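# Release workflow: on a pushed `v*` tag (or a manual dispatch) it prepares the
# dashboard UI, runs ./build/bk-release.sh, verifies the cosign signatures on
# the published ghcr.io/epinio/epinio-ui images and then notifies the Helm
# chart repository.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      ui_bundle_url:
        description: "ui_bundle_url"
        required: false
        type: string

env:
  SETUP_GO_VERSION: '1.18'
  SETUP_NODE_VERSION: '16'

jobs:
  release:
    runs-on: ubuntu-latest
    # Token scopes are declared on the job, so only this job receives them.
    permissions:
      id-token: write  # lets the job request an OIDC token (used for keyless signing)
      contents: write
      packages: write
    steps:
      # NOTE(review): every action below is referenced by a mutable tag. This job
      # holds write permissions and secrets, so pinning each `uses:` to a full
      # commit SHA would stop a retagged action from changing what runs here.
      - name: Checkout
        uses: actions/checkout@v3
        with:
          submodules: recursive
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          cache: false
          go-version: ${{ env.SETUP_GO_VERSION }}

      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ env.SETUP_NODE_VERSION }}

      - name: Install yarn
        run: npm install --global yarn

      - uses: anchore/sbom-action/download-syft@v0.13.1

      - uses: sigstore/cosign-installer@v2.8.1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to GitHub Docker Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Strips the `refs/tags/` prefix from the ref and exposes the rest as the
      # TAG step output. On a manual dispatch started from a branch, GITHUB_REF is
      # `refs/heads/<branch>` and is passed through unchanged.
      - name: Get current tag
        id: get_tag
        run: echo "TAG=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"

      # if the ui_bundle_url is defined download and unpack the dashboard
      #
      # The URL is handed to the script through an environment variable rather
      # than expanded into the script text, so shell metacharacters in the input
      # are never parsed as commands.
      # NOTE(review): the bundle comes from a caller-supplied URL and is unpacked
      # into the release with no checksum or signature check; consider requiring
      # an expected digest alongside the URL.
      - name: Download dashboard
        if: ${{ github.event.inputs.ui_bundle_url != '' }}
        run: |
          mkdir ui
          wget -- "$UI_BUNDLE_URL"
          tar xfz *.tar.gz -C ui
        env:
          UI_BUNDLE_URL: "${{ github.event.inputs.ui_bundle_url }}"

      # otherwise fetch and build the latest dashboard from the repository
      - name: Checkout Rancher Dashboard UI
        if: ${{ github.event.inputs.ui_bundle_url == '' }}
        uses: actions/checkout@v3
        with:
          repository: epinio/ui
          ref: ${{ steps.get_tag.outputs.TAG }}
          submodules: recursive
          fetch-depth: 0
          path: epinio-ui

      # go to the repo's directory, build the ui, move the build to `ui` in the
      # workflow root (as per location when downloading from url)
      - name: Build Epinio dashboard
        if: ${{ github.event.inputs.ui_bundle_url == '' }}
        run: |
          pushd epinio-ui
          ./.github/workflows/scripts/build-ui.sh
          mv "dashboard/$OUTPUT_DIR/$ARTIFACT_NAME" ../ui
          popd
          rm -rf epinio-ui
        env:
          RANCHER_ENV: epinio
          EXCLUDES_PKG: rancher-components,harvester
          EXCLUDE_OPERATOR_PKG: "true"
          OUTPUT_DIR: dist
          RELEASE_DIR: release
          ARTIFACT_NAME: rancher-dashboard-epinio-standalone
          NODE_OPTIONS: "--max-old-space-size=4096"
          LOGIN_LOCALE_SELECTOR: "false"

      - name: Run GoReleaser Cross
        run: ./build/bk-release.sh release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          UI_BUNDLE_URL: "${{ github.event.inputs.ui_bundle_url }}"
          # The "id-token: write" permission for the OIDC will set the
          # ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN
          # environment variables. Since we are running goreleaser-cross from a
          # Docker image we need to pass those to the script and the container.
          # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc
          # NOTE(review): the `env` context is documented as holding only variables
          # defined in the workflow, job or step; confirm these two expressions
          # resolve to the runner-provided values and not to empty strings.
          ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
          ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}

      # The tag reaches the script through an environment variable so that a tag
      # name containing shell metacharacters cannot alter the command line.
      # NOTE(review): no signer identity or OIDC issuer is pinned, so this shows
      # that some valid keyless signature exists, not that this workflow made it.
      # Consider constraining the certificate identity and issuer (for example
      # with `--certificate-oidc-issuer`).
      - name: Verify signatures on the generated docker images and manifests
        id: verify_signatures
        run: |
          cosign verify "ghcr.io/epinio/epinio-ui:${RELEASE_TAG}"
          cosign verify ghcr.io/epinio/epinio-ui:latest
        env:
          RELEASE_TAG: ${{ steps.get_tag.outputs.TAG }}
          DOCKER_CLI_EXPERIMENTAL: enabled
          COSIGN_EXPERIMENTAL: "1"

      # Allow to release Epinio UI Helm chart automatically when we release Epinio.
      # The tag is sent to the Helm chart repo.
      - name: Repository Dispatch
        uses: peter-evans/repository-dispatch@v1
        with:
          token: ${{ secrets.CHART_REPO_ACCESS_TOKEN }}
          repository: epinio/helm-charts
          event-type: epinio-ui-release
          client-payload: '{"ref": "${{ steps.get_tag.outputs.TAG }}"}'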