diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..1645efb --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,137 @@ +# Creates a GitHub Release. +# Workflow is manually run. +# Preselect branch or tag before running this workflow. +name: release + +on: + workflow_dispatch: + inputs: + # Defaults to publishing draft releases. + # Review draft before formally releasing! + draft: + description: "Create a release draft" + required: false + default: true + type: boolean + prerelease: + description: "Mark this release as a prerelease" + required: false + default: "auto" + type: choice + # auto follows semver. Prerelease versions are hyphenated with a label. ex. 0.0.0-alpha, 1.0.0-rc1 + options: + - auto + - "true" + - "false" + make-latest: + description: "Latest release" + required: false + default: true + type: boolean + +permissions: + contents: write + id-token: write + packages: write + +jobs: + release: + runs-on: self-hosted + env: + DOCKER_CLI_EXPERIMENTAL: "enabled" + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Required by GoRelease + + - name: Golang Setup + uses: actions/setup-go@v5 + with: + go-version: stable + check-latest: true + + - name: go-check + run: go version + + # Supports Buildx + - name: Qemu Setup + uses: docker/setup-qemu-action@v3 + + - name: Buildx Setup + uses: docker/setup-buildx-action@v3 + + - name: Cosign Install + uses: sigstore/cosign-installer@v3 + + - name: GPG Import + id: gpg-import + uses: crazy-max/ghaction-import-gpg@v6 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSWORD }} + + - name: Cache Setup + uses: actions/cache@v4 + with: + path: | + ./dist/** + key: ${{ github.ref }} + + - name: "Docker Login: ghcr.io" + if: startsWith(github.ref, 'refs/tags/') + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: "Docker Login: docker.io" + if: startsWith(github.ref, 'refs/tags/') + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + + - name: "Docker Login: quay.io" + if: startsWith(github.ref, 'refs/tags/') + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + + # Needed for nPFM + - name: Create GPG Signing Key File + if: startsWith(github.ref, 'refs/tags/') + run: | + GPG_KEY_FILE=/tmp/signing-key.gpg + echo "${{ secrets.GPG_PRIVATE_KEY_BASE64 }}" | base64 -di > "${GPG_KEY_FILE}" + echo "GPG_KEY_FILE=${GPG_KEY_FILE}" >> "${GITHUB_ENV}" + env: + GPG_TTY: /dev/ttys000 # Set the GPG_TTY to avoid issues with pinentry + + - name: "GoReleaser: Release" + if: startsWith(github.ref, 'refs/tags/') + uses: goreleaser/goreleaser-action@v5 + with: + distribution: goreleaser + version: latest + args: release --clean --timeout=60m --verbose --debug + env: + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_FINGERPRINT: ${{ steps.gpg-import.outputs.fingerprint }} + GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GITHUB_RELEASE_PRERELEASE: ${{ inputs.prerelease }} + GITHUB_RELEASE_MAKE_LATEST: ${{ inputs.make-latest }} + NFPM_DEFAULT_PASSPHRASE: ${{ secrets.GPG_PASSWORD }} + + - name: Remove GPG Signing Key File + if: always() + run: | + if [ -n "${GPG_KEY_FILE}" ]; then + rm -rf "${GPG_KEY_FILE}" + fi diff --git a/Makefile b/Makefile index 8be520c..8ef19fa 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ IMAGE_NAME=openbao-csi-provider VERSION?=0.0.0-dev IMAGE_TAG=$(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION) # commented because it may not be in use -# IMAGE_TAG_LATEST=$(REGISTRY_NAME)/$(IMAGE_NAME):latest +IMAGE_TAG_LATEST=$(REGISTRY_NAME)/$(IMAGE_NAME):latest # https://reproducible-builds.org/docs/source-date-epoch/ DATE_FMT=+%Y-%m-%d-%H:%M SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)