This repository has been archived by the owner on Aug 3, 2023. It is now read-only.
Merge pull request #40 from epinio/updating-node-releaseyaml #39
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
tags: | |
- "v*" | |
workflow_dispatch: | |
inputs: | |
ui_bundle_url: | |
description: "ui_bundle_url" | |
required: false | |
type: string | |
env: | |
SETUP_GO_VERSION: '1.18' | |
SETUP_NODE_VERSION: '16' | |
jobs: | |
release: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # This is the key for OIDC! | |
contents: write | |
packages: write | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
fetch-depth: 0 | |
- | |
name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
cache: false | |
go-version: ${{ env.SETUP_GO_VERSION }} | |
- | |
name: Set up Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.SETUP_NODE_VERSION }} | |
- | |
name: Install yarn | |
run: npm install --global yarn | |
- | |
uses: anchore/sbom-action/download-syft@v0.13.1 | |
- | |
uses: sigstore/cosign-installer@v2.8.1 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- | |
name: Login to GitHub Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Get current tag | |
id: get_tag | |
run: echo "TAG=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT | |
# if the ui_bundle_url is defined download and unpack the dashboard | |
- | |
name: Download dashboard | |
if: ${{ github.event.inputs.ui_bundle_url != '' }} | |
run: | | |
mkdir ui | |
wget "${{ github.event.inputs.ui_bundle_url }}" | |
tar xfz *.tar.gz -C ui | |
# otherwise fetch and build the latest dashboard from the repository | |
- | |
name: Checkout Rancher Dashboard UI | |
if: ${{ github.event.inputs.ui_bundle_url == '' }} | |
uses: actions/checkout@v3 | |
with: | |
repository: epinio/ui | |
ref: ${{ steps.get_tag.outputs.TAG }} | |
submodules: recursive | |
fetch-depth: 0 | |
path: epinio-ui | |
- | |
name: Build Epinio dashboard | |
if: ${{ github.event.inputs.ui_bundle_url == '' }} | |
# go to the repo's directory, build the ui, move the build to `ui` in the workflow root (as per location when downloading from url) | |
run: | | |
pushd epinio-ui | |
./.github/workflows/scripts/build-ui.sh | |
mv dashboard/$OUTPUT_DIR/$ARTIFACT_NAME ../ui | |
popd | |
rm -rf epinio-ui | |
env: | |
RANCHER_ENV: epinio | |
EXCLUDES_PKG: rancher-components,harvester | |
EXCLUDE_OPERATOR_PKG: true | |
OUTPUT_DIR: dist | |
RELEASE_DIR: release | |
ARTIFACT_NAME: rancher-dashboard-epinio-standalone | |
NODE_OPTIONS: "--max-old-space-size=4096" | |
LOGIN_LOCALE_SELECTOR: false | |
- | |
name: Run GoReleaser Cross | |
run: ./build/bk-release.sh release --rm-dist | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UI_BUNDLE_URL: "${{ github.event.inputs.ui_bundle_url }}" | |
# The "id-token: write" permission for the OIDC will set the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN | |
# environment variables. Since we are running goreleaser-cross from a Docker image we need to pass those to the script and the container. | |
# See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc | |
ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }} | |
ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }} | |
- | |
name: Verify signatures on the generated docker images and manifests | |
id: verify_signatures | |
run: | | |
cosign verify ghcr.io/epinio/epinio-ui:${{ steps.get_tag.outputs.TAG }} | |
cosign verify ghcr.io/epinio/epinio-ui:latest | |
env: | |
DOCKER_CLI_EXPERIMENTAL: enabled | |
COSIGN_EXPERIMENTAL: 1 | |
# Allow to release Epinio UI Helm chart automatically when we release Epinio. | |
# The tag is sent to the Helm chart repo. | |
- | |
name: Repository Dispatch | |
uses: peter-evans/repository-dispatch@v1 | |
with: | |
token: ${{ secrets.CHART_REPO_ACCESS_TOKEN }} | |
repository: epinio/helm-charts | |
event-type: epinio-ui-release | |
client-payload: '{"ref": "${{ steps.get_tag.outputs.TAG }}"}' |