早前，GitHub 发布GitHub Actions项目，开发者可通过 GitHub Actions 存储和搜索代码，部分代码可直接运行。本文尝试使用AWS Lambda和API Gateway作为基本API，编写应用程序原型并用名为gourmet的容器运行函数，虽然这可能不会让代码易于管理，但至少不需要写API或者Web应用程序。

正如Lambda函数在AWS中运行一样，Github Actions是一种强大的管理方式，可直接扩展应用。使用AWS Lambda，可将代码挂接到几乎任何事件上，比如EC2创建、终止、DNS记录更改等，不需要运行服务器，只需加载代码就能正常工作。

本文作者针对此做了一些尝试，但需要CI服务器。为了拥有可测试的kubernetes集群，作者自建私有存储库，目前因内部有些混乱暂不准备开源。

无论如何，以下是项目文件夹:

├── .github
│   ├── actions
│   │   ├── deploy
│   │   │   ├── deploy
│   │   │   └── Dockerfile
│   │   └── dryrun
│   │       ├── Dockerfile
│   │       └── dryrun
│   └── main.workflow
└── kubernetes
    ├── digitalocean.yaml
    ├── external-dns.yaml
    ├── micro.yaml
    ├── namespaces.yaml
    ├── nginx.yaml
    └── openvpn.yaml

kubernetes目录包含集群安装的所有东西。对于此存储库的每次新推送，需要检查是否可用命令kubectl apply -f./kubernetes --dryrun将其应用于kubernetes集群，并且当合并PR时，应用更改。

因此，作者在.github/main.workflow中创办了工作流：

## Workflow defines what we want to call a set of actions.
## For every new push check if the changes can be applied to kubernetes ## using the action called: kubectl dryrun
workflow "after a push check if they apply to kubernetes" {
  on = "push"
  resolves = ["kubectl dryrun"]
}
## When a PR is merged trigger the action: kubectl deploy. To apply the new code to master.
workflow "on merge to master deploy on kubernetes" {
  on = "pull_request"
  resolves = ["kubectl deploy"]
}
## This is the action that checks if the push can be applied to kubernetes
action "kubectl dryrun" {
  uses = "./.github/actions/dryrun"
  secrets = ["KUBECONFIG"]
}
## This is the action that applies the change to kubernetes
action "kubectl deploy" {
  uses = "./.github/actions/deploy"
  secrets = ["KUBECONFIG"]
}

secrets是一组环境变量，可从外部设置值。如果帐户启用GitHub Action，则每个存储库的Setting都会有一个名为secrets的新标签。

本例，作者将KUBECONFIG设置为kubeconfig文件的base64，允许GitHub Action授权给Kubernetes集群。

两个操作类似，第一个操作位于 .github/actions/dryrun目录：

├── .github
    ├── actions
        └── dryrun
            ├── Dockerfile
            └── dryrun

包含一个 Dockerfile

FROM alpine:latest

## The action name displayed by GitHub
LABEL "com.github.actions.name"="kubectl dryrun"
## The description for the action
LABEL "com.github.actions.description"="Check the kubernetes change to apply."
## https://developer.github.com/actions/creating-github-actions/creating-a-docker-container/#supported-feather-icons
LABEL "com.github.actions.icon"="check"
## The color of the action icon
LABEL "com.github.actions.color"="blue"

RUN     apk add --no-cache \
        bash \
        ca-certificates \
        curl \
        git \
        jq

RUN curl -L -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubectl && \
  chmod +x /usr/bin/kubectl && \
  kubectl version --client

COPY dryrun /usr/bin/dryrun
CMD ["dryrun"]

如上所示，只需要一个 Dockerfile，工作原理和 docker类似。Cmd dryrun 在这里是复制的 bash 脚本:

#!/bin/bash

main(){
    echo ">>>> Action started"
    # Decode the secret passed by the action and paste the config in a file.
    echo $KUBECONFIG | base64 -d > ./kubeconfig.yaml
    echo ">>>> kubeconfig created"
    # Check if the kubernetes directory has change
    diff=$(git diff --exit-code HEAD~1 HEAD ./kubernetes)
    if [ $? -eq 1 ]; then
        echo ">>>> Detected a change inside the kubernetes directory"
        # Apply the changes with --dryrun just to validate them
        kubectl apply --kubeconfig ./kubeconfig.yaml --dry-run -f ./kubernetes
    else
        echo ">>>> No changed detected inside the ./kubernetes folder. Nothing to do."
    fi
}

main "$@"

第二个操作和此几乎一样，Dockerfile是相同的，但CMD看起来是这样的:

#!/bin/bash

main(){
    # Decode the secret passed by the action and paste the config in a file.
    echo $KUBECONFIG | base64 -d > ./kubeconfig.yaml
     # Check if it is an event generated by the PR is a merge
    merged=$(jq --raw-output .pull_request.merged "$GITHUB_EVENT_PATH")
    # Retrieve the base branch for the PR because I would like to apply only PR merged to master
    baseRef=$(jq --raw-output .pull_request.base.ref "$GITHUB_EVENT_PATH")

    if [[ "$merged" == "true" ]] && [[ "$baseRef" == "master" ]]; then
        echo ">>>> PR merged into master. Shipping to k8s!"
        kubectl apply --kubeconfig ./kubeconfig.yaml -f ./kubernetes
    else
        echo ">>>> Nothing to do here!"
    fi
}

main "$@"

除此之外，工作流文件还有一个生成器，似乎效果不错。secrets允许开箱即用，并与第三方服务集成，也可用bash做任何想做的事情！

参考链接：https://gianarb.it/blog/kubernetes-github-action

创作场景

如何尝试用 GitHub Actions 项目编写容器应用？