release #53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- 'v*' | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: 'image tag prefix' | |
default: 'rc' | |
required: true | |
permissions: | |
contents: read | |
env: | |
IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}" | |
jobs: | |
release-flagger: | |
outputs: | |
hashes: ${{ steps.slsa.outputs.hashes }} | |
runs-on: | |
group: "Default Larger Runners" | |
permissions: | |
contents: write # needed to write releases | |
id-token: write # needed for keyless signing | |
packages: write # needed for ghcr access | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: fluxcd/flux2/action@main | |
- uses: sigstore/cosign-installer@v3.2.0 | |
- name: Prepare | |
id: prep | |
run: | | |
if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then | |
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" | |
else | |
VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"') | |
fi | |
CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')" | |
echo "[CHANGELOG](${CHANGELOG})" > notes.md | |
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: fluxcdbot | |
password: ${{ secrets.GHCR_TOKEN }} | |
- name: Generate image meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
${{ env.IMAGE }} | |
tags: | | |
type=raw,value=${{ steps.prep.outputs.VERSION }} | |
- name: Publish image | |
id: build-push | |
uses: docker/build-push-action@v5 | |
with: | |
sbom: true | |
provenance: true | |
push: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./Dockerfile | |
platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
build-args: | | |
REVISON=${{ github.sha }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Sign image | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }} | |
- name: Publish signed manifests to GHCR | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
OCI_URL=$(flux push artifact \ | |
oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \ | |
--path="./kustomize" \ | |
--source="$(git config --get remote.origin.url)" \ | |
--revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \ | |
--output json | \ | |
jq -r '. | .repository + "@" + .digest') | |
cosign sign --yes ${OCI_URL} | |
- name: Publish Helm charts | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: stefanprodan/helm-gh-pages@v1.7.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
charts_url: https://flagger.app | |
linting: off | |
- uses: fluxcd/pkg/actions/helm@main | |
with: | |
version: 3.12.3 | |
- name: Publish signed Helm chart to GHCR | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
helm package charts/flagger | |
helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest | |
cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') | |
rm flagger-${{ steps.prep.outputs.VERSION }}.tgz | |
rm .digest | |
- uses: anchore/sbom-action/download-syft@v0 | |
- name: Create release and SBOM | |
id: run-goreleaser | |
uses: goreleaser/goreleaser-action@v5 | |
if: startsWith(github.ref, 'refs/tags/v') | |
with: | |
version: latest | |
args: release --release-notes=notes.md --rm-dist --skip-validate | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate SLSA metadata | |
id: slsa | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
run: | | |
set -euo pipefail | |
hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) | |
echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
release-provenance: | |
needs: [release-flagger] | |
if: startsWith(github.ref, 'refs/tags/v') | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
contents: write # for uploading attestations to GitHub releases. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
with: | |
provenance-name: "provenance.intoto.jsonl" | |
base64-subjects: "${{ needs.release-flagger.outputs.hashes }}" | |
upload-assets: true |