From 9b1e751a4cceeb8eb4c693dd27750274ff00d7d2 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 3 Dec 2025 16:17:35 +0200 Subject: [PATCH 01/10] CEML-381: Add GitHub Actions workflow for triggering private deployments --- .../workflows/deploy_ce_onprem_public.yaml | 54 +++++++++++++++++++ .github/workflows/release.yml | 23 ++++++++ 2 files changed, 77 insertions(+) create mode 100644 .github/workflows/deploy_ce_onprem_public.yaml diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml new file mode 100644 index 00000000..fe7ec5b9 --- /dev/null +++ b/.github/workflows/deploy_ce_onprem_public.yaml 
@@ -0,0 +1,54 @@
+name: Trigger Private Deployment
+
+on:
+ workflow_call:
+ inputs:
+ version:
+ description: 'MLRun CE Chart version (e.g. 0.9.2)'
+ required: true
+ type: string
+ secrets:
+ DEPLOYMENT_TRIGGER_TOKEN:
+ required: true
+ DEPLOYMENT_REPO:
+ required: false
+ SYSTEM_ID:
+ required: true
+ TEST_PARAMS:
+ required: false
+
+jobs:
+ trigger-deployment:
+ name: Trigger Deployment in Private Repo
+ runs-on: ubuntu-latest
+ steps:
+ - name: Send Repository Dispatch to Private Deployment Repo
+ run: |
+ # Resolve target repo from secret
+ DEPLOYMENT_REPO="${{ secrets.DEPLOYMENT_REPO }}"
+ if [ -z "$DEPLOYMENT_REPO" ]; then
+ echo "::error::DEPLOYMENT_REPO secret is required but not set."
+ exit 1
+ fi
+
+ curl -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: token ${{ secrets.DEPLOYMENT_TRIGGER_TOKEN }}" \
+ https://api.github.com/repos/${DEPLOYMENT_REPO}/dispatches \
+ -d "$(jq -n \
+ --arg version "${{ inputs.version }}" \
+ --arg system_id "${{ secrets.SYSTEM_ID }}" \
+ --arg naipi_params "${{ secrets.TEST_PARAMS }}" \
+ '{
+ event_type: "deploy-ce-onprem",
+ client_payload: {
+ version: $version,
+ system_id: $system_id,
+ run_naipi: true,
+ naipi_params: $naipi_params,
+ source_repo: "ce",
+ triggered_by: "${{ github.actor }}"
+ }
+ }')"
+
+ echo "Deployment triggered in private repository: ${DEPLOYMENT_REPO}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2a28171a..5f012586 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
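Review bot: The `curl` call in the "Send Repository Dispatch" step has no `--fail`, so a rejected dispatch (a 401, 404 or 422 from the API) still exits 0 and the job reports success although nothing was triggered; change its first line to `curl -sS --fail-with-body -X POST \`. The same step also interpolates `${{ secrets.DEPLOYMENT_REPO }}`, `${{ inputs.version }}`, `${{ secrets.SYSTEM_ID }}` and `${{ github.actor }}` straight into the script text, where they are expanded before bash parses it; declare them under the step's `env:` and reference `"$DEPLOYMENT_REPO"`, `"$VERSION"` and so on instead, so quoting characters in a value cannot alter the command. The later hunks that rework this step (the App-token `Authorization` header in PATCH 04 and the `repo-info` step in PATCH 05) repeat the same interpolation pattern.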
@@ -38,6 +38,19 @@ jobs: env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + - name: Extract Chart Version from Chart.yaml + id: extract_version + run: | + CHART_VERSION=$(grep '^version:' charts/mlrun-ce/Chart.yaml | awk '{print $2}') + if [[ -z "$CHART_VERSION" ]]; then + echo "Error: Failed to extract version from Chart.yaml" >&2 + exit 1 + fi + echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT + + outputs: + version: ${{ steps.extract_version.outputs.version }} + notify_mlefi: runs-on: ubuntu-latest needs: release # Ensure this runs after the release job @@ -73,3 +86,13 @@ jobs: -H "Authorization: token ${{ secrets.MLEFIGHTRIGGER }}" \ https://api.github.com/repos/iguazio/mlefi/dispatches \ -d "$JSON_PAYLOAD" + + deploy_ce_onprem: + needs: release + uses: ./.github/workflows/deploy_ce_onprem_public.yaml + with: + version: ${{ needs.release.outputs.version }} + secrets: + DEPLOYMENT_TRIGGER_TOKEN: ${{ secrets.DEPLOYMENT_TRIGGER_TOKEN }} + SYSTEM_ID: ${{ secrets.SYSTEM_ID }} + TEST_PARAMS: ${{ secrets.TEST_PARAMS }} \ No newline at end of file From e80a3c269a1649d776faebd69856eb6a79da4bfe Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 3 Dec 2025 16:49:15 +0200 Subject: [PATCH 02/10] GH actuions- adding manual trigger support --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5f012586..a7f5ccaf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,7 @@ on: branches: - development - "[0-9]+.[0-9]+.x" + workflow_dispatch: jobs: release: From 610fc749a6bdc7ac4086b89ee7e7a92b25556d9a Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 3 Dec 2025 17:55:01 +0200 Subject: [PATCH 03/10] Add DEPLOYMENT_REPO secret to GitHub Actions --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a7f5ccaf..02bd4b88 100644 --- a/.github/workflows/release.yml 
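Review bot: `CHART_VERSION` in the new "Extract Chart Version from Chart.yaml" step is only tested for emptiness before it is exported and later forwarded to the private deployment payload; if `Chart.yaml` quotes its version (`version: "0.9.2"`) the `awk '{print $2}'` output keeps the quotes, and any other unexpected content passes through unvalidated. Replace the emptiness test with a shape check that also covers the empty case, e.g. `if [[ ! "$CHART_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.]+)?$ ]]; then`, and quote the redirect target: `echo "version=$CHART_VERSION" >> "$GITHUB_OUTPUT"`. The `release` job this step belongs to starts outside the hunk.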
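Review bot: The new `deploy_ce_onprem` job has no `if:` condition, so the private deployment is dispatched on every run of this workflow, including pushes where `Chart.yaml` did not change and the chart was presumably not re-published. If only newly released versions should be deployed, gate the job on a `release` output that records whether a release actually happened (a constructed example: `if: needs.release.outputs.released == 'true'`), or place it under an `environment:` with required reviewers so each dispatch is approved. The file also ends without a trailing newline (`\ No newline at end of file`), which the following patches keep re-emitting in their hunks; add one.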
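Review bot: The new `workflow_dispatch:` trigger has no inputs and nothing gates the downstream jobs, so any user with write access can start a full chart release plus the private deployment dispatch from any ref selectable in the UI, not only the `development` and `[0-9]+.[0-9]+.x` branches the `push` trigger is limited to. If manual runs are meant for exercising the chain, add a `workflow_dispatch` input that selects a dry run and skip `deploy_ce_onprem` with an `if:` on `github.event.inputs`, or protect the deployment job with an `environment:` that requires reviewers. The `on:` block this hunk modifies starts outside the hunk.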
+++ b/.github/workflows/release.yml @@ -95,5 +95,6 @@ jobs: version: ${{ needs.release.outputs.version }} secrets: DEPLOYMENT_TRIGGER_TOKEN: ${{ secrets.DEPLOYMENT_TRIGGER_TOKEN }} + DEPLOYMENT_REPO: ${{ secrets.DEPLOYMENT_REPO }} SYSTEM_ID: ${{ secrets.SYSTEM_ID }} TEST_PARAMS: ${{ secrets.TEST_PARAMS }} \ No newline at end of file From adf4cfbd407c7eb3387312ca83070581b0ebc856 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Thu, 4 Dec 2025 19:42:56 +0200 Subject: [PATCH 04/10] Update GitHub Actions workflows to use GitHub App for deployment authentication --- .github/workflows/deploy_ce_onprem_public.yaml | 15 ++++++++++++--- .github/workflows/release.yml | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index fe7ec5b9..fcefc113 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml +++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -8,7 +8,9 @@ on: required: true type: string secrets: - DEPLOYMENT_TRIGGER_TOKEN: + GH_APP_ID: + required: true + GH_APP_PRIVATE_KEY: required: true DEPLOYMENT_REPO: required: false @@ -22,6 +24,13 @@ jobs: name: Trigger Deployment in Private Repo runs-on: ubuntu-latest steps: + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Send Repository Dispatch to Private Deployment Repo run: | # Resolve target repo from secret @@ -33,7 +42,7 @@ jobs: curl -X POST \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: token ${{ secrets.DEPLOYMENT_TRIGGER_TOKEN }}" \ + -H "Authorization: token ${{ steps.app-token.outputs.token }}" \ https://api.github.com/repos/${DEPLOYMENT_REPO}/dispatches \ -d "$(jq -n \ --arg version "${{ inputs.version }}" \ 
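Review bot: `actions/create-github-app-token@v1` in the new "Generate GitHub App Token" step is pinned to a moving major tag, and this is the action that receives `GH_APP_PRIVATE_KEY`; pin it to a full commit SHA with the version in a trailing comment, `uses: actions/create-github-app-token@<commit-sha>  # v1`, so a re-pointed tag cannot swap the code that handles the private key, and let Dependabot or Renovate keep the SHA current. The `@v2` bump in PATCH 08 keeps the tag pin, so the same applies there. The `trigger-deployment` job this step is added to begins outside the hunk.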
@@ -51,4 +60,4 @@ jobs: } }')" - echo "Deployment triggered in private repository: ${DEPLOYMENT_REPO}" + echo "Deployment triggered in private repository" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 02bd4b88..dbc6d08f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -94,7 +94,8 @@ jobs: with: version: ${{ needs.release.outputs.version }} secrets: - DEPLOYMENT_TRIGGER_TOKEN: ${{ secrets.DEPLOYMENT_TRIGGER_TOKEN }} + GH_APP_ID: ${{ secrets.GH_APP_ID }} + GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} DEPLOYMENT_REPO: ${{ secrets.DEPLOYMENT_REPO }} SYSTEM_ID: ${{ secrets.SYSTEM_ID }} TEST_PARAMS: ${{ secrets.TEST_PARAMS }} \ No newline at end of file From bc82f3c003e21d6da3a4c4e413a30f1cdd622a9e Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Thu, 4 Dec 2025 19:59:29 +0200 Subject: [PATCH 05/10] Update deployment workflow --- .../workflows/deploy_ce_onprem_public.yaml | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index fcefc113..9b4ae1cf 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml +++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -13,7 +13,7 @@ on: GH_APP_PRIVATE_KEY: required: true DEPLOYMENT_REPO: - required: false + required: true SYSTEM_ID: required: true TEST_PARAMS: 
@@ -24,22 +24,35 @@ jobs: name: Trigger Deployment in Private Repo runs-on: ubuntu-latest steps: + - name: Resolve target repository + id: repo-info + run: | + DEPLOYMENT_REPO="${{ secrets.DEPLOYMENT_REPO }}" + + if [[ "$DEPLOYMENT_REPO" != */* ]]; then + echo "::error::DEPLOYMENT_REPO must be in the form owner/repo." + exit 1 + fi + + OWNER="${DEPLOYMENT_REPO%%/*}" + REPO="${DEPLOYMENT_REPO#*/}" + + echo "owner=$OWNER" >> $GITHUB_OUTPUT + echo "repo=$REPO" >> $GITHUB_OUTPUT + echo "full_name=$DEPLOYMENT_REPO" >> $GITHUB_OUTPUT + - name: Generate GitHub App Token id: app-token uses: actions/create-github-app-token@v1 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ steps.repo-info.outputs.owner }} + repositories: ${{ steps.repo-info.outputs.repo }} - name: Send Repository Dispatch to Private Deployment Repo run: | - # Resolve target repo from secret - DEPLOYMENT_REPO="${{ secrets.DEPLOYMENT_REPO }}" - if [ -z "$DEPLOYMENT_REPO" ]; then - echo "::error::DEPLOYMENT_REPO secret is required but not set." - exit 1 - fi - + DEPLOYMENT_REPO="${{ steps.repo-info.outputs.full_name }}" curl -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: token ${{ steps.app-token.outputs.token }}" \ From de9c698809a2776951762b6dac17ca2d8abdb1f1 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Sun, 7 Dec 2025 13:41:28 +0200 Subject: [PATCH 06/10] Remove TEST_PARAMS from deployment and release workflows --- .github/workflows/deploy_ce_onprem_public.yaml | 2 -- .github/workflows/release.yml | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index 9b4ae1cf..3e562f51 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml +++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -16,8 +16,6 @@ on: required: true SYSTEM_ID: required: true - TEST_PARAMS: - required: false jobs: trigger-deployment: 
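Review bot: The new `repo-info` step splits the `DEPLOYMENT_REPO` secret into `owner` and `repo` step outputs, and GitHub only masks log text that equals a registered secret, so the two fragments are not masked: they appear in clear in the next step's logged `with:` header (`owner:` / `repositories:`), which undoes the point of keeping the repository name secret (PATCH 04 even removed it from the final `echo`). Register the fragments as masks before writing the outputs, `echo "::add-mask::$OWNER"` and `echo "::add-mask::$REPO"`, or stop treating the repository name as a secret and pass it as a plain `workflow_call` input. The `!= */*` test also accepts values such as `owner/repo/extra` or `/repo`; a stricter check is `[[ "$DEPLOYMENT_REPO" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]]`.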
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dbc6d08f..e044d146 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -97,5 +97,4 @@ jobs: GH_APP_ID: ${{ secrets.GH_APP_ID }} GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} DEPLOYMENT_REPO: ${{ secrets.DEPLOYMENT_REPO }} - SYSTEM_ID: ${{ secrets.SYSTEM_ID }} - TEST_PARAMS: ${{ secrets.TEST_PARAMS }} \ No newline at end of file + SYSTEM_ID: ${{ secrets.SYSTEM_ID }} \ No newline at end of file From 3a059f758e57b5c71c81efd9d0d0b7097175bb07 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Sun, 7 Dec 2025 13:48:42 +0200 Subject: [PATCH 07/10] Remove naipi_params from deployment workflow payload --- .github/workflows/deploy_ce_onprem_public.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index 3e562f51..8da54aad 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml +++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -58,14 +58,12 @@ jobs: -d "$(jq -n \ --arg version "${{ inputs.version }}" \ --arg system_id "${{ secrets.SYSTEM_ID }}" \ - --arg naipi_params "${{ secrets.TEST_PARAMS }}" \ '{ event_type: "deploy-ce-onprem", client_payload: { version: $version, system_id: $system_id, run_naipi: true, - naipi_params: $naipi_params, source_repo: "ce", triggered_by: "${{ github.actor }}" } From 1dba114b04f713eb955c92525c228376f9de1444 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 10 Dec 2025 15:38:20 +0200 Subject: [PATCH 08/10] Update GitHub Actions workflow to use v2 of the create-github-app-token action --- .github/workflows/deploy_ce_onprem_public.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index 8da54aad..1af6bd2e 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml 
+++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -41,7 +41,7 @@ jobs: - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@v2 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} From db8b149593a60deaa693796eb7d45d97644cf5d0 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 10 Dec 2025 15:43:45 +0200 Subject: [PATCH 09/10] Add empty permissions block to deployment workflow --- .github/workflows/deploy_ce_onprem_public.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy_ce_onprem_public.yaml b/.github/workflows/deploy_ce_onprem_public.yaml index 1af6bd2e..472f593a 100644 --- a/.github/workflows/deploy_ce_onprem_public.yaml +++ b/.github/workflows/deploy_ce_onprem_public.yaml @@ -17,6 +17,8 @@ on: SYSTEM_ID: required: true +permissions: {} + jobs: trigger-deployment: name: Trigger Deployment in Private Repo From 055aeccc3595ae37ccd338fe8a80ec8485eaa864 Mon Sep 17 00:00:00 2001 From: Tal Haim Date: Wed, 10 Dec 2025 16:01:33 +0200 Subject: [PATCH 10/10] Update release workflow permissions for content access --- .github/workflows/release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e044d146..09fec8f6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,8 @@ name: Release Charts +permissions: + contents: read + on: push: branches: @@ -10,6 +13,8 @@ on: jobs: release: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout
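Review bot: The new top-level `permissions: {}` in the reusable workflow is the right default but is undocumented, and a maintainer who later adds a step that uses `GITHUB_TOKEN` will hit an unexplained 403; add a comment above it such as `# GITHUB_TOKEN is unused here: the dispatch authenticates with the GitHub App installation token minted by the app-token step`. It is also worth stating in that comment that a `workflow_call` workflow can only narrow the permissions its caller grants, never widen them.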
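Review bot: The release job's new `permissions: contents: write` is presumably needed by the step that sets `CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"` (visible in the PATCH 01 hunk) to publish the chart release, but nothing in the file says so; add a comment such as `# the chart release step publishes with GITHUB_TOKEN (CR_TOKEN) and needs contents: write`. The other two jobs, `notify_mlefi` (which authenticates with the `MLEFIGHTRIGGER` PAT) and `deploy_ce_onprem`, make no use of `GITHUB_TOKEN`, so they could declare `permissions: {}` instead of inheriting the workflow-level `contents: read`; both jobs lie outside this hunk.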