Update Github Actions Workflows

.github/workflows/_build-image-to-registry.yml

@@ -0,0 +1,43 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Call - Build Images to Registry
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      node:
+        default: "xeon"
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        required: false
+        type: string
+
+jobs:
+  call-build-image-to-registry:
+    runs-on: "docker-build-${{ inputs.node }}"
+    steps:
+      - name: Clean Up Working Directory
+        run: sudo rm -rf ${{github.workspace}}/*
+
+      - name: Get Checkout Ref
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ github.event_name }}" == "pull_request_target" ]; then
+          echo "CHECKOUT_REF=refs/pull/${{ github.event.number }}/merge" >> $GITHUB_ENV
+          else
+            echo "CHECKOUT_REF=${{ github.ref }}" >> $GITHUB_ENV
+          fi
+
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
+          fetch-depth: 0
+
+      - name: Build Image and Push Image
+        run: |
+          sudo apt install ansible -y
+          ansible-playbook build-image-to-registry.yml -e "container_registry=${OPEA_IMAGE_REPO}opea" -e "container_tag=${{ inputs.tag }}"
+        working-directory: ${{ github.workspace }}/setup-scripts/build-image-to-registry/

.github/workflows/_e2e-test.yml

@@ -0,0 +1,97 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Call - E2E Test
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      node:
+        default: "xeon"
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        required: false
+        type: string
+
+jobs:
+  call-e2e-test:
+    runs-on: "k8s-${{ inputs.node }}"
+    steps:
+      - name: Clean Up Working Directory
+        run: sudo rm -rf ${{github.workspace}}/*
+
+      - name: Get Checkout Ref
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ github.event_name }}" == "pull_request_target" ]; then
+          echo "CHECKOUT_REF=refs/pull/${{ github.event.number }}/merge" >> $GITHUB_ENV
+          else
+            echo "CHECKOUT_REF=${{ github.ref }}" >> $GITHUB_ENV
+          fi
+
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.CHECKOUT_REF }}
+          fetch-depth: 0
+
+      - name: Update Manifest
+        run: |
+          find . -type f -name 'studio-manifest.yaml' -exec sed -i 's/value: opea/value: ${REGISTRY}/g' {} \;
+        working-directory: ${{ github.workspace }}/setup-scripts/setup-genai-studio/manifests/
+
+      - name: Deploy GenAI Studio
+        run: |
+          if kubectl get namespace studio; then
+            kubectl delete -f manifests/studio-manifest.yaml || true
+            kubectl wait --for=delete pod --all --namespace=studio --timeout=300s
+          fi
+          if kubectl get namespace monitoring; then
+            kubectl delete -f manifests/monitoring-manifest.yaml || true
+            kubectl wait --for=delete pod --all --namespace=monitoring --timeout=300s
+          fi
+          sleep 5
+          sudo apt install ansible -y
+          ansible-playbook genai-studio.yml -e "container_registry=${OPEA_IMAGE_REPO}opea" -e "container_tag=${{ inputs.tag }}"
+          sleep 5
+          kubectl wait --for=condition=ready pod --all --namespace=studio --timeout=300s --field-selector=status.phase!=Succeeded
+          kubectl wait --for=condition=ready pod --all --namespace=monitoring --timeout=300s --field-selector=status.phase!=Succeeded
+        working-directory: ${{ github.workspace }}/setup-scripts/setup-genai-studio/
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '20.18.0'
+
+      - name: Install Dependencies
+        run: |
+          npm install
+          npx playwright install
+          npx playwright install-deps
+        working-directory: ${{ github.workspace }}/tests/playwright
+
+      - name: Update Playwright Config
+        run: |
+          NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
+          sed -i "s|baseURL:.*|baseURL: \"http://$NODE_IP:30007\",|" playwright.config.js
+        working-directory: ${{ github.workspace }}/tests/playwright
+
+      - name: Run Playwright Tests
+        run: npx playwright test
+        working-directory: ${{ github.workspace }}/tests/playwright
+
+      - name: Upload Test Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-test-results
+          path: ${{ github.workspace }}/tests/playwright/playwright-report
+
+      - name: Cleanup sandbox namespaces
+        if: always()
+        run: |
+          for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep '^sandbox-'); do
+            kubectl delete namespace $ns || true
+          done
+

.github/workflows/manual-docker-build.yml

@@ -0,0 +1,42 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Manual - Docker Build and Test
+on:
+  workflow_dispatch:
+    inputs:
+      nodes:
+        default: "xeon"
+        description: "Hardware to run test"
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        description: "Tag to apply to images"
+        required: true
+        type: string
+      e2e_test:
+        default: true
+        description: "Run E2E test after build"
+        required: false
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-on-manual-dispatch
+  cancel-in-progress: true
+
+jobs:
+  manual-build-images:
+    uses: ./.github/workflows/_build-image-to-registry.yml
+    with:
+      node: ${{ inputs.nodes }}
+      tag: ${{ inputs.tag }}
+    secrets: inherit
+  manual-run-e2e-test:
+    if: ${{ inputs.e2e_test }}
+    uses: ./.github/workflows/_e2e-test.yml
+    needs: manual-build-images
+    with:
+      node: ${{ inputs.nodes }}
+      tag: ${{ inputs.tag }}
+    secrets: inherit

