-
Notifications
You must be signed in to change notification settings - Fork 691
151 lines (140 loc) · 5.56 KB
/
publish-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Publish Release
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
env:
controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
steps:
# Checkout and set env
- name: Checkout
uses: actions/[email protected]
with:
fetch-depth: 0
- id: load-version
run: |
source $GITHUB_WORKSPACE/versions.env
echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
- name: Set up Go
uses: actions/[email protected]
with:
go-version: ${{ env.GO_VERSION }}
- name: Setup kubecfg
run: |
mkdir -p ~/bin
curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
chmod +x ~/bin/kubecfg
- name: Install dependencies
run: |
go install gotest.tools/[email protected]
# Setup env tools to copy images
- name: Set up regctl
uses: iarekylew00t/regctl-installer@v1
with:
regctl-release: v0.4.7
# Check Release
- name: Check Release
run: |
VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v)
echo "Tag looking for $VERSION_TAG"
CHECK=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG)
echo "RELEASE=$CHECK" >> $GITHUB_ENV
echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV
echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV
# Run tests
- name: Tests
if: env.RELEASE == 1
run: make test
# Generate K8s manifests
- name: K8s manifests
if: env.RELEASE == 1
run: |
export PATH=~/bin:$PATH
make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml
# Setup Cosign
- name: Install Cosign
uses: sigstore/[email protected]
if: env.RELEASE == 1
- name: Write Cosign key
if: env.RELEASE == 1
run: echo "$COSIGN_KEY" > /tmp/cosign.key
env:
COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
- name: Checkout version
run: git checkout "$GORELEASER_CURRENT_TAG"
# Build & Release binaries
- name: Run GoReleaser
uses: goreleaser/[email protected]
if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1
with:
version: v1.10.3
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
# Build & Publish multi-arch image
- name: Login to Docker Hub
if: env.RELEASE == 1
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GHRC
if: env.RELEASE == 1
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker controller image
if: env.RELEASE == 1
id: meta_controller
uses: docker/[email protected]
with:
images: |
${{ env.controller_dockerhub_image_name }}
${{ env.controller_ghcr_image_name }}
tags: |
type=raw,value=${{ env.VERSION_TAG }}
type=raw,value=latest
- name: Copy controller image
if: env.RELEASE == 1
run: |
regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest
regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG}
- name: Extract metadata (tags, labels) for Docker kubeseal image
if: env.RELEASE == 1
id: meta_kubeseal
uses: docker/[email protected]
with:
images: |
${{ env.kubeseal_dockerhub_image_name }}
${{ env.kubeseal_ghcr_image_name }}
tags: |
type=raw,value=${{ env.VERSION_TAG }}
type=raw,value=latest
- name: Copy kubeseal image
if: env.RELEASE == 1
run: |
regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest
regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG}
- name: Sign controller image with a key in GHCR
if: env.RELEASE == 1
run: |
echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
- name: Sign kubeseal image with a key in GHCR
if: env.RELEASE == 1
run: |
echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs