WIP
thardeck committed Feb 3, 2025
1 parent e7d888f commit 1d759dd
Showing 2 changed files with 43 additions and 60 deletions.
73 changes: 26 additions & 47 deletions .github/workflows/release.yml
Expand Up @@ -44,37 +44,6 @@ jobs:
secrets: |
secret/data/github/repo/${{ github.repository }}/fossa/credential token | FOSSA_API_KEY
- name: Run FOSSA scan
uses: fossas/[email protected]
with:
api-key: ${{ env.FOSSA_API_KEY }}

- name: Run FOSSA tests
uses: fossas/[email protected]
with:
api-key: ${{ env.FOSSA_API_KEY }}
run-tests: false

- name: Check for code changes
continue-on-error: ${{ contains(github.ref, 'rc') }}
run: |
./.github/scripts/check-for-auto-generated-changes.sh
go mod verify
- name: Run unit tests
continue-on-error: ${{ contains(github.ref, 'rc') }}
run: go test -cover -tags=test $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)

- name: Install Ginkgo CLI
run: go install github.com/onsi/ginkgo/v2/ginkgo

- name: Run integration tests
continue-on-error: ${{ contains(github.ref, 'rc') }}
env:
SETUP_ENVTEST_VER: v0.0.0-20240115093953-9e6e3b144a69
ENVTEST_K8S_VERSION: 1.28
run: ./.github/scripts/run-integration-tests.sh

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Expand Down Expand Up @@ -133,36 +102,46 @@ jobs:
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
GORELEASER_CURRENT_TAG: v0.12.0-alpha.8
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}

# Workaround until `docker manifest create` supports provenance meta data
- name: Create Docker manifest for Prime and sign it
shell: bash
run: |
for IMAGE in fleet fleet-agent; do
URL="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}:v0.12.0-alpha.8"
docker buildx imagetools create -t "${URL}" \
"${URL}-linux-amd64" \
"${URL}-linux-arm64"
cosign sign --oidc-provider=github-actions --yes "${URL}"
done
- name: Attest provenance
shell: bash
env:
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
CURRENT_TAG: ${{ github.ref_name }}
run: |
for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${PRIME_REGISTRY}/g" | sed "s/{{ .Tag }}/${CURRENT_TAG}/g"); do
for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${{ env.PRIME_REGISTRY }}/g" | sed "s/{{ .Tag }}/v0.12.0-alpha.8/g"); do
# Extract Docker image reference plus digest from local image
IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
URL=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
max_retries=3
retry_delay=5
i=0
while [ "${i}" -lt "${max_retries}" ]; do
if slsactl download provenance --format=slsav1 "${IMAGE}" > provenance-slsav1.json; then
break
fi
if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
exit 1
fi
i=$(( i + 1 ))
sleep "${retry_delay}"
if slsactl download provenance --format=slsav1 "${URL}" > provenance-slsav1.json; then
break
fi
if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
exit 1
fi
i=$(( i + 1 ))
sleep "${retry_delay}"
done
cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMAGE}"
cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
done
- name: Upload charts to release
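Review bot: The new manifest step signs by tag, `cosign sign --oidc-provider=github-actions --yes "${URL}"`, so the signature is bound to whatever `${URL}` resolves to at sign time rather than to the manifest list just created by `imagetools create`; cosign itself warns about tag-based references. Resolve the digest first and sign that, e.g. `DIGEST=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "${URL}")` followed by `cosign sign --oidc-provider=github-actions --yes "${URL}@${DIGEST}"`, which also matches the digest-pinned reference the attest step already takes from `RepoDigests`. The literal `v0.12.0-alpha.8` now in `GORELEASER_CURRENT_TAG`, in the manifest `URL` and in the attest `sed` replaces the former `${{ github.ref_name }}` / `${CURRENT_TAG}` derivation — presumably WIP scaffolding, but it should return to the ref-derived tag before merge, and the `${{ env.PRIME_REGISTRY }}` now expanded inside the `run:` script text is better kept behind the `env:` mapping the commit removed, so no `${{ }}` expression is interpolated into shell source. The enclosing job starts outside the hunk.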
30 changes: 17 additions & 13 deletions .goreleaser.yaml
Expand Up @@ -310,17 +310,20 @@ docker_manifests:
- "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
- "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"

- name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}"
id: fleet-manifest-private
image_templates:
- "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
- "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"

- name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
id: fleet-agent-manifest-private
image_templates:
- "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
- "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
# docker manifest create has issues with provenance which results in the error:
# ... is a manifest list
# we need to use buildx in a separate step instead
# - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}"
# id: fleet-manifest-private
# image_templates:
# - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
# - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
#
# - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
# id: fleet-agent-manifest-private
# image_templates:
# - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
# - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"

docker_signs:
- # ID of the sign config, must be unique.
Expand Down Expand Up @@ -360,5 +363,6 @@ docker_signs:
- fleet-arm64-private
- fleet-agent-amd64-private
- fleet-agent-arm64-private
- fleet-manifest-private
- fleet-agent-manifest-private
# docker manifest create has issues with provenance that's why we can not create them here
# - fleet-manifest-private
# - fleet-agent-manifest-private
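Review bot: The explanatory comment above the commented-out `fleet-manifest-private` / `fleet-agent-manifest-private` entries says the manifests are built "in a separate step" but not where, and the matching `docker_signs` comment gives no pointer either, so a maintainer cannot tell from this file that the manifest list is now created and signed elsewhere. Name the replacement explicitly, e.g. `# manifests are created and signed in the "Create Docker manifest for Prime and sign it" step of .github/workflows/release.yml`, at both places. If the workaround is meant to stay, consider dropping the commented-out entries rather than keeping dead configuration that will drift from the live templates above.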
