.github/workflows/release.yaml

name: Publish Kata release artifacts
on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  build-and-push-assets-amd64:
    uses: ./.github/workflows/release-amd64.yaml
    with:
      target-arch: amd64
    secrets: inherit

  build-and-push-assets-arm64:
    uses: ./.github/workflows/release-arm64.yaml
    with:
      target-arch: arm64
    secrets: inherit

  build-and-push-assets-s390x:
    uses: ./.github/workflows/release-s390x.yaml
    with:
      target-arch: s390x
    secrets: inherit

  build-and-push-assets-ppc64le:
    uses: ./.github/workflows/release-ppc64le.yaml
    with:
      target-arch: ppc64le
    secrets: inherit

  publish-multi-arch-images:
    runs-on: ubuntu-latest
    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Login to Kata Containers docker.io
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Kata Containers quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - name: Push multi-arch manifest
        run: |
          # tag the container image we created and push to DockerHub
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tags=($tag)
          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
          # push to quay.io and docker.io
          for tag in ${tags[@]}; do
            docker manifest create quay.io/kata-containers/kata-deploy:${tag} \
              --amend quay.io/kata-containers/kata-deploy:${tag}-amd64 \
              --amend quay.io/kata-containers/kata-deploy:${tag}-arm64 \
              --amend quay.io/kata-containers/kata-deploy:${tag}-s390x \
              --amend quay.io/kata-containers/kata-deploy:${tag}-ppc64le

            docker manifest create docker.io/katadocker/kata-deploy:${tag} \
              --amend docker.io/katadocker/kata-deploy:${tag}-amd64 \
              --amend docker.io/katadocker/kata-deploy:${tag}-arm64 \
              --amend docker.io/katadocker/kata-deploy:${tag}-s390x \
              --amend docker.io/katadocker/kata-deploy:${tag}-ppc64le

            docker manifest push quay.io/kata-containers/kata-deploy:${tag}
            docker manifest push docker.io/katadocker/kata-deploy:${tag}
          done

  upload-multi-arch-static-tarball:
    needs: publish-multi-arch-images
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: download-artifacts-amd64
        uses: actions/download-artifact@v3
        with:
          name: kata-static-tarball-amd64
      - name: push amd64 static tarball to github
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-static-$tag-amd64.tar.xz"
          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
          pushd $GITHUB_WORKSPACE
          echo "uploading asset '${tarball}' for tag: ${tag}"
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} gh release upload "${tag}" "${tarball}"
          popd

      - name: download-artifacts-arm64
        uses: actions/download-artifact@v3
        with:
          name: kata-static-tarball-arm64
      - name: push arm64 static tarball to github
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-static-$tag-arm64.tar.xz"
          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
          pushd $GITHUB_WORKSPACE
          echo "uploading asset '${tarball}' for tag: ${tag}"
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} gh release upload "${tag}" "${tarball}"
          popd

      - name: download-artifacts-s390x
        uses: actions/download-artifact@v3
        with:
          name: kata-static-tarball-s390x
      - name: push s390x static tarball to github
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-static-$tag-s390x.tar.xz"
          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
          pushd $GITHUB_WORKSPACE
          echo "uploading asset '${tarball}' for tag: ${tag}"
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} gh release upload "${tag}" "${tarball}"
          popd

      - name: download-artifacts-ppc64le
        uses: actions/download-artifact@v3
        with:
          name: kata-static-tarball-ppc64le
      - name: push ppc64le static tarball to github
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-static-$tag-ppc64le.tar.xz"
          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
          pushd $GITHUB_WORKSPACE
          echo "uploading asset '${tarball}' for tag: ${tag}"
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
          popd

  upload-versions-yaml:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: upload versions.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          pushd $GITHUB_WORKSPACE
          versions_file="kata-containers-$tag-versions.yaml"
          cp versions.yaml ${versions_file}
          gh release upload "${tag}" "${versions_file}"
          popd

  upload-cargo-vendored-tarball:
    needs: upload-multi-arch-static-tarball
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: generate-and-upload-tarball
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-containers-$tag-vendor.tar.gz"
          pushd $GITHUB_WORKSPACE
          bash -c "tools/packaging/release/generate_vendor.sh ${tarball}"
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} gh release upload "${tag}" "${tarball}"
          popd

  upload-libseccomp-tarball:
    needs: upload-cargo-vendored-tarball
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: download-and-upload-tarball
        env:
          GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
          GOPATH: ${HOME}/go
        run: |
          pushd $GITHUB_WORKSPACE
          ./ci/install_yq.sh
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          versions_yaml="versions.yaml"
          version=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.version")
          repo_url=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.url")
          download_url="${repo_url}/releases/download/v${version}"
          tarball="libseccomp-${version}.tar.gz"
          asc="${tarball}.asc"
          curl -sSLO "${download_url}/${tarball}"
          curl -sSLO "${download_url}/${asc}"
          gh release upload "${tag}" "${tarball}"
          gh release upload "${tag}" "${asc}"
          popd