Refactor the Pipeline (#228)

Refactor main, pr and release workflow, the Pipeline, Dagger. --------- Signed-off-by: Vadim Bauer <vb@container-registry.com>
goharbor · Oct 29, 2024 · 15a43d2 · 15a43d2
1 parent 66dd629
commit 15a43d2
Show file tree

Hide file tree

Showing 6 changed files with 248 additions and 194 deletions.
diff --git a/.github/actions/publish-and-sign/action.yaml b/.github/actions/publish-and-sign/action.yaml
@@ -0,0 +1,54 @@
+name: Publish and Sign Snapshot Image
+description: Publishes and signs a snapshot image using Dagger.
+
+inputs:
+  IMAGE_TAGS:
+    description: 'Tags for the image, e.g. "latest, v1.0.0"'
+    required: true
+  GITHUB_TOKEN:
+    description: 'GitHub token'
+    required: true
+  REGISTRY_PASSWORD:
+    description: 'Registry password'
+    required: true
+  REGISTRY_ADDRESS:
+    description: 'Registry address'
+    required: true
+  REGISTRY_USERNAME:
+    description: 'Registry username'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Dagger Version
+      uses: sagikazarmark/dagger-version-action@v0.0.1
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.7.0
+
+    - name: Check Env Variables
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+      run: cosign env
+
+    - name: Publish and Sign Snapshot Image
+      uses: dagger/dagger-for-github@v6
+      env:
+        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+        REGISTRY_ADDRESS: ${{ inputs.REGISTRY_ADDRESS }}
+        REGISTRY_USERNAME: ${{ inputs.REGISTRY_USERNAME }}
+        REGISTRY_PASSWORD: ${{ inputs.REGISTRY_PASSWORD }}
+        IMAGE_TAGS: ${{ inputs.IMAGE_TAGS }}
+      with:
+        version: ${{ steps.dagger_version.outputs.version }}
+        verb: call
+        args: "publish-image-and-sign \
+          --registry='${{ env.REGISTRY_ADDRESS }}' \
+          --registry-username='${{ env.REGISTRY_USERNAME }}' \
+          --registry-password=env:REGISTRY_PASSWORD \
+          --image-tags='${{ env.IMAGE_TAGS}}' \
+          --github-token=env:GITHUB_TOKEN \
+          --actions-id-token-request-url=$ACTIONS_ID_TOKEN_REQUEST_URL \
+          --actions-id-token-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,4 +3,4 @@ updates:
   - package-ecosystem: gomod
     directory: "/"
     schedule:
-      interval: daily
+      interval: weekly
diff --git a/.github/workflows/default.yaml b/.github/workflows/default.yaml
@@ -3,6 +3,8 @@ name: Main and Pull Request Pipeline
 on:
   push:
     branches: [main]
+    tags:
+      - "v*.*.*"
   pull_request:
     paths-ignore:
       - '*.md'
@@ -31,7 +33,7 @@ jobs:
       - name: Run Reviewdog
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |          
+        run: |
           reviewdog -f=sarif -name="Golang Linter Report" -reporter=github-check -filter-mode nofilter -fail-level any -tee < golangci-lint-report.sarif
 
   test-code:
@@ -56,28 +58,63 @@ jobs:
           verb: call
           args: build-dev --platform linux/amd64
 
-  push-snapshop-release:
-    permissions:
-      contents: write
-      packages: write
-
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
+  push-latest-images:
+    if: github.event.pull_request == null && !startsWith(github.ref, 'refs/tags/v')
     needs:
       - lint
       - test-code
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Dagger Version
-        uses: sagikazarmark/dagger-version-action@v0.0.1
+      - name: Publish and Sign Snapshot Image
+        uses: ./.github/actions/publish-and-sign
+        with:
+          IMAGE_TAGS: latest
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
+          REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
+
 
-      - name: Push Release
+  publish-release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - lint
+      - test-code
+      - push-latest-images
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Create Release
         uses: dagger/dagger-for-github@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          version: ${{ steps.dagger_version.outputs.version }}
+          version: "latest"
           verb: call
-          args: snapshot-release --github-token=${{ env.GITHUB_TOKEN }}
+          args: "release --github-token=env:GITHUB_TOKEN"
+
+      - name: Publish and Sign Tagged Image
+        if: success()
+        uses: ./.github/actions/publish-and-sign
+        with:
+          IMAGE_TAGS: "latest, ${{ github.ref_name }}"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
+          REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
+
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,13 +1,12 @@
 version: 2
-project_name: harbor-cli
+project_name: harbor
 
 before:
   hooks:
     - go mod tidy
 
 builds:
 - main: ./cmd/harbor/main.go
-
   env:
     - CGO_ENABLED=0
   ldflags:
@@ -25,17 +24,18 @@ builds:
     - goos: windows
       goarch: arm64
   mod_timestamp: "{{ .CommitTimestamp }}"
+
 archives:
   - format: tar.gz
     format_overrides:
       - goos: windows
         format: zip
 nfpms:
-  - package_name: harbor
+  -
     homepage: https://github.com/goharbor/harbor-cli/
-    maintainer: Vadim Bauer
+    maintainer: Harbor Community
     description: |-
-      [Sandbox] Official Harbor CLI
+      CLI for Harbor Container Registry
     formats:
       - rpm
       - deb
@@ -49,30 +49,28 @@ checksum:
   name_template: 'checksums.txt'
 
 snapshot:
-  name_template: "HarborCLI Snapshot {{.Commit}}"
-  publish: true
+  version_template: "{{ incpatch .Version }}-next"
 
 release:
   name_template: "HarborCLI {{.Tag}}"
-  draft: false               # Set to false to ensure that releases are published, not kept as drafts
+  draft: true                 # Set to false to ensure that releases are published, not kept as drafts
   prerelease: auto            # Auto-detect prereleases based on tag
+  replace_existing_draft: true
+  replace_existing_artifacts: true
   disable: false              # Ensure release publishing is enabled
   github:
     owner: goharbor           # Your GitHub repository owner
     name: harbor-cli          # Your GitHub repository name
 
 changelog:
   use: github
-  format: "{{.SHA}}: {{.Message}} (@{{.AuthorUsername}})"
-  sort: asc
   filters:
     exclude:
       - "^docs:"
       - "^test:"
       - "merge conflict"
-
   groups:
-    - title: Dependency updates
+    - title: "Dependency updates"
       regexp: '^.*?(.+)\(deps\)!?:.+$'
       order: 300
     - title: "New Features"
@@ -90,5 +88,5 @@ changelog:
     - title: "Build process updates"
       regexp: ^.*?(build|ci)(\(.+\))??!?:.+$
       order: 400
-    - title: Other work
+    - title: "Other work"
       order: 9999