Publish Release #2

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/publish-release.yaml at c4985c0

	name: Publish Release

	on:
	workflow_dispatch:

	jobs:
	build:
	runs-on: ubuntu-latest
	env:
	controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
	controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
	kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
	kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
	steps:
	# Checkout and set env
	- name: Checkout
	uses: actions/[email protected]
	with:
	fetch-depth: 0
	- id: load-version
	run: \|
	source $GITHUB_WORKSPACE/versions.env
	echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
	- name: Set up Go
	uses: actions/[email protected]
	with:
	go-version: ${{ env.GO_VERSION }}
	- name: Setup kubecfg
	run: \|
	mkdir -p ~/bin
	curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
	chmod +x ~/bin/kubecfg

	- name: Install dependencies
	run: \|
	go install gotest.tools/[email protected]

	# Setup env tools to copy images
	- name: Set up regctl
	uses: iarekylew00t/regctl-installer@v1
	with:
	regctl-release: v0.4.7

	# Check Release
	- name: Check Release
	run: \|
	VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 \| tr -d v)
	echo "Tag looking for $VERSION_TAG"
	CHECK=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG)
	echo "RELEASE=$CHECK" >> $GITHUB_ENV
	echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV
	echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV

	# Run tests
	- name: Tests
	if: env.RELEASE == 1
	run: make test

	# Generate K8s manifests
	- name: K8s manifests
	if: env.RELEASE == 1
	run: \|
	export PATH=~/bin:$PATH
	make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml

	# Setup Cosign
	- name: Install Cosign
	uses: sigstore/[email protected]
	if: env.RELEASE == 1
	- name: Write Cosign key
	if: env.RELEASE == 1
	run: echo "$COSIGN_KEY" > /tmp/cosign.key
	env:
	COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

	- name: Checkout version
	run: git checkout "$GORELEASER_CURRENT_TAG"

	# Build & Release binaries
	- name: Run GoReleaser
	uses: goreleaser/[email protected]
	if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1
	with:
	version: v1.10.3
	args: release --rm-dist
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	# Build & Publish multi-arch image
	- name: Login to Docker Hub
	if: env.RELEASE == 1
	uses: docker/[email protected]
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_PASSWORD }}
	- name: Login to GHRC
	if: env.RELEASE == 1
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker controller image
	if: env.RELEASE == 1
	id: meta_controller
	uses: docker/[email protected]
	with:
	images: \|
	${{ env.controller_dockerhub_image_name }}
	${{ env.controller_ghcr_image_name }}
	tags: \|
	type=raw,value=${{ env.VERSION_TAG }}
	type=raw,value=latest
	- name: Copy controller image
	if: env.RELEASE == 1
	run: \|
	regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest
	regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG}
	- name: Extract metadata (tags, labels) for Docker kubeseal image
	if: env.RELEASE == 1
	id: meta_kubeseal
	uses: docker/[email protected]
	with:
	images: \|
	${{ env.kubeseal_dockerhub_image_name }}
	${{ env.kubeseal_ghcr_image_name }}
	tags: \|
	type=raw,value=${{ env.VERSION_TAG }}
	type=raw,value=latest
	- name: Copy kubeseal image
	if: env.RELEASE == 1
	run: \|
	regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest
	regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG}
	- name: Sign controller image with a key in GHCR
	if: env.RELEASE == 1
	run: \|
	echo -n "$COSIGN_PASSWORD" \| cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
	COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
	- name: Sign kubeseal image with a key in GHCR
	if: env.RELEASE == 1
	run: \|
	echo -n "$COSIGN_PASSWORD" \| cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
	COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish Release #2

Workflow file

Publish Release #2

Jobs

Run details

Workflow file for this run