Skip to content

Commit

Permalink
Refactor release workflow to be "partially" reusable
Browse files Browse the repository at this point in the history
  • Loading branch information
@Danil-Grigorev
Danil-Grigorev committed Oct 24, 2023
1 parent a06f1d6 commit a7518f5
Show file tree
Hide file tree
Showing 3 changed files with 214 additions and 175 deletions.
267 changes: 92 additions & 175 deletions .github/workflows/release.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,200 +3,123 @@ name: release
on:
push:
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10

permissions:
contents: write # Allow to create a release.
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10

jobs:

build-ghcr:
build:
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
packages: write
outputs:
multiarch_image: ${{ steps.ghcr-images.outputs.multiarch_image }}
multiarch_digest: ${{ steps.ghcr-images.outputs.multiarch_digest }}
amd64_image: ${{ steps.ghcr-images.outputs.amd64_image }}
amd64_digest: ${{ steps.ghcr-images.outputs.amd64_digest }}
arm64_digest: ${{ steps.ghcr-images.outputs.arm64_digest }}
arm64_image: ${{ steps.ghcr-images.outputs.arm64_image }}
s390x_image: ${{ steps.ghcr-images.outputs.s390x_image }}
s390x_digest: ${{ steps.ghcr-images.outputs.s390x_digest }}
env:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: setupGo
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image for gh registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
- name: Push docker image to gh registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
- name: Store list of ghcr images and digests
id: ghcr-images
run: |
./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
ghcr-sign:
runs-on: ubuntu-latest
needs: [build-ghcr]
permissions:
packages: write
id-token: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build-ghcr.outputs.multiarch_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.amd64_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.arm64_image }}",
},
{
"image":"${{ needs.build-ghcr.outputs.s390x_image }}",
}
]
env:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
ORG: rancher-sandbox
destination: [ghcr, prod]
arch: [amd64, arm64, s390x]
org: [rancher-sandbox]
include:
- destination: ghcr
tag: ${{ github.ref_name }}
registry: ghcr.io
username: ${{ github.actor }}
password: GITHUB_TOKEN
- destination: prod
tag: ${{ github.ref_name }}
registry: registry.rancher.com
username: rancher
password: REGISTRY_PASSWORD
steps:
- name: Docker login to ghcr registry
uses: docker/login-action@v3
- name: Checkout
uses: actions/checkout@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign sign --yes ${image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign verify ${image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
fetch-depth: 0
- name: Build and sign the image
id: image
uses: ./.github/workflows/release_build
with:
arch: ${{ matrix.arch }}
tag: ${{ github.ref_name }}
org: ${{ matrix.org }}
registry: ${{ matrix.registry }}
username: ${{ matrix.username }}
password: ${{ secrets[matrix.password] }}
- uses: cloudposse/github-action-matrix-outputs-write@main
id: out
with:
matrix-step-name: ${{ github.job }}
matrix-key: ${{ matrix.destination }}-${{ matrix.arch }}
outputs: |-
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.image.outputs.digest }}
username: ${{ matrix.username }}
password: ${{ matrix.password }}
registry: ${{ matrix.registry }}
tag: ${{ matrix.tag }}
build-prod:
build-result:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
multiarch_image: ${{ steps.prod-images.outputs.multiarch_image }}
multiarch_digest: ${{ steps.prod-images.outputs.multiarch_digest }}
amd64_image: ${{ steps.prod-images.outputs.amd64_image }}
amd64_digest: ${{ steps.prod-images.outputs.amd64_digest }}
arm64_digest: ${{ steps.prod-images.outputs.arm64_digest }}
arm64_image: ${{ steps.prod-images.outputs.arm64_image }}
s390x_image: ${{ steps.prod-images.outputs.s390x_image }}
s390x_digest: ${{ steps.prod-images.outputs.s390x_digest }}
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
PROD_ORG: rancher-sandbox
needs: [build]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: setupGo
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login to prod registry
uses: docker/login-action@v3
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- name: Build docker image for prod registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Push docker image to prod registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Store list of prod images and digests
id: prod-images
run: |
./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
- uses: cloudposse/github-action-matrix-outputs-read@main
id: read
with:
matrix-step-name: build
outputs:
result: "${{ steps.read.outputs.result }}"

prod-sign:
sign:
runs-on: ubuntu-latest
needs: [build-prod]
needs: [build-result]
permissions:
packages: write
actions: read
id-token: write
packages: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build-prod.outputs.multiarch_image }}",
},
{
"image":"${{ needs.build-prod.outputs.amd64_image }}",
},
{
"image":"${{ needs.build-prod.outputs.arm64_image }}",
},
{
"image":"${{ needs.build-prod.outputs.s390x_image }}",
}
]
destination: [ghcr, prod]
arch: [amd64, arm64, s390x]
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
key: ${{ matrix.destination }}-${{ matrix.arch }}
data: ${{ needs.build-result.outputs.result }}
steps:
- name: Docker login to prod registry
uses: docker/login-action@v3
- name: Checkout
uses: actions/checkout@v4
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign sign --yes ${image}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
image=$(echo ${{ matrix.images.image }} | base64 -d | base64 -d)
cosign verify ${image} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
fetch-depth: 0
- name: Sign image with cosign
uses: ./.github/workflows/release_sign
with:
image: ${{ fromJson(env.data).image[env.key] }}
digest: ${{ fromJson(env.data).digest[env.key] }}
identity: https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ fromJson(env.data).tag[env.key] }}
oids-issuer: https://token.actions.githubusercontent.com
registry: ${{ fromJson(env.data).registry[env.key] }}
username: ${{ fromJson(env.data).username[env.key] }}
password: ${{ secrets[fromJson(env.data).password[env.key]] }}

provenance:
needs: [build-result, sign]
permissions:
actions: read
id-token: write
packages: write
strategy:
matrix:
destination: [ghcr, prod]
arch: [amd64, arm64, s390x]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ fromJson(needs.build-result.outputs.result).image[format('{0}-{1}', matrix.destination, matrix.arch)] }}
digest: ${{ fromJson(needs.build-result.outputs.result).digest[format('{0}-{1}', matrix.destination, matrix.arch)] }}
secrets:
registry-username: ${{ fromJson(needs.build-result.outputs.result).username[format('{0}-{1}', matrix.destination, matrix.arch)] }}
registry-password: ${{ secrets[fromJson(needs.build-result.outputs.result).password[format('{0}-{1}', matrix.destination, matrix.arch)] ] }}

release:
name: Create helm release
needs: [prod-sign]
needs: [provenance]
runs-on: ubuntu-latest
permissions:
contents: write # Allow to create a release.
env:
TAG: ${{ github.ref_name }}
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
Expand All @@ -208,29 +131,23 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Package operator chart
run: RELEASE_TAG=${GITHUB_REF##*/} CHART_PACKAGE_DIR=${RELEASE_DIR} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} make release

- name: Install chart-releaser
uses: helm/chart-releaser-action@v1.5.0
with:
install_only: true

- name: Prepare environment for the chart releaser
run: |
echo "CR_OWNER=$(cut -d '/' -f 1 <<< $GITHUB_REPOSITORY)" >> $GITHUB_ENV
echo "CR_GIT_REPO=$(cut -d '/' -f 2 <<< $GITHUB_REPOSITORY)" >> $GITHUB_ENV
rm -rf .cr-index
mkdir -p .cr-index
- name: Run chart-releaser upload
run: cr upload --skip-existing -c "$(git rev-parse HEAD)" --generate-release-notes --release-name-template "${{ env.TAG }}" --make-release-latest=false

- name: Run chart-releaser index
run: cr index --push --release-name-template "${{ env.TAG }}"
64 changes: 64 additions & 0 deletions .github/workflows/release_build/action.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: 'Build release'
description: 'Builds release image and pushes to the registry'
inputs:
arch:
description: 'Architecture of the built image'
required: true
type: string
tag:
description: 'Image tag'
type: string
default: 'github-actions'
org:
description: 'Organization part of the image path'
required: false
default: 'rancher-sandbox'
type: string
registry:
description: 'The registry to login'
required: true
type: string
username:
description: 'The username to registry'
required: true
type: string
password:
required: true
description: 'The password for registry login'
type: string
outputs:
image:
description: 'Full image name'
value: ${{ steps.image_info.outputs.image_name }}
digest:
description: 'Image digest'
value: ${{ steps.image_info.outputs.digest }}

runs:
using: 'composite'
steps:
- name: setupGo
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ inputs.password }}
- name: Build docker image for gh registry
shell: bash
run: make docker-build-${{ inputs.arch }} TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
- name: Push docker image to gh registry
shell: bash
run: make docker-push-${{ inputs.arch }} TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
- name: Store image and digest
shell: bash
id: image_info
run: |
img=${{ inputs.registry }}/${{ inputs.org }}/rancher-turtles-${{ inputs.arch }}:${{ inputs.tag }}
out=$( docker buildx imagetools inspect ${img} --format '{{json .}}' )
digest=$( echo $out | jq .manifest.digest )
echo "digest=${digest}" >> $GITHUB_OUTPUT
echo "image_name=${img%:*}" >> $GITHUB_OUTPUT
Loading

0 comments on commit a7518f5

Please sign in to comment.