-
Notifications
You must be signed in to change notification settings - Fork 661
155 lines (143 loc) · 5.75 KB
/
publish-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: Publish Release
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
env:
controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
steps:
# Checkout and set env
- name: Checkout
uses: actions/checkout@v3.1.0
with:
fetch-depth: 0
- id: load-version
run: |
source $GITHUB_WORKSPACE/versions.env
echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
- name: Set up Go
uses: actions/setup-go@v3.3.1
with:
go-version: ${{ env.GO_VERSION }}
- name: Setup kubecfg
run: |
mkdir -p ~/bin
curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
chmod +x ~/bin/kubecfg
- name: Install dependencies
run: |
go install gotest.tools/gotestsum@v1.8.1
# Setup env tools to copy images
- name: Set up regctl
uses: iarekylew00t/regctl-installer@v1
with:
regctl-release: v0.4.7
# Check Release
- name: Check Release
run: |
VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v)
echo "Tag looking for $VERSION_TAG"
CHECK_CONTROLLER=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG)
CHECK_KUBESEAL=$(./scripts/release-check ${{ env.kubeseal_dockerhub_image_name }} $VERSION_TAG)
echo "RELEASE=$(($CHECK_CONTROLLER * $CHECK_KUBESEAL))" >> $GITHUB_ENV
echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV
echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV
# Run tests
- name: Tests
if: env.RELEASE == 1
run: make test
# Generate K8s manifests
- name: K8s manifests
if: env.RELEASE == 1
run: |
export PATH=~/bin:$PATH
make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml
# Setup Cosign
- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0
with:
cosign-release: v2.2.3
if: env.RELEASE == 1
- name: Write Cosign key
if: env.RELEASE == 1
run: echo "$COSIGN_KEY" > /tmp/cosign.key
env:
COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
- name: Checkout version
run: git checkout "$GORELEASER_CURRENT_TAG"
# Build & Release binaries
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3.1.0
if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1
with:
version: v1.10.3
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# Build & Publish multi-arch image
- name: Login to Docker Hub
if: env.RELEASE == 1
uses: docker/login-action@v2.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GHRC
if: env.RELEASE == 1
uses: docker/login-action@v2.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker controller image
if: env.RELEASE == 1
id: meta_controller
uses: docker/metadata-action@v4.0.1
with:
images: |
${{ env.controller_dockerhub_image_name }}
${{ env.controller_ghcr_image_name }}
tags: |
type=raw,value=${{ env.VERSION_TAG }}
type=raw,value=latest
- name: Copy controller image
if: env.RELEASE == 1
run: |
regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest
regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG}
- name: Extract metadata (tags, labels) for Docker kubeseal image
if: env.RELEASE == 1
id: meta_kubeseal
uses: docker/metadata-action@v4.0.1
with:
images: |
${{ env.kubeseal_dockerhub_image_name }}
${{ env.kubeseal_ghcr_image_name }}
tags: |
type=raw,value=${{ env.VERSION_TAG }}
type=raw,value=latest
- name: Copy kubeseal image
if: env.RELEASE == 1
run: |
regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest
regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG}
- name: Sign controller image with a key in GHCR
if: env.RELEASE == 1
run: |
echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
- name: Sign kubeseal image with a key in GHCR
if: env.RELEASE == 1
run: |
echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs