Merge pull request #1504 from flux-iac/fix/release-workflow #129
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- 'v*' | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: 'image tag prefix' | |
default: 'rc' | |
required: true | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
env: | |
CONTROLLER: ${{ github.event.repository.name }} | |
LIBCRYPTO_VERSION: "3.3.2-r4" | |
jobs: | |
build-push: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # needed to write releases | |
id-token: write # needed for keyless signing | |
packages: write # needed for ghcr access | |
steps: | |
- name: Check out | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.0.0 | |
- name: Set up yq | |
uses: frenck/action-setup-yq@c4b5be8b4a215c536a41d436757d9feb92836d4f # v1.0.2 | |
with: | |
version: 4.14.1 | |
- name: Setup Kustomize | |
uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main | |
- name: Setup Cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Setup Syft | |
uses: anchore/sbom-action/download-syft@f5e124a5e5e1d497a692818ae907d3c45829d033 # v0.17.3 | |
- name: Prepare | |
id: prep | |
run: | | |
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" | |
if [[ $GITHUB_REF == refs/tags/* ]]; then | |
VERSION=${GITHUB_REF/refs\/tags\//} | |
fi | |
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT" | |
echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT" | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
with: | |
platforms: all | |
- name: Setup Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
with: | |
buildkitd-flags: "--debug" | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish multi-arch tofu-controller container image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
no-cache: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./Dockerfile | |
build-args: | | |
LIBCRYPTO_VERSION=${{ env.LIBCRYPTO_VERSION }} | |
platforms: linux/amd64,linux/arm64 #,linux/arm/v7 | |
tags: | | |
ghcr.io/flux-iac/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} | |
ghcr.io/flux-iac/${{ env.CONTROLLER }}:latest | |
labels: | | |
org.opencontainers.image.title=${{ github.event.repository.name }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} | |
- name: Publish multi-arch tf-runner base image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./runner-base.Dockerfile | |
build-args: | | |
LIBCRYPTO_VERSION=${{ env.LIBCRYPTO_VERSION }} | |
platforms: linux/amd64,linux/arm64 #,linux/arm/v7 | |
tags: | | |
ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}-base | |
labels: | | |
org.opencontainers.image.title=${{ github.event.repository.name }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} | |
- name: Publish multi-arch tf-runner container image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
no-cache: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./runner.Dockerfile | |
platforms: linux/amd64,linux/arm64 #,linux/arm/v7 | |
build-args: | | |
BASE_IMAGE=ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}-base | |
tags: | | |
ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }} | |
ghcr.io/flux-iac/tf-runner:latest | |
labels: | | |
org.opencontainers.image.title=${{ github.event.repository.name }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} | |
- name: Publish multi-arch tf-runner-azure container image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
no-cache: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./runner-azure.Dockerfile | |
platforms: linux/amd64,linux/arm64 #,linux/arm/v7 - azure-cli does not install correctly on 32 bit arm | |
build-args: | | |
BASE_IMAGE=ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}-base | |
tags: | | |
ghcr.io/flux-iac/tf-runner-azure:${{ steps.prep.outputs.VERSION }} | |
ghcr.io/flux-iac/tf-runner-azure:latest | |
labels: | | |
org.opencontainers.image.title=${{ github.event.repository.name }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} | |
- name: Publish multi-arch branch-planner container image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
no-cache: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./planner.Dockerfile | |
build-args: | | |
LIBCRYPTO_VERSION=${{ env.LIBCRYPTO_VERSION }} | |
platforms: linux/amd64,linux/arm64 #,linux/arm/v7 - azure-cli does not install correctly on 32 bit arm | |
tags: | | |
ghcr.io/flux-iac/branch-planner:${{ steps.prep.outputs.VERSION }} | |
ghcr.io/flux-iac/branch-planner:latest | |
labels: | | |
org.opencontainers.image.title=${{ github.event.repository.name }} | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.url=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} | |
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }} | |
- name: Check images | |
run: | | |
docker buildx imagetools inspect ghcr.io/flux-iac/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} | |
docker pull ghcr.io/flux-iac/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} | |
docker buildx imagetools inspect ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }} | |
docker pull ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }} | |
docker buildx imagetools inspect ghcr.io/flux-iac/tf-runner-azure:${{ steps.prep.outputs.VERSION }} | |
docker pull ghcr.io/flux-iac/tf-runner-azure:${{ steps.prep.outputs.VERSION }} | |
docker buildx imagetools inspect ghcr.io/flux-iac/branch-planner:${{ steps.prep.outputs.VERSION }} | |
docker pull ghcr.io/flux-iac/branch-planner:${{ steps.prep.outputs.VERSION }} | |
- name: Sign images | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
cosign sign --yes ghcr.io/flux-iac/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} | |
cosign sign --yes ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}-base | |
cosign sign --yes ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }} | |
cosign sign --yes ghcr.io/flux-iac/tf-runner-azure:${{ steps.prep.outputs.VERSION }} | |
cosign sign --yes ghcr.io/flux-iac/branch-planner:${{ steps.prep.outputs.VERSION }} | |
- name: Generate release manifests | |
if: startsWith(github.ref, 'refs/tags/v') | |
run: | | |
mkdir -p config/release | |
kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml | |
kustomize build ./config/rbac > ./config/release/${{ env.CONTROLLER }}.rbac.yaml | |
kustomize build ./config/manager | yq e '.spec.template.spec.containers[0].env[1].value="ghcr.io/flux-iac/tf-runner:${{ steps.prep.outputs.VERSION }}"' - > ./config/release/${{ env.CONTROLLER }}.deployment.yaml | |
kustomize build ./config/package > ./config/release/${{ env.CONTROLLER }}.packages.yaml | |
echo '[CHANGELOG](https://github.com/flux-iac/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md | |
- name: Setup Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
go-version-file: go.mod | |
- name: Create release | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 | |
with: | |
version: '~> v2' | |
args: release --release-notes=./config/release/notes.md --skip=validate | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.TF_CONTROLLER_WEAVEWORKSBOT }} | |
- name: Publish Helm chart | |
uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Trigger the release-runners workflow | |
run: | | |
curl -XPOST -u "${{ secrets.GITHUB_TOKEN }}:" \ | |
-H "Accept: application/vnd.github.everest-preview+json" \ | |
"https://api.github.com/repos/${{ github.repository }}/dispatches" \ | |
-d '{ | |
"event_type": "release-runners", | |
"client_payload": { | |
"controller": "${{ env.CONTROLLER }}", | |
"version": "${{ steps.prep.outputs.VERSION }}", | |
"build_date": "${{ steps.prep.outputs.BUILD_DATE }}", | |
"sha": "${{ github.sha }}", | |
"repo_desc": "${{ github.event.repository.description }}", | |
"repo_url": "${{ github.event.repository.html_url }}" | |
} | |
}' |