diff --git a/README.md b/README.md index b9bd6ca..2b45644 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This repository contains the common Actions and config files for developing the - [action-io-generator](./action-io-generator) is an NPM package and (soon to be) Docker Action that makes sure your JavaScript action uses the same Inputs and Outputs defined in your `action.yml`. - [bundle-verifier](./bundle-verifier) is a JavaScript Action that makes sure your JavaScript action's committed distribution bundle is up-to-date. - [commit-data](./commit-data) is a Docker Action that outputs some commonly needed data about the current workflow's HEAD commit. +- [podman-entitlement](./podman-entitlement) is a composite Action which enables subsequent `podman build`s to consume Red Hat entitlements. - [config-files](./config-files) contains our shared TypeScript, ESLint, and Webpack configs. It is also used for tracking issues that don't fit into another, more specific repository. diff --git a/podman-entitlement/README.md b/podman-entitlement/README.md new file mode 100644 index 0000000..3492dc1 --- /dev/null +++ b/podman-entitlement/README.md @@ -0,0 +1,43 @@ +## Podman Entitlement GitHub Action + +When building container images that install Red Hat content +which is not part of Universal Base Image repositories, +Red Hat entitlements are needed to access the full Red Hat Enterprise Linux +repositories. + +To avoid modifying the Dockerfiles with extra steps that would +handle the registration, this Action registers a temporary system +using organization's activation key, and uses `/etc/containers/mounts.conf` +to configure subsequent `podman build` invocations to have access +to the entitlements. + +## Inputs + +| Input | Description | +| --- | --- | +| `org` | Red Hat account organization | +| `activationkey` | Red Hat account activation key | +| `image` | Container image to use to run `subscription-manager register` with the above parameters
Optional, defaults to `registry.access.redhat.com/ubi9` | + +## Usage + +On https://access.redhat.com/management/activation_keys, create +new Subscription Manager activation key. + +Set up secrets in your repository, for example `redhat_org` for your +Red Hat account organization and `redhat_activationkey` for your Red Hat +account activation key. Your Organization ID is shown on the above-mentioned +Activation Keys page on Red Hat portal. + +In your workflow YAML which calls `podman build`, add invocation +of `redhat-actions/common/podman-entitlement` before that `podman build` +step: + +```yaml + - uses: redhat-actions/common/podman-entitlement + with: + org: ${{ secrets.redhat_org }} + activationkey: ${{ secrets.redhat_activationkey }} + - run: podman build -t localhost/the-image:the-tag src +``` + diff --git a/podman-entitlement/action.yml b/podman-entitlement/action.yml new file mode 100644 index 0000000..38c8e11 --- /dev/null +++ b/podman-entitlement/action.yml @@ -0,0 +1,23 @@ +name: 'Enable Red Hat entitled podman builds' +inputs: + org: + description: 'Red Hat account organization' + activationkey: + description: 'Red Hat account activation key' + image: + description: 'Container image to use to run subscription-manager register' + default: 'registry.access.redhat.com/ubi9' +runs: + using: 'composite' + steps: + - run: | + NAME="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + NAME="${NAME#https://}" + NAME="${NAME////-}" + EDIR=/tmp/etc-pki-entitlement-${{ github.run_id }} + CDIR=/tmp/rhsm--${{ github.run_id }} + rm -rf "$EDIR" "$CDIR" + mkdir -p "$EDIR" "$CDIR" + podman run --name="$NAME" -v "$EDIR":/etc/pki/entitlement-out:z -v "$CDIR":/etc/rhsm-out:z -e SMDEV_CONTAINER_OFF=1 --rm "${{ inputs.image }}" bash -c '/usr/sbin/subscription-manager register --org="${{ inputs.org }}" --activationkey="${{ inputs.activationkey }}" --name="'$NAME'" && cp /etc/pki/entitlement/* /etc/pki/entitlement-out/ && cp -r /etc/rhsm/ca /etc/rhsm/rhsm.conf /etc/rhsm-out && /usr/sbin/subscription-manager unregister' + ( echo "$EDIR:/run/secrets/etc-pki-entitlement" ; echo "$CDIR:/run/secrets/rhsm" ) | sudo tee /etc/containers/mounts.conf + shell: bash