Publish Release #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| chart: | |
| description: 'Chart version (e.g. 2.11.3)' | |
| required: true | |
| type: string | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| env: | |
| controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller | |
| controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller | |
| kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal | |
| kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal | |
| steps: | |
| # Checkout and set env | |
| - name: Checkout | |
| uses: actions/checkout@v3.1.0 | |
| with: | |
| fetch-depth: 0 | |
| - id: load-version | |
| run: | | |
| source $GITHUB_WORKSPACE/versions.env | |
| echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV | |
| - name: Set up Go | |
| uses: actions/setup-go@v3.3.1 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Setup kubecfg | |
| run: | | |
| mkdir -p ~/bin | |
| curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg | |
| chmod +x ~/bin/kubecfg | |
| - name: Install dependencies | |
| run: | | |
| go install gotest.tools/gotestsum@v1.8.1 | |
| # Setup env tools to copy images | |
| - name: Set up regctl | |
| uses: iarekylew00t/regctl-installer@v1 | |
| with: | |
| regctl-release: v0.4.7 | |
| # Check Release | |
| - name: Check Release | |
| run: | | |
| VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v) | |
| echo "Tag looking for $VERSION_TAG" | |
| CHECK_CONTROLLER=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG) | |
| CHECK_KUBESEAL=$(./scripts/release-check ${{ env.kubeseal_dockerhub_image_name }} $VERSION_TAG) | |
| echo "RELEASE=$(($CHECK_CONTROLLER * $CHECK_KUBESEAL))" >> $GITHUB_ENV | |
| echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV | |
| echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV | |
| # Run tests | |
| - name: Tests | |
| if: env.RELEASE == 1 | |
| run: make test | |
| # Generate K8s manifests | |
| - name: K8s manifests | |
| if: env.RELEASE == 1 | |
| run: | | |
| export PATH=~/bin:$PATH | |
| make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml | |
| # Setup Cosign | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.4.0 | |
| with: | |
| cosign-release: v2.2.3 | |
| if: env.RELEASE == 1 | |
| - name: Write Cosign key | |
| if: env.RELEASE == 1 | |
| run: echo "$COSIGN_KEY" > /tmp/cosign.key | |
| env: | |
| COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
| - name: Checkout version | |
| run: git checkout "$GORELEASER_CURRENT_TAG" | |
| # Build & Release binaries | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v3.1.0 | |
| if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1 | |
| with: | |
| version: v1.10.3 | |
| args: release --rm-dist | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| # Build & Publish multi-arch image | |
| - name: Login to Docker Hub | |
| if: env.RELEASE == 1 | |
| uses: docker/login-action@v2.0.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Login to GHRC | |
| if: env.RELEASE == 1 | |
| uses: docker/login-action@v2.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker controller image | |
| if: env.RELEASE == 1 | |
| id: meta_controller | |
| uses: docker/metadata-action@v4.0.1 | |
| with: | |
| images: | | |
| ${{ env.controller_dockerhub_image_name }} | |
| ${{ env.controller_ghcr_image_name }} | |
| tags: | | |
| type=raw,value=${{ env.VERSION_TAG }} | |
| type=raw,value=latest | |
| - name: Copy controller image | |
| if: env.RELEASE == 1 | |
| run: | | |
| regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest | |
| regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG} | |
| - name: Extract metadata (tags, labels) for Docker kubeseal image | |
| if: env.RELEASE == 1 | |
| id: meta_kubeseal | |
| uses: docker/metadata-action@v4.0.1 | |
| with: | |
| images: | | |
| ${{ env.kubeseal_dockerhub_image_name }} | |
| ${{ env.kubeseal_ghcr_image_name }} | |
| tags: | | |
| type=raw,value=${{ env.VERSION_TAG }} | |
| type=raw,value=latest | |
| - name: Copy kubeseal image | |
| if: env.RELEASE == 1 | |
| run: | | |
| regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest | |
| regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG} | |
| - name: Sign controller image with a key in GHCR | |
| if: env.RELEASE == 1 | |
| run: | | |
| echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }} | |
| COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs | |
| - name: Sign kubeseal image with a key in GHCR | |
| if: env.RELEASE == 1 | |
| run: | | |
| echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }} | |
| COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs | |
| chart-pr: | |
| needs: release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Config Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| - name: Fetch Versions | |
| run: | | |
| echo NEW_VERSION=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v) >> "$GITHUB_ENV" | |
| echo PREV_VERSION=$(grep appVersion helm/sealed-secrets/Chart.yaml | grep -o '[0-9.]*') >> "$GITHUB_ENV" | |
| - name: Update Version | |
| run: | | |
| sed -i "s/version: .*/version: ${{ inputs.chart }}/" helm/sealed-secrets/Chart.yaml | |
| sed -i "s/appVersion: .*/appVersion: $NEW_VERSION/" helm/sealed-secrets/Chart.yaml | |
| sed -i "s/tag: .*/tag: $NEW_VERSION/" helm/sealed-secrets/values.yaml | |
| sed -i "s/\`$PREV_VERSION\`/\`$NEW_VERSION\`/" helm/sealed-secrets/README.md | |
| git checkout -B 'release-chart-${{ inputs.chart }}' | |
| git add helm/sealed-secrets/Chart.yaml helm/sealed-secrets/values.yaml helm/sealed-secrets/README.md | |
| git commit -sm 'Release chart ${{ inputs.chart }}' | |
| git push origin 'release-chart-${{ inputs.chart }}' | |
| - name: Create PR | |
| run: gh pr create --fill --base main --repo $GITHUB_REPOSITORY | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |