Prepare for Fleet v4.62.0 (#25091) #177
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
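---
# Release workflow: builds and signs the Fleet release with GoReleaser on a
# `fleet-*` tag push, attests the artifacts and images, and mirrors the
# fleet image to quay.io.
name: goreleaser

on:
  push:
    tags:
      - "fleet-*"

# This allows a subsequently queued workflow run to interrupt previous runs.
# NOTE(review): on a tag push `github.head_ref` is empty, so the group falls
# back to the run id and an in-progress release is never cancelled — confirm
# that is the intent.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

# Workflow-level token is read-only; the release job widens it below.
permissions:
  contents: read

jobs:
  goreleaser:
    # NOTE(review): ubuntu-20.04 hosted images are past GitHub's announced
    # retirement — confirm this larger-runner label still resolves.
    runs-on: ubuntu-20.04-4-cores
    environment: Docker Hub
    # contents/packages: publish the release and images.
    # id-token/attestations: sign build provenance with this run's OIDC identity.
    permissions:
      contents: write
      id-token: write
      attestations: write
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # `audit` logs egress without blocking it; switch to `block` with an
          # allow-list once the release's outbound hosts are known.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0 # Needed for goreleaser

      - name: Login to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version-file: "go.mod"

      - name: Set up Node.js
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
        with:
          node-version-file: package.json

      - name: Install JS Dependencies
        run: make deps-js

      - name: Install Go Dependencies
        run: make deps-go

      - name: Install macOS signing + notarization tools
        run: |
          pushd /tmp
          readonly version="0.27.0"
          readonly codesign_package="apple-codesign-${version}-x86_64-unknown-linux-musl.tar.gz"
          # --fail: an HTTP error must abort here instead of saving an error page
          # as the archive and failing later at the checksum step.
          curl --fail -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}"
          curl --fail -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}.sha256"
          # The .sha256 file comes from the same release as the archive, so this
          # detects a corrupted download, not a substituted one. Pinning the
          # expected digest in this workflow would also cover the latter.
          echo "$(cat "${codesign_package}.sha256") ${codesign_package}" | sha256sum --quiet --strict --check -
          tar --extract --strip-components 1 --file "${codesign_package}"
          mkdir -p "${HOME}/.bin"
          mv rcodesign "${HOME}/.bin/"
          echo "${HOME}/.bin" >> "${GITHUB_PATH}"
          popd

      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
        with:
          distribution: goreleaser-pro
          version: "~> 2"
          args: release --clean -f .goreleaser.yml
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
          APPLE_APP_STORE_CONNECT_KEY: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY }}
          APPLE_APP_STORE_CONNECT_KEY_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY_ID }}
          APPLE_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}

      - name: Attest binaries and archives
        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
        with:
          subject-path: "dist/**"

      # Get the commit hash so we can get image digests
      - name: Get the short commit hash
        id: commit
        run: echo "short_commit=$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"

      # Get the image digests from the goreleaser artifacts
      # Adapted from https://github.com/goreleaser/goreleaser/issues/4852#issuecomment-2122790132
      - name: Get image digests
        continue-on-error: true
        id: image_digests
        # Step outputs are passed through `env` instead of being interpolated
        # with `${{ }}` into the script, so the shell and jq only ever see them
        # as data, never as syntax.
        env:
          SHORT_COMMIT: ${{ steps.commit.outputs.short_commit }}
        run: |
          # Print the digest of the published image whose name contains $1.
          digest_for() {
            jq -r --arg name "$1" \
              '.[] | select(.type == "Published Docker Image" and (.name | contains($name))) | select(. != null) | .extra.Digest' \
              ./dist/artifact.json
          }
          echo "digest_fleet=$(digest_for "fleetdm/fleet:${SHORT_COMMIT}")" >> "${GITHUB_OUTPUT}"
          echo "digest_fleetctl=$(digest_for "fleetdm/fleetctl:${SHORT_COMMIT}")" >> "${GITHUB_OUTPUT}"

      # continue-on-error: an attestation failure (e.g. an empty digest from the
      # step above) is logged but does not fail the release.
      - name: Attest Fleet image
        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
        continue-on-error: true
        with:
          subject-digest: ${{ steps.image_digests.outputs.digest_fleet }}
          subject-name: "fleetdm/fleet"
          push-to-registry: true

      - name: Attest FleetCtl image
        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
        continue-on-error: true
        with:
          subject-digest: ${{ steps.image_digests.outputs.digest_fleetctl }}
          subject-name: "fleetdm/fleetctl"
          push-to-registry: true

      # The pushed tag minus its `fleet-` prefix is the image tag.
      - name: Get tag
        id: docker
        run: |
          echo "TAG=$(git describe --tags | sed -e "s/^fleet-//")" >> "${GITHUB_OUTPUT}"

      - name: List tags for push
        env:
          TAG: ${{ steps.docker.outputs.TAG }}
        run: |
          echo "The following TAGs are to be pushed: ${TAG}"

      - name: Login to quay.io
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          registry: quay.io
          username: fleetdm+fleetreleaser
          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}

      - name: Tag and push to quay.io
        # Handed over via `env` so a tag name is never expanded into shell syntax.
        env:
          TAGS: ${{ steps.docker.outputs.TAG }}
        run: |
          # ${TAGS} is left unquoted on purpose: as before, the output is
          # treated as a whitespace-separated list of tags.
          for TAG in ${TAGS}; do
            docker tag "fleetdm/fleet:${TAG}" "quay.io/fleetdm/fleet:${TAG}"
            docker push "quay.io/fleetdm/fleet:${TAG}"
          done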