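# Manually dispatched workflow: resolves which repository secret holds the
# destination registry token, checks that it is configured, then hands the
# transfer to the shared reusable workflow in mosip/kattu.
name: Manual workflow to transfer images

on:
  workflow_dispatch:
    inputs:
      USERNAME:
        description: 'provide docker hub username'
        required: true
        default: ''
        type: string
      SECRET_NAME:
        description: 'Select the GitHub secret name for Docker registry token'
        required: true
        default: 'MOSIPDEV2_DOCKER_TOKEN'
        type: choice
        options:
          - MOSIPDEV2_DOCKER_TOKEN
          - MOSIPQA_DOCKER_TOKEN
          - MOSIPID_DOCKER_TOKEN
          - MOSIPINT_DOCKER_TOKEN
          - INJISTACK_DOCKER_TOKEN
          - custom
      CUSTOM_SECRET_NAME:
        description: 'If SECRET_NAME is "custom", enter the GitHub secret name here'
        required: false
        default: ''
        type: string
      DESTINATION_ORGANIZATION:
        description: 'provide docker hub destination org'
        required: true
        default: ''
        type: string
      # NOTE(review): the description offers http:// as an example. How the URL
      # is used is decided by the called workflow (not visible here), but a
      # non-TLS registry would receive the credential unencrypted; prefer https.
      REGISTRY_URL:
        description: 'provide destination registry URL (http://harbor.example.com or https://registry.example.com)'
        required: true
        default: 'https://index.docker.io/v1/'
        type: string
      REGISTRY_TYPE:
        description: 'Select destination registry type'
        required: true
        default: 'dockerhub'
        type: choice
        options:
          - dockerhub
          - harbor
          - other
      ENABLE_WIREGUARD:
        description: 'Enable WireGuard VPN (required for private Harbor networks)'
        required: false
        default: false
        type: boolean

jobs:
  # Resolves the secret *name* (never the value) and exposes it as the job
  # output TOKEN. The name is logged; the secret value is not read by the shell.
  chk_token:
    runs-on: ubuntu-latest
    # Least privilege: this job only runs shell checks and makes no API calls,
    # so the automatic GITHUB_TOKEN gets no scopes.
    permissions: {}
    outputs:
      TOKEN: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
    steps:
      - name: Resolve secret name
        id: ORG_TOKEN
        env:
          # Inputs are passed through env rather than interpolated into the
          # script, so their content is never parsed as shell code.
          SELECTED_SECRET: ${{ inputs.SECRET_NAME }}
          CUSTOM_SECRET: ${{ inputs.CUSTOM_SECRET_NAME }}
        run: |
          if [ "$SELECTED_SECRET" = "custom" ]; then
            # User selected custom — CUSTOM_SECRET_NAME is required
            if [ -z "$CUSTOM_SECRET" ]; then
              printf '❌ ERROR: CUSTOM_SECRET_NAME is required when SECRET_NAME is set to "custom"\n' >&2
              printf 'Please provide the GitHub secret name in the CUSTOM_SECRET_NAME field\n' >&2
              exit 1
            fi
            # GitHub secret names hold only letters, digits and underscores and
            # must not start with a digit. The pattern is matched against the
            # whole value (a line-oriented grep would accept a multi-line value
            # if any single line matched, and the value is later written to
            # GITHUB_OUTPUT as one line).
            case "$CUSTOM_SECRET" in
              [!A-Za-z_]*|*[!A-Za-z0-9_]*)
                printf '❌ ERROR: Invalid secret name: "%s"\n' "$CUSTOM_SECRET" >&2
                printf 'GitHub secret names must:\n' >&2
                printf ' - Start with a letter or underscore\n' >&2
                printf ' - Contain only letters, numbers, and underscores\n' >&2
                printf ' - No spaces, hyphens, or special characters\n' >&2
                printf 'Example: MY_ORG_DOCKER_TOKEN\n' >&2
                exit 1
                ;;
            esac
            # The GITHUB_ prefix is reserved, so no user-created secret can
            # carry it; rejecting it keeps the automatic GITHUB_TOKEN from
            # being selected and forwarded as a registry password.
            case "$CUSTOM_SECRET" in
              [Gg][Ii][Tt][Hh][Uu][Bb]_*)
                printf '❌ ERROR: Secret name "%s" uses the reserved GITHUB_ prefix\n' "$CUSTOM_SECRET" >&2
                exit 1
                ;;
            esac
            TOKEN_SECRET="$CUSTOM_SECRET"
            printf 'Using custom secret name: %s\n' "$TOKEN_SECRET"
          else
            TOKEN_SECRET="$SELECTED_SECRET"
            printf 'Using predefined secret name: %s\n' "$TOKEN_SECRET"
          fi
          printf 'TOKEN=%s\n' "$TOKEN_SECRET" >> "$GITHUB_OUTPUT"

      - name: Validate secret configuration
        env:
          # Only the boolean result of the comparison reaches the shell; the
          # secret value itself is not exported into this step.
          TOKEN_EXISTS: ${{ secrets[steps.ORG_TOKEN.outputs.TOKEN] != '' }}
          SECRET_NAME: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
          DESTINATION_ORGANIZATION: ${{ inputs.DESTINATION_ORGANIZATION }}
        run: |
          if [ "$TOKEN_EXISTS" != "true" ]; then
            printf '❌ ERROR: Secret '\''%s'\'' is not configured or is empty\n' "$SECRET_NAME"
            printf '\n'
            printf 'Please configure the following secret in GitHub repository settings:\n'
            printf ' Secret name: %s\n' "$SECRET_NAME"
            printf ' Path: Settings → Secrets and variables → Actions → New repository secret\n'
            printf '\n'
            printf 'For organization '\''%s'\'', you need:\n' "$DESTINATION_ORGANIZATION"
            printf ' - Secret: %s\n' "$SECRET_NAME"
            printf ' - Value: Your Docker registry token/password\n'
            exit 1
          fi
          printf '✅ Secret '\''%s'\'' is configured\n' "$SECRET_NAME"

  Image-transfer:
    needs: chk_token
    # NOTE(review): the called workflow is referenced by a mutable branch and
    # receives three secrets. Pinning `uses:` to a full commit SHA would make
    # the code that handles them immutable and reviewable before each bump.
    uses: mosip/kattu/.github/workflows/image-transfer.yml@master
    with:
      DESTINATION_ORGANIZATION: ${{ inputs.DESTINATION_ORGANIZATION }}
      REGISTRY_URL: ${{ inputs.REGISTRY_URL }}
      REGISTRY_TYPE: ${{ inputs.REGISTRY_TYPE }}
      ENABLE_WIREGUARD: ${{ inputs.ENABLE_WIREGUARD }}
      USERNAME: ${{ inputs.USERNAME }}
    secrets:
      # NOTE(review): both the secret looked up here and REGISTRY_URL are
      # chosen at dispatch time, so anyone allowed to run this workflow
      # decides which stored secret is presented to which endpoint. Consider
      # limiting the name to the fixed choice list, or running the transfer
      # behind a protected environment with required reviewers.
      TOKEN: "${{ secrets[needs.chk_token.outputs.TOKEN] }}"
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_DEVOPS }}
      WIREGUARD_CONFIG: ${{ secrets.WIREGUARD_CONFIG }}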