Add GH Workflow that spins up/tears down OCP clusters on IBM Cloud

This is work-in-progress and committed to test the pull-request_target
workflow on approved (manually or automatically) PRs.

.github/workflows/ci-remote-clusters.yaml

@@ -0,0 +1,110 @@
+name: CI (Remote Clusters)
+
+on:
+  # /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below
+  # may allow unauthorized GitHub users to open a “pwn request” and exfiltrate secrets.
+  # As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets,
+  # we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment
+  # will prevent the job from running until it's approved manually by human intervention.
+  pull_request_target:
+    branches: [ main ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
+env:
+  IBM_CLOUD_API_KEY: ${{ secrets.IC_API_KEY }}
+  IBM_CLOUD_REGION: 'eu-de'
+  CLUSTER_NAME: "odo-tests-openshift-cluster-tmp-pr-${{ github.event.number }}"
+  PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+  PR_NUMBER: ${{ github.event.number }}
+
+jobs:
+  authorize:
+    # The 'external' environment is configured with the odo-maintainers team as required reviewers.
+    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
+    # TODO(rm3l): list of authorized users that do not require manual review comes from the maintainers team and various robot accounts that handle automation in the repo => find a better way not to hardcode this list!
+    environment:
+      ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
+      contains(fromJSON('["odo-robot[bot]", "openshift-ci[bot]", "openshift-merge-robot", "openshift-ci-robot", "kadel", "rm3l"]'), github.actor)) &&
+      'internal' || 'external' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ✓
+
+  build_odo:
+    runs-on: ubuntu-latest
+    needs: authorize
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+      - name: Build odo
+        run: make bin
+      - run: |
+          chmod +x ./odo
+          ./odo version
+      - name: 'Upload odo'
+        uses: actions/upload-artifact@v3
+        with:
+          name: odo_bin
+          path: odo
+          retention-days: 1
+          if-no-files-found: error
+
+  openshift_tests:
+    # TODO(rm3l): Test on Windows and test unauth as well?
+    runs-on: ubuntu-latest
+    needs: [authorize, build_odo]
+    env:
+      KUBERNETES: "false"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+      - name: Install IBM Cloud CLI
+        run: |
+          curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+          ibmcloud --version
+          ibmcloud config --check-version=false
+          ibmcloud plugin install -f kubernetes-service
+      - name: Authenticate with IBM Cloud CLI
+        run: ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "$IBM_CLOUD_REGION" --quiet
+      - name: Download odo from previous job
+        uses: actions/download-artifact@v3
+        with:
+          name: odo_bin
+      - name: Set odo in system path
+        run: |
+          chmod a+x ./odo
+          sudo mv ./odo /usr/local/bin/odo
+      - run: ibmcloud ks infra-permissions get --region "$IBM_CLOUD_REGION"
+      - name: Create OpenShift Cluster
+        run: |
+          ibmcloud oc cluster create classic --name "${CLUSTER_NAME}" \
+            --location wdc04 \
+            --version "4.13_openshift" \
+            --flavor b3c.4x16 \
+            --workers 1 \
+            --public-service-endpoint
+      - name: Generate Kubeconfig
+        run: |
+          ibmcloud ks cluster config --cluster "${CLUSTER_NAME}"
+          kubectl config current-context
+      - name: Cluster Integration Tests
+        run: make test-integration-cluster
+      - name: End-to-end Tests
+        run: test-e2e
+      - name: Teardown cluster
+        if: ${{ always() }}
+        run: |
+          ibmcloud oc cluster rm --cluster "${CLUSTER_NAME}" -f --force-delete-storage