ci(e2e): workflow fixes and cleanups for SDS-only PR

yachmenevas · yachmenevas · commit 22b75f5e1431 · 2025-11-16T16:22:38.000+03:00
- use DEV_REGISTRY_DOCKER_CFG only; inject into values; login via docker cfg
- fix GitHub Actions 'if' expressions (no secrets.* in if; use env)
- add Apache-2.0 headers to helper scripts (dmtlint)
- format ci/dvp-e2e/Taskfile.yaml with repo Prettier (prettier)
- trim push triggers to ci-e2e-nested-sds only; remove noisy comments
- keep setup/prepare/cleanup only (tests/report moved to next PR)

Signed-off-by: Anton Yachmenev &lt;anton.yachmenev@flant.com&gt;
diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
@@ -18,6 +18,7 @@ on:
   push:
     branches:
       - chore/ci/e2e-matrix-skeleton
+      - ci-e2e-nested-sds
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
     branches:
@@ -180,47 +181,39 @@ jobs:
             RUN_DIR="${{ env.TMP_ROOT }}/runs/${{ env.RUN_ID }}"
           echo "VALUES_TEMPLATE_FILE=${{ env.TMP_ROOT }}/runs/${{ env.RUN_ID }}/values.yaml" >> $GITHUB_ENV
 
-      - name: Configure registry auth (REGISTRY_DOCKER_CFG)
+      - name: Configure registry auth (DEV_REGISTRY_DOCKER_CFG)
         run: |
-          prod_user="${{ secrets.PROD_READ_REGISTRY_USER }}"
-          prod_pass="${{ secrets.PROD_READ_REGISTRY_PASSWORD }}"
-          dev_user="${{ secrets.BOOTSTRAP_DEV_REGISTRY_LOGIN }}"
-          dev_pass="${{ secrets.BOOTSTRAP_DEV_REGISTRY_PASSWORD }}"
-          echo "::add-mask::$prod_user"
-          echo "::add-mask::$prod_pass"
-          echo "::add-mask::$dev_user"
-          echo "::add-mask::$dev_pass"
-          prod_auth_b64=$(printf '%s:%s' "$prod_user" "$prod_pass" | base64 | tr -d '\n')
-          dev_auth_b64=$(printf '%s:%s' "$dev_user" "$dev_pass" | base64 | tr -d '\n')
-          docker_cfg=$(printf '{"auths":{"registry.deckhouse.io":{"auth":"%s"},"dev-registry.deckhouse.io":{"auth":"%s"}}}' "$prod_auth_b64" "$dev_auth_b64")
-          docker_cfg_b64=$(printf '%s' "$docker_cfg" | base64 | tr -d '\n')
-          echo "::add-mask::$docker_cfg_b64"
-          {
-            echo "REGISTRY_DOCKER_CFG=$docker_cfg_b64"
-            echo "DECKHOUSE_REGISTRY_USER=$prod_user"
-            echo "DECKHOUSE_REGISTRY_PASSWORD=$prod_pass"
-          } >> "$GITHUB_ENV"
+          dev_cfg_b64='${{ secrets.DEV_REGISTRY_DOCKER_CFG }}'
+          if [ -n "$dev_cfg_b64" ]; then
+            echo "::add-mask::$dev_cfg_b64"
+            echo "REGISTRY_DOCKER_CFG=$dev_cfg_b64" >> "$GITHUB_ENV"
+          else
+            echo "[WARN] DEV_REGISTRY_DOCKER_CFG is empty; proceeding without registry cfg"
+          fi
 
       - name: Inject REGISTRY_DOCKER_CFG into values.yaml
+        if: ${{ env.REGISTRY_DOCKER_CFG != '' }}
         working-directory: ci/dvp-e2e
         run: |
           chmod +x scripts/inject_registry_cfg.sh
           VALS="${{ env.TMP_ROOT }}/runs/${{ env.RUN_ID }}/values.yaml"
           REGISTRY_DOCKER_CFG="${REGISTRY_DOCKER_CFG}" scripts/inject_registry_cfg.sh -f "$VALS" -v "$REGISTRY_DOCKER_CFG"
 
-      - name: Docker login to Deckhouse registry
-        uses: docker/login-action@v3
-        with:
-          registry: registry.deckhouse.io
-          username: ${{ env.DECKHOUSE_REGISTRY_USER }}
-          password: ${{ env.DECKHOUSE_REGISTRY_PASSWORD }}
-
-      - name: Docker login to dev-registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ vars.DEV_REGISTRY }}
-          username: ${{ secrets.BOOTSTRAP_DEV_REGISTRY_LOGIN }}
-          password: ${{ secrets.BOOTSTRAP_DEV_REGISTRY_PASSWORD }}
+      - name: Docker login from DEV_REGISTRY_DOCKER_CFG (optional)
+        if: ${{ secrets.DEV_REGISTRY_DOCKER_CFG != '' }}
+        run: |
+          set -euo pipefail
+          cfg=$(printf '%s' '${{ secrets.DEV_REGISTRY_DOCKER_CFG }}' | base64 -d)
+          reg_list=$(printf '%s' "$cfg" | jq -r '.auths | keys[]')
+          for reg in $reg_list; do
+            auth=$(printf '%s' "$cfg" | jq -r --arg r "$reg" '.auths[$r].auth // ""')
+            [ -z "$auth" ] && continue
+            creds=$(printf '%s' "$auth" | base64 -d)
+            user=${creds%%:*}
+            pass=${creds#*:}
+            echo "Logging into $reg"
+            echo "$pass" | docker login "$reg" -u "$user" --password-stdin
+          done
 
       - name: Configure storage profile
         working-directory: ci/dvp-e2e
diff --git a/ci/dvp-e2e/Taskfile.yaml b/ci/dvp-e2e/Taskfile.yaml
@@ -682,8 +682,6 @@ tasks:
           task dhctl-bootstrap VALUES_FILE='{{ .VALUES_FILE }}' TMP_DIR='{{ .TMP_DIR }}' SSH_FILE_NAME='id_ed'
         } 2>&1 | tee '{{ .LOG_FILE }}'
 
-  
-
   # ------------------------------------------------------------
   # Nested cluster helpers (SC + kubeconfig)
   # ------------------------------------------------------------
diff --git a/ci/dvp-e2e/scripts/build_parent_kubeconfig.sh b/ci/dvp-e2e/scripts/build_parent_kubeconfig.sh
@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+
+# Copyright 2025 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 set -euo pipefail
 
 # Usage:
@@ -44,4 +58,3 @@ users:
 EOF
 chmod 600 "$out"
 echo "KUBECONFIG=$out"
-
diff --git a/ci/dvp-e2e/scripts/inject_registry_cfg.sh b/ci/dvp-e2e/scripts/inject_registry_cfg.sh
@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+
+# Copyright 2025 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 set -euo pipefail
 
 # Usage:
