diff --git a/.github/workflows/nightly-test-release.yaml b/.github/workflows/nightly-test-release.yaml
new file mode 100644
index 00000000..21f73799
--- /dev/null
+++ b/.github/workflows/nightly-test-release.yaml
@@ -0,0 +1,203 @@
+name: Test release process nightly
+
+on:
+ schedule:
+ - cron: "0 0 * * *" # Run every day at midnight (UTC)
+ workflow_dispatch: # Allow running manually on demand
+
+env:
+ RELEASE_TAG: t9.9.9-fake
+
+jobs:
+ nightly-test-release:
+ name: Test release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: main
+ fetch-depth: 0
+ - name: Set and push fake tag for release
+ run: |
+ git tag ${{ env.RELEASE_TAG }}
+ - name: Push changes
+ uses: ad-m/github-push-action@master
+ with:
+ tags: true
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ build:
+ runs-on: ubuntu-latest
+ needs: [nightly-test-release]
+ permissions:
+ actions: read
+ packages: write
+ strategy:
+ matrix:
+ destination: [ghcr]
+ arch: [amd64, arm64, s390x]
+ org: [rancher-sandbox]
+ include:
+ - destination: ghcr
+ tag: t9.9.9-fake
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: GITHUB_TOKEN
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.RELEASE_TAG }}
+ fetch-depth: 0
+ - name: Build the image
+ id: image
+ uses: ./.github/workflows/release_build
+ with:
+ arch: ${{ matrix.arch }}
+ tag: ${{ env.RELEASE_TAG }}
+ org: ${{ matrix.org }}
+ registry: ${{ matrix.registry }}
+ username: ${{ matrix.username }}
+ password: ${{ secrets[matrix.password] }}
+ - uses: cloudposse/github-action-matrix-outputs-write@main
+ id: out
+ with:
+ matrix-step-name: ${{ github.job }}
+ matrix-key: ${{ matrix.destination }}-${{ matrix.arch }}
+ outputs: |-
+ image: ${{ steps.image.outputs.image }}
+ digest: ${{ steps.image.outputs.digest }}
+ username: ${{ matrix.username }}
+ password: ${{ matrix.password }}
+ registry: ${{ matrix.registry }}
+ tag: ${{ matrix.tag }}
+
+ build-result:
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - uses: cloudposse/github-action-matrix-outputs-read@main
+ id: read
+ with:
+ matrix-step-name: build
+ outputs:
+ result: "${{ steps.read.outputs.result }}"
+
+ sign:
+ runs-on: ubuntu-latest
+ needs: [build-result]
+ permissions:
+ actions: read
+ id-token: write
+ packages: write
+ strategy:
+ matrix:
+ destination: [ghcr]
+ arch: [amd64, arm64, s390x]
+ env:
+ key: ${{ matrix.destination }}-${{ matrix.arch }}
+ data: ${{ needs.build-result.outputs.result }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.RELEASE_TAG }}
+ fetch-depth: 0
+ - name: Sign image with cosign
+ uses: ./.github/workflows/release_sign
+ with:
+ image: ${{ fromJson(env.data).image[env.key] }}
+ digest: ${{ fromJson(env.data).digest[env.key] }}
+ identity: https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ fromJson(env.data).tag[env.key] }}
+ oids-issuer: https://token.actions.githubusercontent.com
+ registry: ${{ fromJson(env.data).registry[env.key] }}
+ username: ${{ fromJson(env.data).username[env.key] }}
+ password: ${{ secrets[fromJson(env.data).password[env.key]] }}
+
+ provenance:
+ needs: [build-result, sign]
+ permissions:
+ actions: read
+ id-token: write
+ packages: write
+ strategy:
+ matrix:
+ destination: [ghcr]
+ arch: [amd64, arm64, s390x]
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ${{ fromJson(needs.build-result.outputs.result).image[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+ digest: ${{ fromJson(needs.build-result.outputs.result).digest[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+ secrets:
+ registry-username: ${{ fromJson(needs.build-result.outputs.result).username[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+ registry-password: ${{ secrets[fromJson(needs.build-result.outputs.result).password[format('{0}-{1}', matrix.destination, matrix.arch)] ] }}
+
+ release:
+ name: Create helm release
+ needs: [provenance]
+ runs-on: ubuntu-latest
+ env:
+ PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
+ PROD_ORG: rancher-sandbox
+ RELEASE_DIR: .cr-release-packages
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.RELEASE_TAG }}
+ fetch-tags: true
+ fetch-depth: 0
+ - name: Package operator chart
+ run: RELEASE_TAG=${{ env.RELEASE_TAG }} CHART_PACKAGE_DIR=${RELEASE_DIR} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} make release
+
+ notify-failure:
+ name: Notify failure in Slack
+ needs: [release]
+ if: failure()
+ runs-on: ubuntu-latest
+ steps:
+ - uses: slackapi/slack-github-action@v1.24.0
+ with:
+ payload: |
+ {
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "Rancher turtles RELEASE test failed."
+ },
+ "accessory": {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "text": ":github:",
+ "emoji": true
+ },
+ "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+ clean-up:
+ name: Release testing clean up
+ needs: [release]
+ if: always()
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: dev-drprasad/delete-tag-and-release@v1.0
+ with:
+ tag_name: ${{ env.RELEASE_TAG }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ delete_release: false
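Review bot: Three third-party actions are referenced by mutable branch names — `ad-m/github-push-action@master` in the tag-push job and `cloudposse/github-action-matrix-outputs-write@main` / `cloudposse/github-action-matrix-outputs-read@main` in the build and build-result jobs — and they run in jobs holding `contents: write`, `packages: write` and (via the data they feed into `sign` and `provenance`) influence steps with `id-token: write`, so a compromised or force-pushed branch in those repositories gains tag-push, registry-push and signing-input control over this repository on every nightly run; pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: ad-m/github-push-action@<full-sha> # v0.8.0`, and let Dependabot/Renovate move the pins. Separately, the build, sign and provenance jobs appear to publish and sign images for the fake tag `t9.9.9-fake` under the real `rancher-sandbox` org on `ghcr.io`, and `release` runs `make release` against `secrets.REGISTRY_ENDPOINT`, while `clean-up` only deletes the git tag, so nightly test artifacts would accumulate in the production namespace where users can pull them — consider a dedicated test org/registry, or add a step in `clean-up` that deletes the pushed package versions. The `identity` handed to `./.github/workflows/release_sign` names `release.yaml@refs/tags/...`, but this run's OIDC token is issued for `nightly-test-release.yaml` on `refs/heads/main`; if the composite action uses that value to verify the certificate identity the nightly check will never exercise the real release path, which is worth confirming against `release_sign`, which is outside this diff.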