diff --git a/README.md b/README.md index b9bd6ca..2b45644 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This repository contains the common Actions and config files for developing the - [action-io-generator](./action-io-generator) is an NPM package and (soon to be) Docker Action that makes sure your JavaScript action uses the same Inputs and Outputs defined in your `action.yml`. - [bundle-verifier](./bundle-verifier) is a JavaScript Action that makes sure your JavaScript action's committed distribution bundle is up-to-date. - [commit-data](./commit-data) is a Docker Action that outputs some commonly needed data about the current workflow's HEAD commit. +- [podman-entitlement](./podman-entitlement) is a composite Action which enables subsequent `podman build`s to consume Red Hat entitlements. - [config-files](./config-files) contains our shared TypeScript, ESLint, and Webpack configs. It is also used for tracking issues that don't fit into another, more specific repository. diff --git a/podman-entitlement/README.md b/podman-entitlement/README.md new file mode 100644 index 0000000..3492dc1 --- /dev/null +++ b/podman-entitlement/README.md @@ -0,0 +1,43 @@ +## Podman Entitlement GitHub Action + +When building container images that install Red Hat content +which is not part of Universal Base Image repositories, +Red Hat entitlements are needed to access the full Red Hat Enterprise Linux +repositories. + +To avoid modifying the Dockerfiles with extra steps that would +handle the registration, this Action registers a temporary system +using organization's activation key, and uses `/etc/containers/mounts.conf` +to configure subsequent `podman build` invocations to have access +to the entitlements. + +## Inputs + +| Input | Description | +| --- | --- | +| `org` | Red Hat account organization | +| `activationkey` | Red Hat account activation key | +| `image` | Container image to use to run `subscription-manager register` with the above parameters
Optional, defaults to `registry.access.redhat.com/ubi9` | + +## Usage + +On https://access.redhat.com/management/activation_keys, create +new Subscription Manager activation key. + +Set up secrets in your repository, for example `redhat_org` for your +Red Hat account organization and `redhat_activationkey` for your Red Hat +account activation key. Your Organization ID is shown on the above-mentioned +Activation Keys page on Red Hat portal. + +In your workflow YAML which calls `podman build`, add invocation +of `redhat-actions/common/podman-entitlement` before that `podman build` +step: + +```yaml + - uses: redhat-actions/common/podman-entitlement + with: + org: ${{ secrets.redhat_org }} + activationkey: ${{ secrets.redhat_activationkey }} + - run: podman build -t localhost/the-image:the-tag src +``` + diff --git a/podman-entitlement/action.yml b/podman-entitlement/action.yml new file mode 100644 index 0000000..c25a51d --- /dev/null +++ b/podman-entitlement/action.yml 
@@ -0,0 +1,32 @@
+name: 'Enable Red Hat entitled podman builds'
+inputs:
+ org:
+ description: 'Red Hat account organization'
+ activationkey:
+ description: 'Red Hat account activation key'
+ image:
+ description: 'Container image to use to run subscription-manager register'
+ default: 'registry.access.redhat.com/ubi9'
+runs:
+ using: 'composite'
+ steps:
+ - run: mkdir -p /tmp/{etc-pki-entitlement,rhsm}-${{ github.run_id }}
+ shell: bash
+ - run: |
+ NAME=$( echo "$run_url" | sed 's#^https://##;s#/#-#g' )
+ podman run --rm --name="$NAME" \
+ -v "/tmp/etc-pki-entitlement-${{ github.run_id }}":/etc/pki/entitlement-out:z \
+ -v "/tmp/rhsm-${{ github.run_id }}":/etc/rhsm-out:z \
+ "${{ inputs.image }}" \
+ bash -c '/usr/sbin/subscription-manager register \
+ --org="${{ inputs.org }}" \
+ --activationkey="${{ inputs.activationkey }}" \
+ --name="'$NAME'" \
+ && cp /etc/pki/entitlement/* /etc/pki/entitlement-out/ \
+ && cp -r /etc/rhsm/ca /etc/rhsm/rhsm.conf /etc/rhsm-out \
+ && /usr/sbin/subscription-manager unregister'
+ env:
+ run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ shell: bash
+ - run: for i in etc-pki-entitlement rhsm ; do echo "/tmp/$i-${{ github.run_id }}:/run/secrets/$i" ; done | sudo tee -a /etc/containers/mounts.conf
+ shell: bash
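Review bot: In the second step `inputs.org`, `inputs.activationkey` and `inputs.image` are expanded with `${{ }}` directly into the `run:` script, so the activation key lands in the argv of `podman run` and of the inner `bash -c` (typically readable by other local users via `ps`, and not covered by log masking if the script is ever traced), and a caller-controlled `image` value can alter the command line; `run_url` in the same step already takes the safe route through `env:`, so the three inputs should do the same and reach the container via `-e`, as in the excerpt below. Because `unregister` is the last link of an `&&` chain, a failed `cp` leaves the temporary system registered against the organization — a `trap "/usr/sbin/subscription-manager unregister" EXIT` at the start of the `bash -c` script makes that cleanup unconditional. Note also that `cp /etc/pki/entitlement/*` copies the entitlement private key into a default-permission directory under `/tmp`, and the `tee -a` line makes it a mount for every later build with no removal step, which matters on self-hosted runners; `mkdir -m 700` and a documented cleanup of the two directories and the `mounts.conf` entries would limit the exposure. Finally, `org` and `activationkey` are not marked `required: true`, and the default `registry.access.redhat.com/ubi9` is a floating tag that could be pinned by digest.
```yaml
    - run: |
        NAME=$( echo "$run_url" | sed 's#^https://##;s#/#-#g' )
        podman run --rm --name="$NAME" \
          -e RH_ORG="$RH_ORG" -e RH_ACTIVATIONKEY="$RH_ACTIVATIONKEY" \
          -v "/tmp/etc-pki-entitlement-${{ github.run_id }}":/etc/pki/entitlement-out:z \
          -v "/tmp/rhsm-${{ github.run_id }}":/etc/rhsm-out:z \
          "$RH_IMAGE" \
          bash -c 'trap "/usr/sbin/subscription-manager unregister" EXIT \
            && /usr/sbin/subscription-manager register \
            --org="$RH_ORG" \
            --activationkey="$RH_ACTIVATIONKEY" \
            --name="'$NAME'" \
            && cp /etc/pki/entitlement/* /etc/pki/entitlement-out/ \
            && cp -r /etc/rhsm/ca /etc/rhsm/rhsm.conf /etc/rhsm-out'
      env:
        run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        RH_ORG: ${{ inputs.org }}
        RH_ACTIVATIONKEY: ${{ inputs.activationkey }}
        RH_IMAGE: ${{ inputs.image }}
      shell: bash
```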