From 023d21c5a92cb70c8516cef8df175d74279b5ee3 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Wed, 26 Jul 2023 15:34:29 +0300 Subject: [PATCH 01/17] WIP: comment out repo restriction. --- .github/workflows/release.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 27cee3adbcf4..1da5fc46e043 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -23,7 +23,7 @@ permissions: jobs: build-linux-amd64: name: Build & push linux/amd64 - if: github.repository == 'codefresh-io/argo-workflows' + # if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest strategy: matrix: @@ -93,7 +93,7 @@ jobs: build-linux-arm64: name: Build & push linux/arm64 - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest strategy: matrix: @@ -168,7 +168,7 @@ jobs: build-windows: name: Build & push windows - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' runs-on: windows-2019 steps: - uses: actions/checkout@v2 @@ -210,7 +210,7 @@ jobs: push-images: name: Push manifest with all images - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest needs: [ build-linux-amd64, build-linux-arm64, build-windows ] steps: @@ -263,7 +263,7 @@ jobs: test-images-linux-amd64: name: Try pulling linux/amd64 - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest needs: [ push-images ] strategy: 
@@ -303,7 +303,7 @@ jobs: test-images-windows: name: Try pulling windows - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' runs-on: windows-2019 needs: [ push-images ] steps: @@ -342,7 +342,7 @@ jobs: permissions: contents: write # for softprops/action-gh-release to create GitHub release runs-on: ubuntu-latest - if: github.repository == 'codefresh-io/argo-workflows' + #if: github.repository == 'codefresh-io/argo-workflows' needs: [ push-images, test-images-linux-amd64, test-images-windows ] env: NODE_OPTIONS: --max-old-space-size=4096 From 0e5ca1ebd3b9a0ce23c77e8fc1b334809d6ea5a7 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Wed, 26 Jul 2023 15:47:55 +0300 Subject: [PATCH 02/17] Empty commit. From 12303ebf45725adc16da18d40c36c4ce1da96909 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Wed, 26 Jul 2023 15:54:50 +0300 Subject: [PATCH 03/17] Fix QUAYIO_ORG substitution. --- .github/workflows/release.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1da5fc46e043..055c34b9ae3c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -63,6 +63,7 @@ jobs: - name: Docker Buildx env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} + QUAYIO_ORG: ${{ secrets.QUAYIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} run: | @@ -72,7 +73,7 @@ jobs: fi tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g") - image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}" + image_name="${DOCKERIO_ORG:-$QUAYIO_ORG}/${TARGET}:${tag}-${tag_suffix}" ## Codefresh - remove dockerhub # docker buildx build \ From 6b7f81320804df4297010613aee870b270a54016 Mon Sep 17 00:00:00 2001 
From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 11:29:01 +0300 Subject: [PATCH 04/17] Clean up release workflow. --- .github/workflows/release.yaml | 183 ++++++++++----------------------- 1 file changed, 57 insertions(+), 126 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 055c34b9ae3c..c1acc5a3096d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -20,6 +20,12 @@ defaults: permissions: contents: read +env: + OCI_REGISTRY: quay.io + OCI_REGISTRY_REPO: ${{ env.QUAYIO_ORG }} + OCI_REGISTRY_USERNAME: ${{ secrets.QUAYIO_USERNAME }} + OCI_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_PASSWORD }} + jobs: build-linux-amd64: name: Build & push linux/amd64 @@ -46,24 +52,15 @@ jobs: restore-keys: | ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx- - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: docker/login-action@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - name: Docker Login uses: docker/login-action@v2 with: - registry: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} - name: Docker Buildx env: - DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} - QUAYIO_ORG: ${{ secrets.QUAYIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} run: | 
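Review bot: The workflow-level `env:` block added in the `@@ -20,6 +20,12 @@` hunk exports `OCI_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_PASSWORD }}` to every step of every job, including `run:` scripts, the `make` targets and third-party actions that never log in to the registry. Keep only the non-secret `OCI_REGISTRY` and `OCI_REGISTRY_REPO` at workflow level. Pass the credentials in the `with:` of each `Docker Login` step instead, i.e. `username: ${{ secrets.QUAYIO_USERNAME }}` and `password: ${{ secrets.QUAYIO_PASSWORD }}`. That keeps the registry credential out of the process environment of the build and release steps.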
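Review bot: `uses: docker/login-action@v2` in the `@@ -46,24 +52,15 @@` hunk, and in the other login steps this patch rewrites, references a mutable tag on the very step that receives the registry username and password. Pin it to a full commit SHA with the version as a trailing comment, the way patch 13 of this series pins `sigstore/cosign-installer`: `uses: docker/login-action@<full-commit-sha> # v2`. The job definition starts and ends outside the hunk.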
@@ -73,16 +70,8 @@ jobs: fi tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g") - image_name="${DOCKERIO_ORG:-$QUAYIO_ORG}/${TARGET}:${tag}-${tag_suffix}" - - ## Codefresh - remove dockerhub - # docker buildx build \ - # --cache-from "type=local,src=/tmp/.buildx-cache" \ - # --cache-to "type=local,dest=/tmp/.buildx-cache" \ - # --output "type=image,push=true" \ - # --platform="${PLATFORM}" \ - # --target $TARGET \ - # --tag $image_name . + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-${tag_suffix}" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty docker buildx build \ --cache-from "type=local,src=/tmp/.buildx-cache" \ @@ -90,7 +79,7 @@ jobs: --output "type=image,push=true" \ --platform="${PLATFORM}" \ --target $TARGET \ - --tag quay.io/$image_name . + --tag $image_name . build-linux-arm64: name: Build & push linux/arm64 @@ -122,23 +111,15 @@ jobs: restore-keys: | ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx- - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: docker/login-action@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - name: Docker Login uses: docker/login-action@v2 with: - registry: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} - name: Docker Buildx env: - DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} run: | 
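Review bot: `image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-${tag_suffix}"` in the `@@ -73,16 +70,8 @@` hunk pastes expression text into the script before bash parses it, so any shell metacharacter in the configured value becomes part of the script. Both values are already exported by the workflow-level `env:` this patch adds, so read them as quoted shell variables: `image_name="${OCI_REGISTRY}/${OCI_REGISTRY_REPO}/${TARGET}:${tag}-${tag_suffix}"`, and quote `--target "$TARGET"` and `--tag "$image_name"` too. The `${image_name#/}` line only handles an empty registry; an empty `OCI_REGISTRY_REPO` still produces `quay.io//...`, so fail early with `: "${OCI_REGISTRY_REPO:?}"`. The same construction repeats in the arm64, windows, push-images and test-images hunks of this patch.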
@@ -148,16 +129,8 @@ jobs: fi tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g") - image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}" - - ## Codefresh - remove dockerhub - # docker buildx build \ - # --cache-from "type=local,src=/tmp/.buildx-cache" \ - # --cache-to "type=local,dest=/tmp/.buildx-cache" \ - # --output "type=image,push=true" \ - # --platform="${PLATFORM}" \ - # --target $TARGET \ - # --tag $image_name . + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-${tag_suffix}" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty docker buildx build \ --cache-from "type=local,src=/tmp/.buildx-cache" \ @@ -165,7 +138,7 @@ jobs: --output "type=image,push=true" \ --platform="${PLATFORM}" \ --target $TARGET \ - --tag quay.io/$image_name . + --tag $image_name . build-windows: name: Build & push windows @@ -173,26 +146,16 @@ jobs: runs-on: windows-2019 steps: - uses: actions/checkout@v2 - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: Azure/docker-login@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - - name: Login to Quay - uses: Azure/docker-login@v1 + + - name: Docker Login + uses: docker/login-action@v2 with: - login-server: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} - name: Build & Push Windows Docker Images - env: - DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} run: | - docker_org=$DOCKERIO_ORG - tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then tag="latest" 
@@ -200,13 +163,11 @@ jobs: targets="argoexec" for target in $targets; do - image_name="${docker_org}/${target}:${tag}-windows" - docker build --target $target -t $image_name -f Dockerfile.windows . - ## Codefresh - remove dockerhub - # docker push $image_name + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-windows" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty - docker tag $image_name quay.io/$image_name - docker push quay.io/$image_name + docker build --target $target -t $image_name -f Dockerfile.windows . + docker push image_name done push-images: @@ -216,28 +177,18 @@ jobs: needs: [ build-linux-amd64, build-linux-arm64, build-windows ] steps: - uses: actions/checkout@v2 - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: Azure/docker-login@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - - name: Login to Quay - uses: Azure/docker-login@v1 + + - name: Docker Login + uses: docker/login-action@v2 with: - login-server: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} - name: Push Multiarch Image - env: - DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} run: | echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json - docker_org=$DOCKERIO_ORG - tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then tag="latest" 
@@ -245,21 +196,16 @@ jobs: targets="workflow-controller argoexec argocli" for target in $targets; do - image_name="${docker_org}/${target}:${tag}" + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty if [ $target = "argoexec" ]; then - ## Codefresh - remove dockerhub - # docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows - docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows + docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows else - ## Codefresh - remove dockerhub - # docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 - docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 + docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 fi - ## Codefresh - remove dockerhub - # docker manifest push $image_name - docker manifest push quay.io/$image_name + docker manifest push $image_name done test-images-linux-amd64: 
@@ -272,23 +218,15 @@ jobs: platform: [ linux/amd64 ] target: [ workflow-controller, argocli, argoexec ] steps: - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: Azure/docker-login@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - - name: Login to Quay - uses: Azure/docker-login@v1 + - name: Docker Login + uses: docker/login-action@v2 with: - login-server: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} - name: Docker Buildx env: - DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} run: | @@ -297,10 +235,9 @@ jobs: tag="latest" fi - image_name="${DOCKERIO_ORG}/${TARGET}:${tag}" - ## Codefresh - remove dockerhub - # docker pull $image_name - docker pull quay.io/$image_name + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty + docker pull $image_name test-images-windows: name: Try pulling windows @@ -308,19 +245,14 @@ jobs: runs-on: windows-2019 needs: [ push-images ] steps: - ## Codefresh - remove dockerhub - # - name: Docker Login - # uses: Azure/docker-login@v1 - # with: - # username: ${{ secrets.DOCKERIO_USERNAME }} - # password: ${{ secrets.DOCKERIO_PASSWORD }} - - - name: Login to Quay - uses: Azure/docker-login@v1 + + - name: Docker Login + uses: docker/login-action@v2 with: - login-server: quay.io - username: ${{ secrets.QUAYIO_USERNAME }} - password: ${{ secrets.QUAYIO_PASSWORD }} + registry: ${{ env.OCI_REGISTRY }} + username: ${{ env.OCI_REGISTRY_USERNAME }} + password: ${{ env.OCI_REGISTRY_PASSWORD }} + - name: Try pulling env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} 
@@ -333,10 +265,9 @@ jobs: targets="argoexec" for target in $targets; do - image_name="${docker_org}/${target}:${tag}" - ## Codefresh - remove dockerhub - # docker pull $image_name - docker pull quay.io/$image_name + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}" + image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty + docker pull $image_name done publish-release: From 3fbbd771d494ec07f9376f403e1a76cb8c56cfc9 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 11:31:08 +0300 Subject: [PATCH 05/17] Fix var reference. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c1acc5a3096d..fdb6c534efb0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -22,7 +22,7 @@ permissions: env: OCI_REGISTRY: quay.io - OCI_REGISTRY_REPO: ${{ env.QUAYIO_ORG }} + OCI_REGISTRY_REPO: ${{ vars.QUAYIO_ORG }} OCI_REGISTRY_USERNAME: ${{ secrets.QUAYIO_USERNAME }} OCI_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_PASSWORD }} From aa2c9421a67d15b8ae05e2bd3693e0d913803d32 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 11:44:46 +0300 Subject: [PATCH 06/17] Fix windows build. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fdb6c534efb0..eaab1d0f599d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -163,7 +163,7 @@ jobs: targets="argoexec" for target in $targets; do - image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-windows" + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}-windows" image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty docker build --target $target -t $image_name -f Dockerfile.windows . From 7dc287d844e7360df5a68eac6aec69dacc18e866 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 11:58:02 +0300 Subject: [PATCH 07/17] Bump windows version. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index eaab1d0f599d..82038b2a0fc6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -143,7 +143,7 @@ jobs: build-windows: name: Build & push windows #if: github.repository == 'codefresh-io/argo-workflows' - runs-on: windows-2019 + runs-on: windows-2022 steps: - uses: actions/checkout@v2 From 95d827a52fb151cbbb83f18074de7f18195bbcd8 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 12:17:16 +0300 Subject: [PATCH 08/17] Revert windows runner bump. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 82038b2a0fc6..eaab1d0f599d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -143,7 +143,7 @@ jobs: build-windows: name: Build & push windows #if: github.repository == 'codefresh-io/argo-workflows' - runs-on: windows-2022 + runs-on: windows-2019 steps: - uses: actions/checkout@v2 From 64cf26de4ed3da89e011374f16b121ed6c364741 Mon Sep 17 00:00:00 2001 
From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 12:53:18 +0300 Subject: [PATCH 09/17] Sync windows container image build with upstream. --- .github/workflows/release.yaml | 4 ++-- Dockerfile.windows | 25 +++++++++++-------------- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index eaab1d0f599d..634a1deefcf8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -143,7 +143,7 @@ jobs: build-windows: name: Build & push windows #if: github.repository == 'codefresh-io/argo-workflows' - runs-on: windows-2019 + runs-on: windows-2022 steps: - uses: actions/checkout@v2 @@ -242,7 +242,7 @@ jobs: test-images-windows: name: Try pulling windows #if: github.repository == 'codefresh-io/argo-workflows' - runs-on: windows-2019 + runs-on: windows-2022 needs: [ push-images ] steps: diff --git a/Dockerfile.windows b/Dockerfile.windows index fcdc1aa06e55..2ef3382b3ebb 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -4,11 +4,14 @@ # Also used as the image in CI jobs so needs all dependencies #################################################################################################### -ARG IMAGE_OS_VERSION=1809 +ARG IMAGE_OS_VERSION=ltsc2022-amd64 +ARG GIT_COMMIT=unknown +ARG GIT_TAG=unknown +ARG GIT_TREE_STATE=unknown # had issues with official golange image for windows so I'm using plain servercore FROM mcr.microsoft.com/windows/servercore:${IMAGE_OS_VERSION} as builder -ENV GOLANG_VERSION=1.18 +ENV GOLANG_VERSION=1.20 SHELL ["powershell", "-Command"] # install chocolatey package manager 
@@ -28,14 +31,6 @@ RUN choco install golang --version=$env:GOLANG_VERSION ; \ FROM mcr.microsoft.com/windows/nanoserver:${IMAGE_OS_VERSION} as argoexec-base COPY --from=builder /windows/system32/netapi32.dll /windows/system32/netapi32.dll -# NOTE: kubectl version should be one minor version less than https://storage.googleapis.com/kubernetes-release/release/stable.txt -ENV KUBECTL_VERSION=1.22.3 -ENV JQ_VERSION=1.6 - -RUN mkdir C:\app && \ - curl -L -o C:\app\kubectl.exe "https://storage.googleapis.com/kubernetes-release/release/v%KUBECTL_VERSION%/bin/windows/amd64/kubectl.exe" && \ - curl -L -o C:\app\jq.exe "https://github.com/stedolan/jq/releases/download/jq-%JQ_VERSION%/jq-win64.exe" - COPY --from=builder C:/ProgramData/chocolatey/lib/7zip.portable/tools/7z-extra/x64/7za.exe C:/app/7za.exe # add binaries to path @@ -47,13 +42,15 @@ RUN SETX /m path C:\app;%path% #################################################################################################### FROM builder as argo-build +ARG GIT_COMMIT +ARG GIT_TAG +ARG GIT_TREE_STATE + # Perform the build WORKDIR C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows COPY . . -# check we can use Git -RUN git rev-parse HEAD # run in git bash for all the shell commands in Makefile to work -RUN bash -c 'make dist/argoexec' +RUN bash -c 'make dist/argoexec GIT_COMMIT=${GIT_COMMIT} GIT_TAG=${GIT_TAG} GIT_TREE_STATE=${GIT_TREE_STATE}' #################################################################################################### # argoexec @@ -61,4 +58,4 @@ RUN bash -c 'make dist/argoexec' FROM argoexec-base as argoexec COPY --from=argo-build C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows/dist/argoexec C:/app/argoexec.exe RUN argoexec version -ENTRYPOINT [ "argoexec" ] +ENTRYPOINT [ "argoexec" ] \ No newline at end of file From 4dc8ebfaef45253a41838c3ffae5eae52363cebc Mon Sep 17 00:00:00 2001 
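Review bot: The `make dist/argoexec GIT_COMMIT=${GIT_COMMIT} GIT_TAG=${GIT_TAG} GIT_TREE_STATE=${GIT_TREE_STATE}` line in the `@@ -47,13 +42,15 @@` hunk depends on build args that the release workflow's `docker build --target $target -t $image_name -f Dockerfile.windows .` never passes, so each one falls back to the `unknown` default. Variables given on the make command line normally override assignments in the Makefile, so the published Windows argoexec would presumably report an unknown commit and tag; the Makefile's version logic is not visible here, so confirm. That breaks the link between the released binary and its source revision. Either pass `--build-arg GIT_COMMIT=...`, `--build-arg GIT_TAG=...` and `--build-arg GIT_TREE_STATE=...` from the workflow, or make the release build fail while a value is still `unknown`.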
From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 13:10:14 +0300 Subject: [PATCH 10/17] Fix windows image push. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 634a1deefcf8..8cafda999104 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -167,7 +167,7 @@ jobs: image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty docker build --target $target -t $image_name -f Dockerfile.windows . - docker push image_name + docker push $image_name done push-images: From 838046830f2fe50c84b4b2a5c1487cbddb6abd59 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 17:41:39 +0300 Subject: [PATCH 11/17] Fix push multiarch. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8cafda999104..0b61098c5449 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -187,7 +187,7 @@ jobs: - name: Push Multiarch Image run: | - echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json + echo $(jq -c '. + { "experimental": "enabled" }' ${HOME}/.docker/config.json) > ${HOME}/.docker/config.json tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then From b7311196487f2ee424512a88fb1d5ba0444b09f3 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 21:48:29 +0300 Subject: [PATCH 12/17] Fix tag interpolation in final push. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0b61098c5449..cdac706b02a7 100644 --- a/.github/workflows/release.yaml 
+++ b/.github/workflows/release.yaml @@ -196,7 +196,7 @@ jobs: targets="workflow-controller argoexec argocli" for target in $targets; do - image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}" + image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}" image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty if [ $target = "argoexec" ]; then From 2bc3fad81b123e2b465a06be702e7803bab2ddc1 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Sun, 30 Jul 2023 22:21:26 +0300 Subject: [PATCH 13/17] Add cosign. --- .github/workflows/release.yaml | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cdac706b02a7..e3e35bc2d1f0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -175,6 +175,9 @@ jobs: #if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest needs: [ build-linux-amd64, build-linux-arm64, build-windows ] + permissions: + contents: read + id-token: write # Needed to create an OIDC token for keyless signing steps: - uses: actions/checkout@v2 @@ -185,6 +188,11 @@ jobs: username: ${{ env.OCI_REGISTRY_USERNAME }} password: ${{ env.OCI_REGISTRY_PASSWORD }} + - name: Install cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 + with: + cosign-release: 'v2.1.1' + - name: Push Multiarch Image run: | echo $(jq -c '. + { "experimental": "enabled" }' ${HOME}/.docker/config.json) > ${HOME}/.docker/config.json 
@@ -206,6 +214,16 @@ jobs: fi docker manifest push $image_name + + repo="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}" + repo="${repo#/}" # remove leading slash if OCI_REGISTRY is empty + digest=$(skopeo inspect docker://$image_name | jq -r '.Digest') + cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "sha=${{ github.sha }}" \ + -y \ + "${repo}@${digest}" done test-images-linux-amd64: @@ -273,6 +291,7 @@ jobs: publish-release: permissions: contents: write # for softprops/action-gh-release to create GitHub release + id-token: write # Needed to create an OIDC token for keyless signing runs-on: ubuntu-latest #if: github.repository == 'codefresh-io/argo-workflows' needs: [ push-images, test-images-linux-amd64, test-images-windows ] @@ -298,6 +317,10 @@ jobs: with: path: /home/runner/go/pkg/mod key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }} + - name: Install cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 + with: + cosign-release: 'v2.1.1' # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions - run: make release-notes VERSION=${GITHUB_REF##*/} - run: cat release-notes @@ -310,6 +333,9 @@ jobs: - name: Print version (please check it is not dirty) run: dist/argo-linux-amd64 version - run: make checksums + - name: Sign checksums and create public key for release assets + run: | + cosign sign-blob ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig # https://github.com/softprops/action-gh-release # This will publish the release and upload assets. # If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming @@ -322,7 +348,8 @@ jobs: body_path: release-notes files: | dist/argo-*.gz - dist/argo-*.gz.sha256 + dist/argo-workflows-cli-checksums.txt + dist/argo-workflows-cli-checksums.sig dist/manifests/*.yaml dist/sbom.tar.gz env: 
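Review bot: `digest=$(skopeo inspect docker://$image_name | jq -r '.Digest')` in the `@@ -206,6 +214,16 @@` hunk looks the digest up again by mutable tag after the push, so the signature covers whatever the tag resolves to at that moment, not necessarily the manifest this job pushed. `docker manifest push` prints the pushed digest, so capture it directly with `digest=$(docker manifest push "$image_name")` and stop when it is empty, `[ -n "$digest" ] || exit 1`; otherwise a failed `skopeo` in the pipeline leaves `cosign sign` with an empty or `null` digest. Only the manifest list is signed here; if consumers verify per-platform digests, consider `cosign sign --recursive`. The loop that contains these lines starts outside the hunk.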
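Review bot: `cosign sign-blob ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig` in the `@@ -310,6 +333,9 @@` hunk saves only the signature, although the step name promises a public key; with keyless signing a verifier also needs the signing certificate or a bundle. Write both outputs explicitly, e.g. `cosign sign-blob -y --output-signature ./dist/argo-workflows-cli-checksums.sig --output-certificate ./dist/argo-workflows-cli-checksums.pem ./dist/argo-workflows-cli-checksums.txt`, and add the `.pem` file to the `files:` list of the release step. Using `--output-signature` instead of a stdout redirect also keeps any other output out of the `.sig` file. The release notes should state the expected certificate identity and OIDC issuer so that users can pin them in `cosign verify-blob`.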
From ffd98f725cb02bb74a43f9a1ec9636ee5936eacf Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Mon, 31 Jul 2023 01:35:49 +0300 Subject: [PATCH 14/17] Fix signing. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e3e35bc2d1f0..6b3fa733a8d1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -223,7 +223,7 @@ jobs: -a "workflow=${{ github.workflow }}" \ -a "sha=${{ github.sha }}" \ -y \ - "${repo}@${digest}" + "${repo}/${target}@${digest}" done test-images-linux-amd64: From 4565dfc52e8dd6793bde668a763fa4e6df4be6f5 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Mon, 31 Jul 2023 09:53:59 +0300 Subject: [PATCH 15/17] Fix checksums. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1a269afbc773..0404211eb09c 100644 --- a/Makefile +++ b/Makefile @@ -677,4 +677,4 @@ release-notes: /dev/null .PHONY: checksums checksums: - for f in ./dist/argo-*.gz; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done + sha256sum ./dist/argo-*.gz | awk -F './dist/' '{print $$1 $$2}' > ./dist/argo-workflows-cli-checksums.txt From 38c8b6b58a24add006ce3f18cd9c6ac9b3c14368 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Mon, 31 Jul 2023 13:04:46 +0300 Subject: [PATCH 16/17] Fix cosign interactive prompt. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6b3fa733a8d1..ccae8e4b09e7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
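Review bot: The `awk -F './dist/'` in the new `checksums` recipe uses a regular expression as the field separator, in which `.` matches any character, only to strip the directory prefix from each line. Running the hash from inside the directory gives the same result without rewriting the output: `cd dist && sha256sum argo-*.gz > argo-workflows-cli-checksums.txt`. The file then stays in the exact format that `sha256sum -c` reads, which matters because this file is what gets signed and published.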
@@ -335,7 +335,7 @@ jobs: - run: make checksums - name: Sign checksums and create public key for release assets run: | - cosign sign-blob ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig + cosign sign-blob -y ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig # https://github.com/softprops/action-gh-release # This will publish the release and upload assets. # If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming From bb17f046a7f6521a4c8b04f67931e41fbf38f0b9 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Tue, 1 Aug 2023 01:15:33 +0300 Subject: [PATCH 17/17] Uncomment-out job conditions. --- .github/workflows/release.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ccae8e4b09e7..752d18149b8e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -29,7 +29,7 @@ env: jobs: build-linux-amd64: name: Build & push linux/amd64 - # if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest strategy: matrix: @@ -83,7 +83,7 @@ jobs: build-linux-arm64: name: Build & push linux/arm64 - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest strategy: matrix: @@ -142,7 +142,7 @@ jobs: build-windows: name: Build & push windows - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: windows-2022 steps: - uses: actions/checkout@v2 
@@ -172,7 +172,7 @@ jobs: push-images: name: Push manifest with all images - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest needs: [ build-linux-amd64, build-linux-arm64, build-windows ] permissions: @@ -228,7 +228,7 @@ jobs: test-images-linux-amd64: name: Try pulling linux/amd64 - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: ubuntu-latest needs: [ push-images ] strategy: @@ -259,7 +259,7 @@ jobs: test-images-windows: name: Try pulling windows - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' runs-on: windows-2022 needs: [ push-images ] steps: @@ -293,7 +293,7 @@ jobs: contents: write # for softprops/action-gh-release to create GitHub release id-token: write # Needed to create an OIDC token for keyless signing runs-on: ubuntu-latest - #if: github.repository == 'codefresh-io/argo-workflows' + if: github.repository == 'codefresh-io/argo-workflows' needs: [ push-images, test-images-linux-amd64, test-images-windows ] env: NODE_OPTIONS: --max-old-space-size=4096