Add Github Actions (#156)

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

Author: Frawless

.azure/build-pipeline.yaml

@@ -32,18 +32,19 @@ stages:
           artifactRunVersion: ''
           artifactRunId: ''
           architectures: ['amd64', 'arm64', 's390x', 'ppc64le']
-  - stage: container_publish
-    displayName: Publish Container
-    dependsOn:
-      - container_build
-    condition: and(succeeded(), eq(variables['build.sourceBranch'], 'refs/heads/main'))
-    jobs:
-      - template: 'templates/jobs/push_container.yaml'
-        parameters:
-          dockerTag: 'latest'
-          artifactSource: 'current'
-          artifactProject: 'strimzi'
-          artifactPipeline: ''
-          artifactRunVersion: ''
-          artifactRunId: ''
-          architectures: ['amd64', 'arm64', 's390x', 'ppc64le']
+  # Push is now done by GitHub Actions
+  # - stage: container_publish
+  #   displayName: Publish Container
+  #   dependsOn:
+  #     - container_build
+  #   condition: and(succeeded(), eq(variables['build.sourceBranch'], 'refs/heads/main'))
+  #   jobs:
+  #     - template: 'templates/jobs/push_container.yaml'
+  #       parameters:
+  #         dockerTag: 'latest'
+  #         artifactSource: 'current'
+  #         artifactProject: 'strimzi'
+  #         artifactPipeline: ''
+  #         artifactRunVersion: ''
+  #         artifactRunId: ''
+  #         architectures: ['amd64', 'arm64', 's390x', 'ppc64le']

.github/actions/build/build-binaries/action.yml

@@ -0,0 +1,87 @@
+name: "Build Client Examples Binaries"
+description: "Build and archive client examples binaries"
+
+inputs:
+  javaVersion:
+    description: "Java version"
+    required: false
+    default: "17"
+  runnerArch:
+    description: "Architecture of GitHub runner"
+    required: false
+    default: "amd64"
+  mainBuild:
+    description: "Whether this is the main build"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Java
+      uses: strimzi/strimzi-kafka-operator/.github/actions/dependencies/setup-java@main
+      with:
+        javaVersion: ${{ inputs.javaVersion }}
+
+    - name: Setup Yq
+      uses: strimzi/strimzi-kafka-operator/.github/actions/dependencies/install-yq@main
+
+    - name: Restore Maven cache
+      uses: actions/cache/restore@v5
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          maven-
+
+    - name: Build Java code
+      shell: bash
+      run: make java_install
+      env:
+        MVN_ARGS: "-DskipTests -e -V -B"
+
+    - name: Run Spotbugs
+      shell: bash
+      run: make spotbugs
+      env:
+        MVN_ARGS: "-e -V -B"
+
+    - name: Build & Test Java code
+      shell: bash
+      run: mvn verify
+      env:
+        MVN_ARGS: "-e -V -B"
+
+    - name: Create tarball with binaries
+      shell: bash
+      run: |
+        # Create tarball with all Java module targets
+        tar -cvpf client-examples-binaries.tar $(find . -type d -print | grep target)
+
+    - name: Upload binaries artifact (main build)
+      if: ${{ inputs.mainBuild == 'true' }}
+      uses: actions/upload-artifact@v5
+      with:
+        name: client-examples-binaries.tar
+        path: client-examples-binaries.tar
+
+    - name: Upload binaries artifact with Java version
+      uses: actions/upload-artifact@v5
+      with:
+        name: client-examples-binaries-java-${{ inputs.javaVersion }}.tar
+        path: client-examples-binaries.tar
+
+    - name: Clean external SNAPSHOT dependencies from Maven repository
+      if: github.ref == 'refs/heads/main'
+      shell: bash
+      run: |
+        mvn dependency:purge-local-repository \
+        -DsnapshotsOnly=true \
+        -DreResolve=false || true
+
+    - name: Save Maven cache
+      if: github.ref == 'refs/heads/main' && inputs.mainBuild == 'true'
+      uses: actions/cache/save@v5
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}

.github/actions/build/build-containers/action.yml

@@ -0,0 +1,69 @@
+name: "Build Client Examples Containers"
+description: "Build and archive client examples container images"
+
+inputs:
+  architecture:
+    description: "Architecture to build (amd64, arm64, s390x, ppc64le)"
+    required: false
+    default: "amd64"
+  runnerArch:
+    description: "Architecture of GitHub runner"
+    required: false
+    default: "amd64"
+  buildRunId:
+    description: "Build workflow run ID for artifact download"
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Docker
+      uses: strimzi/strimzi-kafka-operator/.github/actions/dependencies/install-docker@main
+
+    - name: Download binaries from this workflow
+      if: ${{ inputs.buildRunId == '' }}
+      uses: actions/download-artifact@v7
+      with:
+        name: client-examples-binaries.tar
+
+    - name: Download binaries from external build
+      if: ${{ inputs.buildRunId != '' }}
+      uses: actions/download-artifact@v7
+      with:
+        name: client-examples-binaries.tar
+        run-id: ${{ inputs.buildRunId }}
+        github-token: ${{ github.token }}
+
+    - name: Untar binaries
+      shell: bash
+      run: tar -xvf client-examples-binaries.tar
+
+    - name: Build and save containers
+      shell: bash
+      run: make docker_build docker_save
+      env:
+        DOCKER_BUILDKIT: 1
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+        DOCKER_REGISTRY: "quay.io"
+        DOCKER_ORG: "strimzi-examples"
+        DOCKER_ARCHITECTURE: ${{ inputs.architecture }}
+
+    - name: Create tarball with containers
+      shell: bash
+      run: |
+        tar -cvpf containers-${{ inputs.architecture }}.tar *-${{ inputs.architecture }}.tar.gz
+
+    - name: Upload container artifact
+      uses: actions/upload-artifact@v5
+      with:
+        name: containers-${{ inputs.architecture }}.tar
+        path: containers-${{ inputs.architecture }}.tar
+
+    - name: List built images
+      if: ${{ always() }}
+      shell: bash
+      run: docker images -a
+
+# Made with Bob

