release.yaml
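# Manually dispatched release workflow: checks out the requested ref, builds
# and pushes the release images with `make release`, signs them with cosign
# (keyless, via the GitHub Actions OIDC identity), generates the changelog and
# opens a draft pre-release.
name: Release
on:
  workflow_dispatch:
    inputs:
      release:
        description: 'Desired tag'
        required: true
      previous-tag:
        description: 'Previous tag'
        required: false
      git-ref:
        description: 'Git reference for the release. Use an appropriate release-v* branch, tag, or commit SHA.'
        required: true
jobs:
  release:
    # NOTE(review): the repository guard below is commented out, so a fork
    # with Actions enabled can run this job and publish signed images under
    # its own namespace. Confirm that is intended.
    # if: ${{ github.repository == 'shipwright-io/build' }}
    runs-on: ubuntu-latest
    # Job-scoped token permissions; nothing beyond these three is granted.
    permissions:
      id-token: write  # To be able to get OIDC ID token to sign images.
      contents: write  # To be able to update releases.
      packages: write  # To be able to push images and signatures.
    env:
      IMAGE_HOST: ghcr.io
      IMAGE_NAMESPACE: ${{ github.repository }}
      VERSION: ${{ inputs.release }}
    steps:
      # NOTE(review): every action in this job is referenced by a mutable tag
      # (@v4, @v5, @v3, @v1). The job holds id-token/contents/packages write,
      # so pinning each action to a full commit SHA would limit exposure to a
      # retagged or compromised action.
      # NOTE(review): checkout keeps the token in the local git config by
      # default, where `make release` and the changelog script can read it.
      # Consider `persist-credentials: false` if no later step needs git auth.
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.git-ref }}
          fetch-depth: 0  # Fetch all history, needed for release note generation.
      # Install tools
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21.x'
          cache: true
          check-latest: true
      - uses: sigstore/cosign-installer@v3
      - name: Build Release Images
        env:
          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          REGISTRY_USERNAME: ${{ github.repository_owner }}
        run: make release
      - name: Sign released images
        env:
          # This enables keyless mode
          # (https://github.com/sigstore/cosign/blob/main/KEYLESS.md) which signs
          # images using an ephemeral key tied to the GitHub Actions identity via
          # OIDC.
          # NOTE(review): probably redundant with cosign 2.x, where keyless
          # signing is the default - confirm against the installed version.
          COSIGN_EXPERIMENTAL: "true"
          # Context values are passed through the environment instead of being
          # expanded into the script text.
          RUN_ID: ${{ github.run_id }}
          RUN_ATTEMPT: ${{ github.run_attempt }}
        run: |
          # Without an explicit `shell:` the runner uses `bash -e` with no
          # pipefail, so a failing grep would not by itself fail the step.
          set -euo pipefail
          # Record the commit that was actually checked out and built. For
          # workflow_dispatch, github.sha is the head of the ref the workflow
          # was started from, which can differ from inputs.git-ref.
          source_sha="$(git rev-parse HEAD)"
          # NOTE(review): if the manifest references images by tag rather than
          # by digest, signing by digest would bind each signature to the
          # exact pushed content. Verify what the bundle contains.
          # sort -u also drops non-adjacent duplicates, so each image is
          # signed once.
          grep -o "ghcr.io[^\"]*" "${GITHUB_WORKSPACE}/_output/olm/bundle/manifests/shipwright-operator.clusterserviceversion.yaml" \
            | sort -u \
            | xargs -n 1 cosign sign \
                -a "sha=${source_sha}" \
                -a "run_id=${RUN_ID}" \
                -a "run_attempt=${RUN_ATTEMPT}" \
                --yes
      - name: Build Release Changelog
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PREVIOUS_TAG: ${{ inputs.previous-tag }}
          REPOSITORY: ${{ github.repository }}
        run: |
          "${GITHUB_WORKSPACE}/.github/draft_release_notes.sh"
      # NOTE(review): actions/create-release is archived and no longer
      # maintained upstream; plan a move to a maintained alternative.
      - name: Draft release
        id: draft_release
        uses: actions/create-release@v1
        with:
          release_name: ${{ inputs.release }}
          tag_name: ${{ inputs.release }}
          draft: true
          prerelease: true
          body_path: Changes.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}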