chore: add pac pipeline

l-qing · l-qing · commit d39c33e599c4 · 2025-11-08T16:08:02.000+08:00
diff --git a/.builds/doc-pr-build.yaml b/.builds/doc-pr-build.yaml
diff --git a/.tekton/doc-pr-build.yaml b/.tekton/doc-pr-build.yaml
@@ -0,0 +1,94 @@
+# 3. 创建 pr 触发的流水线以运行文档构建任务
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: doc-pr-build
+  annotations:
+    pipelinesascode.tekton.dev/on-comment: "^(/doc-pr)$"
+    pipelinesascode.tekton.dev/cancel-in-progress: "true"
+    pipelinesascode.tekton.dev/max-keep-runs: "20"
+    pipelinesascode.tekton.dev/on-cel-expression: |-
+      (
+        event == "pull_request" && (
+          target_branch.matches("^(main|master|release-.*)$")
+        )
+      )
+spec:
+  timeouts:
+    pipeline: 1h
+    tasks: 1h
+
+  params:
+    - name: doc-base
+      value: container_platform
+
+    # 下面这些变量都是 pac 触发时自动注入的
+    - name: git-url
+      value: "{{ repo_url }}"
+    - name: git-revision
+      value: "{{ source_branch }}"
+    - name: git-commit
+      value: "{{ revision }}"
+    - name: pull-request-number
+      value: "{{ pull_request_number }}"
+    - name: pull-request-target
+      value: "{{ target_branch }}"
+
+  pipelineRef:
+    resolver: cluster
+    params:
+      - name: kind
+        value: pipeline
+      - name: name
+        value: product-docs-pr-pipeline
+      - name: namespace
+        value: idp-dev
+
+  workspaces:
+    - name: source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: topolvm
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 25Gi
+    - name: cache
+      persistentVolumeClaim:
+        claimName: build-cache
+      subPath: yarn_cache
+
+    # This secret will be replaced by the pac controller
+    - name: basic-auth
+      secret:
+        secretName: "{{ git_auth_secret }}"
+
+  taskRunTemplate:
+    # Default: run tasks as root (UID 0) since most build tasks require root privileges.
+    # Individual tasks can override this as needed (see taskRunSpecs below).
+    podTemplate:
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        fsGroup: 0
+        fsGroupChangePolicy: "OnRootMismatch"
+
+  taskRunSpecs:
+    - pipelineTaskName: git-clone
+      # Override: run git-clone as non-root user for security.
+      podTemplate:
+        securityContext:
+          runAsUser: 65532
+          runAsGroup: 65532
+          fsGroup: 65532
+          fsGroupChangePolicy: "OnRootMismatch"
+
+    - pipelineTaskName: build-docs
+      computeResources:
+        requests:
+          cpu: 2
+          memory: 6Gi
+        limits:
+          cpu: 4
+          memory: 12Gi
diff --git a/.tekton/pr-manage.yaml b/.tekton/pr-manage.yaml
@@ -0,0 +1,72 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: pr-manage
+  annotations:
+    pipelinesascode.tekton.dev/pipeline: "https://raw.githubusercontent.com/AlaudaDevops/toolbox/main/pr-cli/pipeline/pr-manage.yaml"
+    pipelinesascode.tekton.dev/on-comment: "^/(help|rebase|lgtm|remove-lgtm|cherry-?pick|assign|merge|ready|unassign|label|unlabel|check|retest|close|batch|checkbox|checkbox-issue)($|\\s.*)"
+    pipelinesascode.tekton.dev/max-keep-runs: "5"
+spec:
+  pipelineRef:
+    name: pr-manage
+  params:
+    - name: trigger_comment
+      value: "{{ trigger_comment }}"
+    - name: repo_owner
+      value: "{{ repo_owner }}"
+    - name: repo_name
+      value: "{{ repo_name }}"
+    - name: pull_request_number
+      value: "{{ pull_request_number }}"
+    - name: comment_sender
+      value: "{{ sender }}"
+    - name: git_auth_secret
+      value: "{{ git_auth_secret }}"
+    #
+    # Optional parameters (value is the default):
+    #
+    # The key in git_auth_secret that contains the token (default: git-provider-token)
+    # - name: git_auth_secret_key
+    #   value: "git-provider-token"
+    #
+    # Container image for pr-cli tool (default: registry.alauda.cn:60070/devops/toolbox/pr-cli:latest)
+    # - name: image
+    #   value: "registry.alauda.cn:60070/devops/toolbox/pr-cli:latest"
+    #
+    # The /lgtm threshold needed of approvers for a PR to be approved (default: 1)
+    # - name: lgtm_threshold
+    #   value: "1"
+    #
+    # The permissions the user need to trigger a lgtm (default: admin,write)
+    # - name: lgtm_permissions
+    #   value: "admin,write"
+    #
+    # The review event when lgtm is triggered, can be APPROVE,
+    # REQUEST_CHANGES, or COMMENT if setting to empty string it will be set as
+    # PENDING (default: APPROVE)
+    # - name: lgtm_review_event
+    #   value: "APPROVE"
+    #
+    # The merge method to use. Can be one of: merge, squash, rebase (default: squash)
+    # - name: merge_method
+    #   value: "squash"
+    #
+    # The name used for self-check status (default: pr-manage)
+    # - name: self_check_name
+    #   value: "pr-manage"
+    #
+    # Enable debug mode (skip validation, allow PR creator self-approval) (default: false)
+    # - name: debug
+    #   value: "false"
+    #
+    # Enable verbose logging (debug level logs) (default: false)
+    # - name: verbose
+    #   value: "false"
+    #
+    # The platform to use, can be one of: github, gitlab, gitee (default: github)
+    # - name: platform
+    #   value: "github"
+    #
+    # The robot accounts for managing bot approval reviews.
+    # - name: robot_accounts
+    #   value: "alaudabot,dependabot,renovate"