.github/actions/build/push-containers/action.yml

@@ -0,0 +1,147 @@
+name: "Push Client Examples Containers"
+description: "Push Client Examples container images with signing and SBOM"
+
+inputs:
+  architectures:
+    description: "Comma-separated list of architectures (e.g., 'amd64,arm64,s390x,ppc64le')"
+    required: true
+  runnerArch:
+    description: "Runner architecture (amd64, arm64)"
+    required: false
+    default: "amd64"
+  quayUser:
+    description: "Quay.io username"
+    required: true
+  quayPass:
+    description: "Quay.io password"
+    required: true
+  buildRunId:
+    description: "Build workflow run ID for artifact download"
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Syft
+      shell: bash
+      run: |
+        ARCH="${{ inputs.runnerArch }}"
+        VERSION="0.90.0"
+        wget https://github.com/anchore/syft/releases/download/v${VERSION}/syft_${VERSION}_linux_${ARCH}.tar.gz -O syft.tar.gz
+        tar xf syft.tar.gz -C /tmp
+        chmod +x /tmp/syft
+        sudo mv /tmp/syft /usr/bin
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v4.0.0
+
+    - name: Setup Docker
+      uses: strimzi/strimzi-kafka-operator/.github/actions/dependencies/install-docker@main
+
+    - name: Download container artifacts from external build
+      if: ${{ inputs.buildRunId != '' }}
+      uses: actions/download-artifact@v7
+      with:
+        pattern: containers-*
+        path: ./
+        merge-multiple: true
+        run-id: ${{ inputs.buildRunId }}
+        github-token: ${{ github.token }}
+
+    - name: Download container artifacts from this workflow
+      if: ${{ inputs.buildRunId == '' }}
+      uses: actions/download-artifact@v7
+      with:
+        pattern: containers-*
+        path: ./
+        merge-multiple: true
+
+    - name: Extract container archives
+      shell: bash
+      run: |
+        IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
+        for arch in "${ARCH_ARRAY[@]}"; do
+          echo "Extracting containers-${arch}.tar"
+          tar -xvf "containers-${arch}.tar"
+          rm "containers-${arch}.tar"
+        done
+
+    - name: Login to container registry
+      shell: bash
+      run: docker login -u ${{ inputs.quayUser }} -p ${{ inputs.quayPass }} ${{ env.DOCKER_REGISTRY }}
+
+    - name: Delete existing container manifests
+      shell: bash
+      run: make docker_delete_manifest
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+
+    - name: Push containers and create manifests
+      shell: bash
+      run: |
+        IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
+        for arch in "${ARCH_ARRAY[@]}"; do
+          echo "Processing architecture: ${arch}"
+          export DOCKER_ARCHITECTURE="${arch}"
+          make docker_load docker_tag docker_push docker_amend_manifest docker_delete_archive
+        done
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+
+    - name: Push container manifests
+      shell: bash
+      run: make docker_push_manifest
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+
+    - name: Sign container manifests
+      shell: bash
+      run: make docker_gha_sign_manifest
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+        BUILD_ID: ${{ github.run_number }}
+        BUILD_COMMIT: ${{ github.sha }}
+
+    - name: Generate and sign SBOMs
+      shell: bash
+      run: |
+        IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
+        for arch in "${ARCH_ARRAY[@]}"; do
+          echo "Generating SBOM for architecture: ${arch}"
+          export DOCKER_ARCHITECTURE="${arch}"
+          make docker_gha_sbom
+        done
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+
+    - name: Create SBOM archive
+      shell: bash
+      run: tar -z -C ./sbom/ -cvpf sbom.tar.gz ./
+
+    - name: Upload SBOM artifact
+      uses: actions/upload-artifact@v5
+      with:
+        name: SBOMs-${{ env.DOCKER_TAG }}
+        path: sbom.tar.gz
+
+    - name: Push SBOMs to registry
+      if: ${{ startsWith(github.ref, 'refs/heads/release-') }}
+      shell: bash
+      run: |
+        IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
+        for arch in "${ARCH_ARRAY[@]}"; do
+          echo "Pushing SBOM for architecture: ${arch}"
+          export DOCKER_ARCHITECTURE="${arch}"
+          make docker_gha_push_sbom
+        done
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+        BUILD_ID: ${{ github.run_number }}
+        BUILD_COMMIT: ${{ github.sha }}