Skip to content

Commit

Permalink
Refactor release workflow to be reusable
Browse files Browse the repository at this point in the history
Signed-off-by: Danil Grigorev <danil.grigorev@suse.com>
  • Loading branch information
Danil-Grigorev committed Oct 26, 2023
1 parent a06f1d6 commit 9f6059a
Show file tree
Hide file tree
Showing 4 changed files with 255 additions and 186 deletions.
106 changes: 106 additions & 0 deletions .github/workflows/release-workflow.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
on:
workflow_call:
inputs:
secret_registry:
type: boolean
description: All registry related inputs should be treated as secret values
required: true

image:
type: string
description: Static image value for the build
required: true

password:
type: string
description: Registry password key to lookup in secrets
required: true

username:
type: string
description: Username for the registry login
required: true

registry:
type: string
description: Destination registry for image push
required: true


tag:
type: string
description: Tag for the built image
required: true

arch:
type: string
description: Architecture for the image
required: true

org:
type: string
description: Organization part of the image name
required: false
default: "rancher-sandbox"

jobs:
build:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
packages: write
outputs:
digest: ${{ steps.image.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Build the image
id: image
uses: ./.github/workflows/release_build
with:
arch: ${{ inputs.arch }}
tag: ${{ inputs.tag }}
org: ${{ inputs.org }}
registry: ${{ inputs.secret_registry && secrets[inputs.registry] || inputs.registry }}
username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
password: ${{ secrets[inputs.password] }}

sign:
runs-on: ubuntu-latest
needs: [build]
permissions:
actions: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Sign image with cosign
uses: ./.github/workflows/release_sign
with:
image: ${{ inputs.secret_registry && secrets[inputs.image] || inputs.image }}-${{ inputs.arch }}
digest: ${{ needs.build.outputs.digest }}
identity: https://github.com/${{ inputs.org }}/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ inputs.tag }}
oids-issuer: https://token.actions.githubusercontent.com
registry: ${{ inputs.secret_registry && secrets[inputs.registry] || inputs.registry }}
username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
password: ${{ secrets[inputs.password] }}

provenance:
needs: [sign, build]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ inputs.secret_registry && secrets[inputs.image] || inputs.image }}-${{ inputs.arch }}
digest: ${{ needs.build.outputs.digest }}
secrets:
registry-username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
registry-password: ${{ secrets[inputs.password] }}
219 changes: 33 additions & 186 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -1,205 +1,54 @@

name: release

on:
workflow_dispatch:
push:
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10

permissions:
contents: write # Allow to create a release.
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10

jobs:

build-ghcr:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
multiarch_image: ${{ steps.ghcr-images.outputs.multiarch_image }}
multiarch_digest: ${{ steps.ghcr-images.outputs.multiarch_digest }}
amd64_image: ${{ steps.ghcr-images.outputs.amd64_image }}
amd64_digest: ${{ steps.ghcr-images.outputs.amd64_digest }}
arm64_digest: ${{ steps.ghcr-images.outputs.arm64_digest }}
arm64_image: ${{ steps.ghcr-images.outputs.arm64_image }}
s390x_image: ${{ steps.ghcr-images.outputs.s390x_image }}
s390x_digest: ${{ steps.ghcr-images.outputs.s390x_digest }}
env:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: setupGo
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image for gh registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
- name: Push docker image to gh registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
- name: Store list of ghcr images and digests
id: ghcr-images
run: |
./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
ghcr-sign:
runs-on: ubuntu-latest
needs: [build-ghcr]
permissions:
packages: write
id-token: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build-ghcr.outputs.multiarch_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.amd64_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.arm64_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.s390x_image }}",
}
]
env:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
steps:
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign sign --yes ${image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign verify ${image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
build-prod:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
multiarch_image: ${{ steps.prod-images.outputs.multiarch_image }}
multiarch_digest: ${{ steps.prod-images.outputs.multiarch_digest }}
amd64_image: ${{ steps.prod-images.outputs.amd64_image }}
amd64_digest: ${{ steps.prod-images.outputs.amd64_digest }}
arm64_digest: ${{ steps.prod-images.outputs.arm64_digest }}
arm64_image: ${{ steps.prod-images.outputs.arm64_image }}
s390x_image: ${{ steps.prod-images.outputs.s390x_image }}
s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }}
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
PROD_ORG: rancher-sandbox
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: setupGo
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login to prod registry
uses: docker/login-action@v3
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- name: Build docker image for prod registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Push docker image to prod registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Store list of prod images and digests
id: prod-images
run: |
./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
prod-sign:
runs-on: ubuntu-latest
needs: [build-prod]
build-push-services:
permissions:
actions: read
contents: write
packages: write
id-token: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build-prod.outputs.multiarch_image }}",
},
{
"image":"${{ needs.build-prod.outputs.amd64_image }}",
},
{
"image":"${{ needs.build-prod.outputs.arm64_image }}",
},
{
"image":"${{ needs.build-prod.outputs.s390x_image }}",
}
]
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
steps:
- name: Docker login to prod registry
uses: docker/login-action@v3
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign sign --yes ${image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign verify ${image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
destination: [ghcr, prod]
arch: [amd64, arm64, s390x]
include:
- destination: ghcr
registry: ghcr.io
username: ${{ github.actor }}
image: ghcr.io/rancher-sandbox/rancher-turtles
password: GITHUB_TOKEN
secret_registry: false
- destination: prod
registry: REGISTRY_ENDPOINT
username: REGISTRY_USERNAME
password: REGISTRY_PASSWORD
image: REGISTRY_IMAGE
secret_registry: true
name: Release
uses: ./.github/workflows/release-workflow.yml
with:
password: ${{ matrix.password }}
username: ${{ matrix.username }}
registry: ${{ matrix.registry }}
tag: ${{ github.ref_name }}
arch: ${{ matrix.arch }}
image: ${{ matrix.image }}
secret_registry: ${{ matrix.secret_registry }}
secrets: inherit

release:
name: Create helm release
needs: [prod-sign]
needs: [build-push-services]
runs-on: ubuntu-latest
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_ORG: rancher-sandbox
RELEASE_DIR: .cr-release-packages
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
Expand All @@ -208,12 +57,10 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Package operator chart
run: RELEASE_TAG=${GITHUB_REF##*/} CHART_PACKAGE_DIR=${RELEASE_DIR} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} make release

Expand Down
Loading

0 comments on commit 9f6059a

Please sign in to comment.