
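# Fleet release workflow
#
# Builds and publishes a Fleet release with GoReleaser, assembles and signs the
# multi-arch Prime images, attests their SLSA provenance and uploads the Helm
# charts to the GitHub release.
name: Fleet release
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      # Every pushed tag starting with "v" (e.g. v0.12.0-alpha.8).
      - v**
  # Manual runs are allowed as well; the release tag is then whatever the
  # job's environment says, not necessarily the dispatched ref.
  workflow_dispatch:
permissions:
  contents: write   # publish release assets (GoReleaser, gh release upload)
  packages: write
  # id-token is important: it is how we authenticate with Vault, and the same
  # OIDC token backs the keyless cosign sign/attest steps
  # (--oidc-provider=github-actions) further down.
  id-token: write
env:
  GOARCH: amd64
  CGO_ENABLED: 0
  SETUP_K3D_VERSION: 'v5.5.1'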
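jobs:
  build-fleet:
    runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
    env:
      # A "-hotfix-" tag is published to the staging registry instead of Docker Hub.
      IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
      REGISTRY: "${{ contains(github.ref, '-hotfix-') && 'stgregistry.suse.com' || 'docker.io' }}"
      # Single source of truth for the version being released. It feeds
      # GoReleaser, the Prime manifest name and the provenance lookup below, so
      # the three can no longer drift apart.
      RELEASE_TAG: v0.12.0-alpha.8
    if: github.repository == 'rancher/fleet'
    steps:
      - name: Check out Fleet
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history and tags, not a shallow clone
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: Read FOSSA credentials from Vault
        # NOTE(review): @main is a mutable ref; a tag or commit SHA would pin
        # what runs with id-token access.
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/fossa/credential token | FOSSA_API_KEY
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Install Cosign
        # NOTE(review): the action reference was mangled to "[email protected]" in
        # this rendering; restore it as sigstore/<ACTION>@<VERSION> (placeholders).
        uses: sigstore/[email protected]
      - name: Install slsactl
        # NOTE(review): same mangling as above; restore as
        # rancherlabs/slsactl/actions/<ACTION>@<VERSION> (placeholders).
        uses: rancherlabs/slsactl/actions/[email protected]
      - name: Read registry credentials from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY;
      - name: Prepare Docker environment to support sbom/provenance parameters
        shell: bash
        # Enables the containerd image store; note this overwrites
        # /etc/docker/daemon.json wholesale rather than merging into it.
        run: |
          sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json'
          sudo systemctl restart docker
      - name: Log into Docker Container registry
        uses: docker/login-action@v3
        if: ${{ env.IS_HOTFIX == 'false' }}
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Log into Staging registry
        uses: docker/login-action@v3
        if: ${{ env.IS_HOTFIX == 'true' }}
        with:
          username: ${{ env.STAGE_REGISTRY_USERNAME }}
          password: ${{ env.STAGE_REGISTRY_PASSWORD }}
          registry: ${{ env.REGISTRY }}
      - name: Log into Prime registry
        uses: docker/login-action@v3
        with:
          username: ${{ env.PRIME_REGISTRY_USERNAME }}
          password: ${{ env.PRIME_REGISTRY_PASSWORD }}
          registry: ${{ env.PRIME_REGISTRY }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        id: goreleaser
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean --verbose
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ env.RELEASE_TAG }}
          PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
      # Workaround until `docker manifest create` supports provenance meta data
      - name: Create Docker manifest for Prime and sign it
        shell: bash
        # PRIME_REGISTRY and RELEASE_TAG are plain environment variables here,
        # so no workflow expression is interpolated into the script.
        run: |
          for IMAGE in fleet fleet-agent; do
            URL="${PRIME_REGISTRY}/rancher/${IMAGE}:${RELEASE_TAG}"
            docker buildx imagetools create -t "${URL}" \
              "${URL}-linux-amd64" \
              "${URL}-linux-arm64"
            # Sign the immutable digest rather than the mutable tag, so the
            # signature is bound to exactly the manifest created above.
            DIGEST="$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "${URL}")"
            cosign sign --oidc-provider=github-actions --yes "${URL}@${DIGEST}"
          done
      - name: Attest provenance
        shell: bash
        run: |
          # Prime image names come from .goreleaser.yaml; the registry and tag
          # templates are replaced with the values used for this release.
          for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml \
              | grep PRIME_REGISTRY \
              | sed -e "s|{{ .Env.PRIME_REGISTRY }}|${PRIME_REGISTRY}|g" -e "s|{{ .Tag }}|${RELEASE_TAG}|g"); do
            # Image reference plus digest as recorded for the local image.
            # NOTE(review): only the first RepoDigest is used — confirm the local
            # image is not also tagged for another registry.
            URL="$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}")"
            max_retries=3
            retry_delay=5
            i=0
            # The download is retried; per the error message below it fails when
            # the image is not (yet) present in the Prime registry.
            while [ "${i}" -lt "${max_retries}" ]; do
              if slsactl download provenance --format=slsav1 "${URL}" > provenance-slsav1.json; then
                break
              fi
              if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
                echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
                exit 1
              fi
              i=$(( i + 1 ))
              sleep "${retry_delay}"
            done
            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
          done
      - name: Upload charts to release
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          repo: "rancher"
          # Handed over through the environment instead of being pasted into a
          # shell quote, so a quote character in the JSON cannot break the script.
          GORELEASER_METADATA: ${{ steps.goreleaser.outputs.metadata }}
        run: |
          version="$(jq -r '.version' <<< "${GORELEASER_METADATA}")"
          tag="$(jq -r '.tag' <<< "${GORELEASER_METADATA}")"
          echo "publishing helm chart for (repo: $repo, tag: $tag, version: $version)"
          # Replace rancher/fleet, rancher/fleet-agent and rancher/gitjob image names, but not eg. rancher/kubectl
          # NOTE(review): the second expression rewrites every "tag:" line in
          # charts/fleet/values.yaml, not only the fleet/gitjob ones — confirm intended.
          sed -i \
            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
            -e "s/tag:.*/tag: $tag/" \
            charts/fleet/values.yaml
          sed -i \
            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
            -e "s/tag: dev/tag: $tag/" \
            charts/fleet-agent/values.yaml
          for chart in fleet fleet-crd fleet-agent; do
            helm package --version="$version" --app-version="$version" -d ./dist "./charts/${chart}"
          done
          # gh release upload takes several assets at once; -exec ... + keeps
          # each path intact instead of word-splitting a find(1) listing.
          find dist/ -name '*.tgz' -exec gh release upload "$tag" {} +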