Daily build #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Github workflow that rebuilds already released images | |
name: Daily build | |
on: | |
schedule: | |
- cron: "0 1 * * 1-5" | |
workflow_dispatch: | |
inputs: | |
image_repo: | |
type: choice | |
description: "Target image repository for built images" | |
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
required: true | |
options: | |
- mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
- mongodb/mongodb-atlas-kubernetes-operator | |
releases: | |
type: string | |
description: "Custom list of releases to rebuild" | |
default: "" | |
required: false | |
jobs: | |
read-versions: | |
name: Read config file | |
runs-on: ubuntu-latest | |
outputs: | |
date: ${{ steps.set-date.outputs.date }} | |
releases: ${{ steps.releases.outputs.releases }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
- name: Set date | |
id: set-date | |
run: | | |
DATE=$(date +'%Y-%m-%d') | |
echo date=${DATE} >> $GITHUB_OUTPUT | |
- name: Releases | |
id: releases | |
run: | | |
if [ "${{ github.event.inputs.releases }}" == "" ]; then | |
echo "Computing supported releases..." | |
git fetch --tags | |
echo "releases=$(./scripts/supported-releases.sh)" | tee -a $GITHUB_OUTPUT | |
else | |
echo "Formatting ${{ github.event.inputs.releases }} as JSON array" | |
json_releases=$(echo "${{ github.event.inputs.releases }}" |tr "," "\n" |xargs -n1 |awk '{print "\""$1"\""}' |tr "\n" "," |sed 's/,$//' |awk '{print "["$1"]"}') | |
echo "releases=$json_releases" | tee -a $GITHUB_OUTPUT | |
fi | |
build-and-publish-image: | |
environment: release | |
runs-on: ubuntu-latest | |
needs: | |
- read-versions | |
env: | |
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo || 'mongodb/mongodb-atlas-kubernetes-operator' }} | |
QUAY_ROBOT_NAME: mongodb+mongodb_atlas_kubernetes | |
PLATFORMS: "linux/arm64,linux/amd64" | |
strategy: | |
matrix: | |
version: ${{ fromJSON(needs.read-versions.outputs.releases) }} | |
steps: | |
- name: Print daily tag | |
id: daily-tag | |
run: | | |
DAILY_TAG="${{ matrix.version }}-${{needs.read-versions.outputs.date}}" | |
echo "daily-tag=${DAILY_TAG}" >> $GITHUB_OUTPUT | |
- name: Rebuild ${{matrix.version}} | |
run: | | |
echo "Building ${{matrix.version}} version" | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
ref: "v${{ matrix.version }}" | |
submodules: true | |
fetch-depth: 0 | |
- name: Choose Dockerfile | |
id: pick-dockerfile | |
run: | | |
if test -f "fast.Dockerfile"; then | |
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT | |
else | |
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT | |
fi | |
- name: Check signing supported | |
id: check-signing-support | |
run: | | |
if test -f "./scripts/sign-multiarch.sh"; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
else | |
echo "sign=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Check for devbox | |
id: check-devbox | |
run: | | |
if test -f "devbox.json"; then | |
echo "devbox-build=true" >> $GITHUB_OUTPUT | |
else | |
echo "devbox-build=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Set up Go (Non Devbox) | |
uses: actions/setup-go@v5 | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
with: | |
go-version-file: "${{ github.workspace }}/go.mod" | |
cache: false | |
- name: Setup cache (Non Dexbox) | |
uses: actions/cache@v4 | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum', '**/go.mod') }} | |
- name: Download go build dependencies (Non Devbox) | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
shell: bash | |
run: | | |
go mod download | |
- name: Build all platforms & check version (Non Devbox) | |
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' && steps.check-devbox.outputs.devbox-build == 'false' | |
run: | | |
make all-platforms VERSION=${{ matrix.version }} | |
# not all versiions Makefiles support the version check | |
if make |grep -q check-version; then | |
echo "Checking version..." | |
make check-version VERSION=${{ matrix.version }} | |
else | |
echo "Skipped version check" | |
fi | |
- name: Install devbox | |
uses: jetify-com/[email protected] | |
with: | |
enable-cache: 'true' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
- name: Download Go build dependencies (Devbox) | |
run: devbox run -- 'go mod download' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
shell: bash | |
- name: Build all platforms & check version (Devbox) | |
run: | | |
devbox run -- ' | |
make all-platforms VERSION=${{ matrix.version }} | |
# Not all versions of Makefiles support the version check | |
if make -n | grep -q check-version; then | |
echo "Checking version..." | |
make check-version VERSION=${{ matrix.version }} | |
else | |
echo "Skipped version check" | |
fi' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
shell: bash | |
- name: "Set up Docker Buildx" | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: ${{ env.PLATFORMS }} | |
- name: Login to docker registry | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Login to quay.io registry | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ env.QUAY_ROBOT_NAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Build and push operator to the DockerHub (daily-tag & release-tag) | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ${{ steps.pick-dockerfile.outputs.dockerfile }} | |
build-args: VERSION=${{ matrix.version }} | |
platforms: ${{ env.PLATFORMS }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
push: true | |
sbom: true | |
tags: | | |
${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }} | |
${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }} | |
- name: Login to artifactory.corp.mongodb.com | |
if: steps.check-signing-support.outputs.sign == 'true' | |
uses: docker/login-action@v3 | |
with: | |
registry: artifactory.corp.mongodb.com | |
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
- name: Sign images (Non Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
- name: Self-verify images (Non Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
- name: Sign images (Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
devbox run -- ' | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
' | |
- name: Self-verify images (Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
devbox run -- ' | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
' |