Merge pull request #209 from salasberryfin/fix-cr-token-release-action #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 | |
| permissions: | |
| contents: write # Allow to create a release. | |
| jobs: | |
| build-ghcr: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| multiarch_image: ${{ steps.ghcr-images.outputs.multiarch_image }} | |
| multiarch_digest: ${{ steps.ghcr-images.outputs.multiarch_digest }} | |
| amd64_image: ${{ steps.ghcr-images.outputs.amd64_image }} | |
| amd64_digest: ${{ steps.ghcr-images.outputs.amd64_digest }} | |
| arm64_digest: ${{ steps.ghcr-images.outputs.arm64_digest }} | |
| arm64_image: ${{ steps.ghcr-images.outputs.arm64_image }} | |
| s390x_image: ${{ steps.ghcr-images.outputs.s390x_image }} | |
| s390x_digest: ${{ steps.ghcr-images.outputs.s390x_digest }} | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| REGISTRY: ghcr.io | |
| USERNAME: ${{ github.actor }} | |
| ORG: rancher-sandbox | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: setupGo | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '=1.20.7' | |
| - name: Docker login to ghcr registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ env.USERNAME }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build docker image for gh registry | |
| run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }} | |
| - name: Push docker image to gh registry | |
| run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }} | |
| - name: Store list of ghcr images and digests | |
| id: ghcr-images | |
| run: | | |
| ./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }} | |
| ghcr-sign: | |
| runs-on: ubuntu-latest | |
| needs: [build-ghcr] | |
| permissions: | |
| packages: write | |
| id-token: write | |
| strategy: | |
| matrix: | |
| images: [ | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.multiarch_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.amd64_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.arm64_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.s390x_image }}", | |
| } | |
| ] | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| REGISTRY: ghcr.io | |
| USERNAME: ${{ github.actor }} | |
| ORG: rancher-sandbox | |
| steps: | |
| - name: Docker login to ghcr registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ env.USERNAME }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: sigstore/cosign-installer@v3.1.2 | |
| - name: Sign manifests | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign sign --yes ${{ matrix.images.image }} | |
| - name: Verify pushed ghcr images | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
| ghcr-provenance: | |
| needs: [build-ghcr, ghcr-sign] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| matrix: | |
| images: [ | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.multiarch_image }}", | |
| "digest":"${{ needs.build-ghcr.outputs.multiarch_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.amd64_image }}", | |
| "digest":"${{ needs.build-ghcr.outputs.amd64_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.arm64_image }}", | |
| "digest":"${{ needs.build-ghcr.outputs.arm64_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-ghcr.outputs.s390x_image }}", | |
| "digest":"${{ needs.build-ghcr.outputs.s390x_digest }}" | |
| } | |
| ] | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 | |
| with: | |
| image: ${{ matrix.images.image }} | |
| digest: ${{ matrix.images.digest }} | |
| secrets: | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| build-prod: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| multiarch_image: ${{ steps.prod-images.outputs.multiarch_image }} | |
| multiarch_digest: ${{ steps.prod-images.outputs.multiarch_digest }} | |
| amd64_image: ${{ steps.prod-images.outputs.amd64_image }} | |
| amd64_digest: ${{ steps.prod-images.outputs.amd64_digest }} | |
| arm64_digest: ${{ steps.prod-images.outputs.arm64_digest }} | |
| arm64_image: ${{ steps.prod-images.outputs.arm64_image }} | |
| s390x_image: ${{ steps.prod-images.outputs.s390x_image }} | |
| s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }} | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }} | |
| PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | |
| PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | |
| PROD_ORG: rancher-sandbox | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: setupGo | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '=1.20.7' | |
| - name: Prepare environment for prod registry | |
| run: | | |
| echo "PROD_REGISTRY=${PROD_REGISTRY/https:\/\//}" >> $GITHUB_ENV | |
| - name: Docker login to prod registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.PROD_REGISTRY }} | |
| username: ${{ env.PROD_USERNAME }} | |
| password: ${{ env.PROD_PASSWORD }} | |
| - name: Build docker image for prod registry | |
| run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} | |
| - name: Push docker image to prod registry | |
| run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} | |
| - name: Store list of prod images and digests | |
| id: prod-images | |
| run: | | |
| ./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }} | |
| prod-sign: | |
| runs-on: ubuntu-latest | |
| needs: [build-prod] | |
| strategy: | |
| matrix: | |
| images: [ | |
| { | |
| "image":"${{ needs.build-prod.outputs.multiarch_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.amd64_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.arm64_image }}", | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.s390x_image }}", | |
| } | |
| ] | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| PROD_REGISTRY: registry.rancher.com/rancher | |
| PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | |
| PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | |
| steps: | |
| - name: Docker login to prod registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.PROD_REGISTRY }} | |
| username: ${{ env.PROD_USERNAME }} | |
| password: ${{ env.PROD_PASSWORD }} | |
| - uses: sigstore/cosign-installer@v3.1.2 | |
| - name: Sign manifests | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign sign --yes ${{ matrix.images.image }} | |
| - name: Verify pushed ghcr images | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
| prod-provenance: | |
| needs: [build-prod, prod-sign] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| matrix: | |
| images: [ | |
| { | |
| "image":"${{ needs.build-prod.outputs.multiarch_image }}", | |
| "digest":"${{ needs.build-prod.outputs.multiarch_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.amd64_image }}", | |
| "digest":"${{ needs.build-prod.outputs.amd64_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.arm64_image }}", | |
| "digest":"${{ needs.build-prod.outputs.arm64_digest }}" | |
| }, | |
| { | |
| "image":"${{ needs.build-prod.outputs.s390x_image }}", | |
| "digest":"${{ needs.build-prod.outputs.s390x_digest }}" | |
| } | |
| ] | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 | |
| with: | |
| image: ${{ matrix.images.image }} | |
| digest: ${{ matrix.images.digest }} | |
| secrets: | |
| registry-username: ${{ secrets.REGISTRY_USERNAME }} | |
| registry-password: ${{ secrets.REGISTRY_PASSWORD }} | |
| release: | |
| name: Create helm release | |
| needs: [prod-provenance] | |
| runs-on: ubuntu-latest | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }} | |
| PROD_ORG: rancher-sandbox | |
| RELEASE_DIR: .cr-release-packages | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| - name: Prepare environment for prod registry | |
| run: | | |
| echo "PROD_REGISTRY=${PROD_REGISTRY/https:\/\//}" >> $GITHUB_ENV | |
| - name: Package operator chart | |
| run: RELEASE_TAG=${GITHUB_REF##*/} CHART_PACKAGE_DIR=${RELEASE_DIR} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} make release | |
| - name: Install chart-releaser | |
| uses: helm/chart-releaser-action@v1.5.0 | |
| with: | |
| install_only: true | |
| - name: Prepare environment for the chart releaser | |
| run: | | |
| echo "CR_OWNER=$(cut -d '/' -f 1 <<< $GITHUB_REPOSITORY)" >> $GITHUB_ENV | |
| echo "CR_GIT_REPO=$(cut -d '/' -f 2 <<< $GITHUB_REPOSITORY)" >> $GITHUB_ENV | |
| rm -rf .cr-index | |
| mkdir -p .cr-index | |
| - name: Run chart-releaser upload | |
| run: cr upload --skip-existing -c "$(git rev-parse HEAD)" --generate-release-notes --release-name-template "${{ env.TAG }}" --make-release-latest=false | |
| - name: Run chart-releaser index | |
| run: cr index --push --release-name-template "${{ env.TAG }}" |