-images.*tink-server
-      - check-success~=docker-images.*tink-worker
-      - check-success=crosscompile
-      - label!=do-not-merge
+      - and: *compulsory
+
+      # Ensure the review is opted in using labels.
       - label=ready-to-merge
+
     actions:
       queue:
-        method: merge
         name: default
+        method: merge
         commit_message_template: |
           {{ title }} (#{{ number }})
 

.github/workflows/ci.yaml

@@ -1,4 +1,4 @@
-name: For each commit and PR
+name: Tink
 on:
   push:
     branches:
@@ -8,80 +8,72 @@ on:
   pull_request:
 env:
   CGO_ENABLED: 0
+  GO_VERSION: 1.18
 jobs:
   verify:
+    name: Verify
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.18.5"
-      - name: make verify
-        run: make verify
+          go-version: "${{ env.GO_VERSION }}"
+      - run: make verify
   test:
+    name: Test
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.18.5"
+          go-version: "${{ env.GO_VERSION }}"
       - name: Install nix
         uses: cachix/install-nix-action@v16
         with:
           nix_path: nixpkgs=channel:nixos-unstable
-      - name: Fetch Nix Packages
+      - name: Install required nix packages
         run: nix-shell --run 'true'
-      - name: Generate
-        run: nix-shell --run 'make generate'
-      - name: go test
-        run: make test
-      - name: upload codecov
+      - run: make test
+      - name: Upload codecov
         run: bash <(curl -s https://codecov.io/bash)
-  ci-checks:
+  checks:
+    name: CI Checks
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Install nix
         uses: cachix/install-nix-action@v16
         with:
           nix_path: nixpkgs=channel:nixos-unstable
-      - name: Fetch Nix Packages
-        run: nix-shell --run 'true'
+      - run: nix-shell --run 'true'
       - run: PATH=$PWD/bin/:$PATH ./ci-checks.sh
   # We preemptively build the binaries for efficiency instead of waiting on unit tests to pass
   # hence this doesn't depend on anything.
-  crosscompile:
+  build:
+    name: Build
     runs-on: ubuntu-latest
     strategy:
       matrix:
         platform: [amd64, arm64]
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.18.5"
+          go-version: "${{ env.GO_VERSION }}"
       - name: Build linux/${{ matrix.platform }}
-        run: |
-          make build -j$(nproc) GOOS=linux GOARCH=${{ matrix.platform }}
-      - name: Upload binaries
-        uses: actions/upload-artifact@v2
+        run: make build -j$(nproc) GOOS=linux GOARCH=${{ matrix.platform }}
+      - uses: actions/upload-artifact@v3
         with:
           name: binaries
           path: bin/*
-  docker-images:
+  package:
+    name: Package
     runs-on: ubuntu-latest
     needs:
       - verify
       - test
-      - ci-checks
-      - crosscompile
+      - checks
+      - build
     strategy:
       matrix:
         include:
@@ -92,36 +84,32 @@ jobs:
           - repository: quay.io/tinkerbell/tink-controller
             binary: tink-controller
     steps:
-      - name: Docker Image Tag for Sha
+      - name: Create docker image tags
         id: docker-image-tag
-        run: |
-          echo ::set-output name=tags::${{ matrix.repository }}:latest,${{ matrix.repository }}:sha-${GITHUB_SHA::8}
-      - name: Checkout code
-        uses: actions/checkout@v2
+        run: echo ::set-output name=tags::${{ matrix.repository }}:latest,${{ matrix.repository }}:sha-${GITHUB_SHA::8}
+      - uses: actions/checkout@v3
       - name: Login to quay.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         if: ${{ startsWith(github.ref, 'refs/heads/main') }}
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+      # - name: Set up QEMU
+      #   uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Download binaries
+        uses: docker/setup-buildx-action@v2
+      - name: Download all binaries
         uses: actions/download-artifact@v2
         with:
           name: binaries
           path: ./bin
-      - run: |
-          ls -l .
-          ls -l bin/
-          file bin/
-      - name: Fix Permissions
+      # Artifact upload doesn't preserve permissions so we need to fix them before use in
+      # the Dockerfiles.
+      - name: Fix permissions
         run: chmod +x bin/*
-      - name: ${{ matrix.repository }}
-        uses: docker/build-push-action@v2
+      - name: Build ${{ matrix.repository }} and push
+        uses: docker/build-push-action@v3
         with:
           context: .
           file: cmd/${{ matrix.binary }}/Dockerfile

.github/workflows/tags.yaml

@@ -2,17 +2,16 @@ on:
   push:
     tags:
       - "v*"
-name: Create release
+name: Release
 env:
   REGISTRY: quay.io
   IMAGE_NAME: ${{ github.repository }}
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Generate Release Notes
+      - uses: actions/checkout@v3
+      - name: Generate release notes
         run: |
           release_notes=$(gh api repos/{owner}/{repo}/releases/generate-notes -F tag_name=${{ github.ref }} --jq .body)
           echo 'RELEASE_NOTES<<EOF' >> $GITHUB_ENV
@@ -22,39 +21,38 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           OWNER: ${{ github.repository_owner }}
           REPO: ${{ github.event.repository.name }}
-      - name: Docker manager metadata
+      - name: Generate Docker image metadata
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: latest=false
           tags: type=ref,event=tag
-      - name: Set the from image tag
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set the FROM_TAG variable
         run: echo "FROM_TAG=sha-${GITHUB_SHA::8}" >> $GITHUB_ENV
-      # This is for tink server. quay.io/tinkerbell/tink
-      - name: Copy the image using skopeo
+      - name: Create tink-server image
         run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}"
         env:
           SRC_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.FROM_TAG }}
           DST_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           DST_REG_USER: ${{ secrets.QUAY_USERNAME }}
           DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }}
-      - name: Copy the tink-controller image using skopeo
+      - name: Create tink-controller image
         run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}"
         env:
           SRC_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-controller:${{ env.FROM_TAG }}
           DST_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-controller:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           DST_REG_USER: ${{ secrets.QUAY_USERNAME }}
           DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }}
-      - name: Copy the tink-worker image using skopeo
+      - name: Create tink-worker image
         run: skopeo copy --all --dest-creds="${DST_REG_USER}":"${DST_REG_PASS}" docker://"${SRC_IMAGE}" docker://"${DST_IMAGE}"
         env:
           SRC_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-worker:${{ env.FROM_TAG }}
           DST_IMAGE: ${{ env.REGISTRY }}/tinkerbell/tink-worker:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           DST_REG_USER: ${{ secrets.QUAY_USERNAME }}
           DST_REG_PASS: ${{ secrets.QUAY_PASSWORD }}
-      - name: Create Release
-        id: create_release
+      - name: Create release
         uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.yamlfmt

@@ -0,0 +1,2 @@
+exclude:
+  - .github/**