.github/workflows/manual-docker-publish.yml

@@ -0,0 +1,68 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Manual - Publish Docker Images
+on:
+  workflow_dispatch:
+    inputs:
+      node:
+        default: "xeon"
+        description: "Hardware to run test"
+        required: true
+        type: string
+      studio_frontend:
+        description: "Publish studio-frontend image?"
+        required: true
+        type: boolean
+        default: true
+      studio_backend:
+        description: "Publish studio-backend image?"
+        required: true
+        type: boolean
+        default: true
+      app_frontend:
+        description: "Publish app-frontend image?"
+        required: true
+        type: boolean
+        default: true
+      app_backend:
+        description: "Publish app-backend image?"
+        required: true
+        type: boolean
+        default: true
+      tag:
+        default: "rc"
+        description: "Tag to publish, like [1.0rc]"
+        required: true
+        type: string
+      publish_tags:
+        default: "latest,1.x"
+        description: "Comma-separated tag list to apply to published images, like [latest,1.0]"
+        required: false
+        type: string
+
+permissions: read-all
+jobs:
+  publish:
+    strategy:
+      matrix:
+        image: ${{ fromJson('[ "studio-frontend", "studio-backend", "app-frontend", "app-backend" ]') }}
+      fail-fast: false
+    runs-on: "docker-build-${{ inputs.node }}"
+    steps:
+      - uses: docker/[email protected]
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Check if image should be published
+        if: ${{ github.event.inputs[ matrix.image ] == 'true' }}
+        run: echo "Publishing ${{ matrix.image }} image"
+
+      - name: Image Publish
+        if: ${{ github.event.inputs[ matrix.image ] == 'true' }}
+        uses: opea-project/validation/actions/image-publish@main
+        with:
+          local_image_ref: ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
+          image_name: opea/${{ matrix.image }}
+          publish_tags: ${{ inputs.publish_tags }}

.github/workflows/manual-docker-scan.yml

@@ -0,0 +1,103 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Manual - Docker Scan (SBOM and CVE)
+on:
+  workflow_dispatch:
+    inputs:
+      node:
+        default: "xeon"
+        description: "Hardware to run scan"
+        required: true
+        type: string
+      tag:
+        default: "latest"
+        description: "Tag for images to scan"
+        required: true
+        type: string
+      sbom_scan:
+        default: true
+        description: 'Scan images for BoM'
+        required: false
+        type: boolean
+      trivy_scan:
+        default: true
+        description: 'Scan images for CVE'
+        required: false
+        type: boolean
+
+permissions: read-all
+jobs:
+  clean-workspace:
+    runs-on: "docker-build-${{ inputs.node }}"
+    steps:
+      - name: Clean up Working Directory
+        run: |
+          sudo rm -rf ${{github.workspace}}/* || true
+          # docker system prune -f
+
+  manual-docker-scan:
+    needs: clean-workspace
+    runs-on: "docker-build-${{ inputs.node }}"
+    strategy:
+      matrix:
+        image: ["studio-frontend", "studio-backend", "app-frontend", "app-backend"]
+      fail-fast: false
+      max-parallel: 2
+    steps:
+      - name: Pull Image
+        run: |
+          docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
+          echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
+
+      - name: SBOM Scan Container
+        uses: anchore/[email protected]
+        if: ${{ inputs.sbom_scan }}
+        with:
+          image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output-file: ${{ matrix.image }}-sbom-scan.txt
+          format: 'spdx-json'
+
+      - name: Security Scan Container
+        uses: aquasecurity/[email protected]
+        if: ${{ inputs.trivy_scan }}
+        with:
+          image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output: ${{ matrix.image }}-trivy-scan.txt
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Cleanup
+        if: always()
+        run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true
+
+      - name: Collect Logs
+        if: always()
+        run: |
+          mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
+          mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
+
+  upload-artifacts:
+    needs: manual-docker-scan
+    runs-on: "docker-build-${{ inputs.node }}"
+    if: always()
+    steps:
+      - name: Upload SBOM Artifacts
+        uses: actions/[email protected]
+        with:
+          name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
+          path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
+          overwrite: true
+
+      - name: Upload Trivy Artifacts
+        uses: actions/[email protected]
+        with:
+          name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
+          path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
+          overwrite: true
+
+      - name: Remove Logs
+        run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*

.github/workflows/nightly-e2e-test.yml

@@ -0,0 +1,24 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Nightly - E2E test
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "5 18 * * *" # UTC time
+
+jobs:
+  nightly-build-images:
+    uses: ./.github/workflows/_build-image-to-registry.yml
+    with:
+      node: xeon
+      tag: latest
+    secrets: inherit
+  nightly-run-e2e-test:
+    uses: ./.github/workflows/_e2e-test.yml
+    needs: nightly-build-images
+    with:
+      node: xeon
+      tag: latest
+    secrets: inherit