add fix for nightly workflow #66
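# Release pipeline for the v2.1 line of the patched Flux distribution.
#
# Flow, as wired by the `needs:` edges below:
#   1. nightly-tag inspects the pushed tag and exposes nightly=true|false.
#   2. release-*-controller call the shared controller_release.yaml workflow
#      once per controller; each publishes that controller's image to GHCR.
#   3. *-ghcr-provenance attach SLSA3 container provenance to each controller
#      image through the slsa-github-generator reusable workflow.
#   4. release-flux-cli assembles the patched flux2 tree with the controller
#      manifests, runs GoReleaser and records the artifact hashes plus the
#      CLI image digest for the provenance jobs.
#   5. release-flux-manifests pushes the install manifests as an OCI artifact,
#      signs it with cosign and tags it `latest`.
#   6. release-provenance / ghcr-provenance attest the CLI artifacts and image.
#
# Values taken from the GitHub context (ref name, sha, job/step outputs) are
# handed to `run:` scripts through `env:` or the runner's default GITHUB_*
# variables instead of being interpolated into the script text, so that a
# tag name cannot alter the shell that is executed.
name: release_v21
on:
  push:
    tags:
      - 'v2.1.*'
jobs:
  nightly-tag:
    # This job only reads the ref; the token needs no write scopes.
    permissions:
      contents: read
    outputs:
      nightly: ${{ steps.version.outputs.nightly }}
    runs-on: ubuntu-latest
    steps:
      - name: version
        id: version
        shell: bash
        # GITHUB_REF is provided by the runner for every step. A tag of the
        # form refs/tags/v*.nightly* marks a nightly build.
        run: |
          if [[ "$GITHUB_REF" == refs/tags/v*.nightly* ]]; then
            echo "nightly=true" >> "$GITHUB_OUTPUT"
          else
            echo "nightly=false" >> "$GITHUB_OUTPUT"
          fi
  release-source-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: source-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-kustomize-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: kustomize-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-helm-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: helm-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-image-reflector-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: image-reflector-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-image-automation-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: image-automation-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-notification-controller:
    needs: [nightly-tag]
    permissions:
      contents: read
      id-token: write
      packages: write
    uses: ./.github/workflows/controller_release.yaml
    with:
      controller: notification-controller
      version: v21
      nightly: ${{ needs.nightly-tag.outputs.nightly }}
    secrets:
      ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  # One SLSA3 container-provenance job per controller image. Each consumes
  # the image_url/image_digest outputs of the matching release job above.
  sc-ghcr-provenance:
    needs: [release-source-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-source-controller.outputs.image_url }}
      digest: ${{ needs.release-source-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  kc-ghcr-provenance:
    needs: [release-kustomize-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-kustomize-controller.outputs.image_url }}
      digest: ${{ needs.release-kustomize-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  hc-ghcr-provenance:
    needs: [release-helm-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-helm-controller.outputs.image_url }}
      digest: ${{ needs.release-helm-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  irc-ghcr-provenance:
    needs: [release-image-reflector-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-image-reflector-controller.outputs.image_url }}
      digest: ${{ needs.release-image-reflector-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  iac-ghcr-provenance:
    needs: [release-image-automation-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-image-automation-controller.outputs.image_url }}
      digest: ${{ needs.release-image-automation-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  nc-ghcr-provenance:
    needs: [release-notification-controller]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/v')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-notification-controller.outputs.image_url }}
      digest: ${{ needs.release-notification-controller.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
  release-flux-cli:
    outputs:
      hashes: ${{ steps.slsa.outputs.hashes }}
      image_url: ${{ steps.slsa.outputs.image_url }}
      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    needs: [nightly-tag, sc-ghcr-provenance, kc-ghcr-provenance, hc-ghcr-provenance, irc-ghcr-provenance, iac-ghcr-provenance, nc-ghcr-provenance]
    steps:
      - name: Checkout
        # TODO(review): pin to a commit SHA like the other third-party actions.
        uses: actions/checkout@v4
      - name: Setup Kustomize
        # TODO(review): @main is a moving target; pin to a commit SHA.
        uses: fluxcd/pkg/actions/kustomize@main
      - name: install stgit
        shell: bash
        # stgit and a git identity are required by scripts/patch_repo.sh below.
        run: |
          sudo apt-get install -y stgit
          git config --global user.name "Soule BA"
          git config --global user.email "soule@weave.works"
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache: false
      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
      - name: Setup Cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - name: Login to GitHub Container Registry
        # Same pinned revision as the login step in release-flux-manifests;
        # a floating major tag would bypass the SHA pinning used elsewhere.
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: weave-ghcr-bot
          password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
      - name: Clone and patch repo
        id: patch
        env:
          # Job output passed through the environment, not spliced into the script.
          NIGHTLY: ${{ needs.nightly-tag.outputs.nightly }}
        # Computes VERSION from patches-flux/VERSION (FLUX2_BASE_VERSION and
        # FLUX2_SUFFIX_VERSION) plus a timestamp, then applies the patch set
        # to a fresh flux2 clone. Outputs: version, raw_version (leading
        # character stripped), latest_release.
        run: |
          ln -s patches-flux-v21 patches-flux
          rm -rf flux2 || true
          source ./patches-flux/VERSION
          # LATEST_RELEASE defaults to true; a nightly build flips it to false
          LATEST_RELEASE=true
          if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
            VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION}
          else
            VERSION=${FLUX2_BASE_VERSION}-wa
          fi
          if [[ "$NIGHTLY" == "true" ]]; then
            VERSION=${VERSION}-nightly.$(date +%y%m%d%H%M%S)
            LATEST_RELEASE=false
          else
            VERSION=${VERSION}.$(date +%y%m%d%H%M%S)
          fi
          bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/flux2.git" flux2 "${FLUX2_BASE_VERSION}"
          unlink patches-flux
          RAW_VERSION=$(echo "$VERSION" | cut -c2-)
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "raw_version=${RAW_VERSION}" >> "$GITHUB_OUTPUT"
          echo "latest_release=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
      - name: Download all controllers release artifacts
        # TODO(review): pin to a commit SHA like the other third-party actions.
        uses: actions/download-artifact@v3
        with:
          path: ./flux2
      - name: Place yamls in the right place
        # Each controller artifact ships <name>.crds.yaml and
        # <name>.deployment.yaml; copy them into the flux2 manifest bases.
        run: |
          # source-controller yamls
          cp -p ./flux2/source-controller/source-controller.crds.yaml ./flux2/manifests/bases/source-controller/
          cp -p ./flux2/source-controller/source-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/source-controller/source-controller.deployment.yaml ./flux2/manifests/bases/source-controller/
          # kustomize-controller yamls
          cp -p ./flux2/kustomize-controller/kustomize-controller.crds.yaml ./flux2/manifests/bases/kustomize-controller/
          cp -p ./flux2/kustomize-controller/kustomize-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/kustomize-controller/kustomize-controller.deployment.yaml ./flux2/manifests/bases/kustomize-controller/
          # helm-controller yamls
          cp -p ./flux2/helm-controller/helm-controller.crds.yaml ./flux2/manifests/bases/helm-controller/
          cp -p ./flux2/helm-controller/helm-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/helm-controller/helm-controller.deployment.yaml ./flux2/manifests/bases/helm-controller/
          # image-reflector-controller yamls
          cp -p ./flux2/image-reflector-controller/image-reflector-controller.crds.yaml ./flux2/manifests/bases/image-reflector-controller/
          cp -p ./flux2/image-reflector-controller/image-reflector-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/image-reflector-controller/image-reflector-controller.deployment.yaml ./flux2/manifests/bases/image-reflector-controller/
          # image-automation-controller yamls
          cp -p ./flux2/image-automation-controller/image-automation-controller.crds.yaml ./flux2/manifests/bases/image-automation-controller/
          cp -p ./flux2/image-automation-controller/image-automation-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/image-automation-controller/image-automation-controller.deployment.yaml ./flux2/manifests/bases/image-automation-controller/
          # notification-controller yamls
          cp -p ./flux2/notification-controller/notification-controller.crds.yaml ./flux2/manifests/bases/notification-controller/
          cp -p ./flux2/notification-controller/notification-controller.crds.yaml ./flux2/manifests/crds/
          cp -p ./flux2/notification-controller/notification-controller.deployment.yaml ./flux2/manifests/bases/notification-controller/
      - name: Generate manifests
        run: |
          cd ./flux2
          make cmd/flux/.manifests.done
          ./manifests/scripts/bundle.sh "" ../output manifests.tar.gz
          kustomize build ./manifests/install > ../output/install.yaml
      - name: Build CRDs
        run: |
          kustomize build ./flux2/manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
        # TODO(review): @main is a moving target; pin to a commit SHA.
        uses: fluxcd/pkg/actions/crdjsonschema@main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Run GoReleaser
        id: run-goreleaser
        if: startsWith(github.ref, 'refs/tags/v')
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        with:
          version: latest
          args: release --clean --skip=validate
        env:
          # NOTE(review): the GHCR bot PAT is used as GITHUB_TOKEN here rather
          # than the workflow token; confirm it is scoped to what GoReleaser
          # needs (release upload and package push).
          GITHUB_TOKEN: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          BUILD_VERSION: ${{ steps.patch.outputs.version }}
          BUILD_VERSION_RAW: ${{ steps.patch.outputs.raw_version }}
          LATEST_RELEASE: ${{ steps.patch.outputs.latest_release }}
      - name: Generate SLSA metadata
        id: slsa
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
          BUILD_VERSION: ${{ steps.patch.outputs.version }}
        # hashes: base64 of "<sha256> <name>" lines for every GoReleaser
        # artifact carrying a digest/checksum, in the form the generic SLSA
        # generator expects as base64-subjects. image_digest is read back from
        # the registry so provenance is bound to what was actually pushed.
        run: |
          set -euo pipefail
          hashes=$(echo -E "$ARTIFACTS" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> "$GITHUB_OUTPUT"
          image_url=ghcr.io/weaveworks/flux-cli:${BUILD_VERSION}
          echo "image_url=$image_url" >> "$GITHUB_OUTPUT"
          image_digest=$(docker buildx imagetools inspect "${image_url}" --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> "$GITHUB_OUTPUT"
  release-flux-manifests:
    runs-on: ubuntu-latest
    needs: [nightly-tag, release-flux-cli]
    permissions:
      contents: read # checkout of this repository
      id-token: write
      packages: write
    steps:
      - name: Checkout
        # TODO(review): pin to a commit SHA like the other third-party actions.
        uses: actions/checkout@v4
      - name: Setup Kustomize
        # TODO(review): @main is a moving target; pin to a commit SHA.
        uses: fluxcd/pkg/actions/kustomize@main
      - name: install stgit
        shell: bash
        run: |
          sudo apt-get install -y stgit
          git config --global user.name "Soule BA"
          git config --global user.email "soule@weave.works"
      - name: Clone and patch repo
        id: patch
        env:
          NIGHTLY: ${{ needs.nightly-tag.outputs.nightly }}
        # Same version derivation as in release-flux-cli; the timestamp is
        # taken independently, so the two jobs do not produce an identical
        # version string.
        run: |
          ln -s patches-flux-v21 patches-flux
          rm -rf flux2 || true
          source ./patches-flux/VERSION
          if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
            VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION}
          else
            VERSION=${FLUX2_BASE_VERSION}-wa
          fi
          if [[ "$NIGHTLY" == "true" ]]; then
            VERSION=${VERSION}-nightly.$(date +%y%m%d%H%M%S)
          else
            VERSION=${VERSION}.$(date +%y%m%d%H%M%S)
          fi
          bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/flux2.git" flux2 "${FLUX2_BASE_VERSION}"
          unlink patches-flux
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
      - name: Setup Flux CLI
        # Local action from the freshly patched flux2 checkout.
        uses: ./flux2/action/
      - name: Login to GHCR
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: weave-ghcr-bot
          password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
      - name: Push manifests to GHCR
        env:
          BUILD_VERSION: ${{ steps.patch.outputs.version }}
          SOURCE_URL: ${{ github.repositoryUrl }}
        # GITHUB_REF_NAME and GITHUB_SHA are runner-provided; reading them
        # from the environment keeps the tag name out of the script text.
        run: |
          mkdir -p ./ghcr.io/flux-system
          flux install --registry=ghcr.io/weaveworks \
            --components-extra=image-reflector-controller,image-automation-controller \
            --export > ./ghcr.io/flux-system/gotk-components.yaml
          cd ./ghcr.io && flux push artifact \
            "oci://ghcr.io/weaveworks/flux-manifests:${BUILD_VERSION}" \
            --path="./flux-system" \
            --source="${SOURCE_URL}" \
            --revision="${GITHUB_REF_NAME}@sha1:${GITHUB_SHA}"
      - name: Setup Cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
          BUILD_VERSION: ${{ steps.patch.outputs.version }}
        run: |
          cosign sign --yes "ghcr.io/weaveworks/flux-manifests:${BUILD_VERSION}"
      - name: Tag manifests
        env:
          BUILD_VERSION: ${{ steps.patch.outputs.version }}
        run: |
          flux tag artifact "oci://ghcr.io/weaveworks/flux-manifests:${BUILD_VERSION}" \
            --tag latest
  release-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
      upload-assets: true
      private-repository: true
  ghcr-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: weave-ghcr-bot
      private-repository: true
    secrets:
      registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}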