Bump the security group with 8 updates (#4970) #2371
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- "v*.*.*" | |
branches: | |
- main | |
permissions: | |
contents: write | |
jobs: | |
generate-tag: | |
runs-on: ubuntu-20.04 | |
outputs: | |
tag: ${{ github.ref_type == 'branch' && steps.get_tag.outputs.GIT_TAG || github.ref_name }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Get tags | |
id: get_tag | |
uses: ./.github/actions/version-tag | |
- name: Push tag | |
if: github.ref_type == 'branch' | |
env: | |
GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} | |
run: | | |
git tag "$GIT_TAG" | |
git push origin "$GIT_TAG" | |
build-migrations-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: migrations/deploy | |
component: kotsadm-migrations | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-migrations: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-migrations-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: migrations/deploy | |
component: kotsadm-migrations | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kotsadm-migrations:${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-web: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '18.x' | |
- name: Build web | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C web deps build-kotsadm | |
- name: Upload web artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: web | |
path: ./web/dist | |
build-kurl-proxy-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: kurl_proxy/deploy | |
component: kurl-proxy | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-kurl-proxy: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-kurl-proxy-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: kurl_proxy/deploy | |
component: kurl-proxy | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kurl-proxy:${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kots: | |
runs-on: ubuntu-20.04 | |
needs: [build-web, generate-tag] | |
steps: | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-kots-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-kots- | |
- name: Download web artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Build KOTS | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
SCOPE_DSN_PUBLIC: "" | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make ci-test kots | |
- name: Upload Go API artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: kots | |
path: ./bin/kots | |
build-kotsadm-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: deploy | |
component: kotsadm | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-kotsadm: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-kotsadm-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: deploy | |
component: kotsadm | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kotsadm:${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kotsadm-bundle: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-migrations, build-kotsadm] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '^1.20.0' | |
- name: Run bundle registry | |
run: | | |
mkdir -p kotsadm-bundle/images | |
mkdir -p kotsadm-bundle-nominio/images | |
docker run -d -p 5000:5000 --restart=always --name registry -v "$(pwd)/kotsadm-bundle/images":/var/lib/registry registry:2 | |
docker run -d -p 5001:5000 --restart=always --name registry-nominio -v "$(pwd)/kotsadm-bundle-nominio/images":/var/lib/registry registry:2 | |
- name: Build kotsadm bundle | |
env: | |
BUNDLE_DIR: kotsadm-bundle | |
BUNDLE_REGISTRY: localhost:5000 | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make kotsadm-bundle | |
- name: Build kotsadm bundle without minio | |
env: | |
BUNDLE_DIR: kotsadm-bundle-nominio | |
BUNDLE_REGISTRY: localhost:5001 | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make kotsadm-bundle-nominio | |
- name: Upload kotsadm bundle | |
uses: actions/upload-artifact@v4 | |
with: | |
name: kotsadm-bundle | |
path: kotsadm-bundle | |
- name: Upload kotsadm bundle without minio | |
uses: actions/upload-artifact@v4 | |
with: | |
name: kotsadm-bundle-nominio | |
path: kotsadm-bundle-nominio | |
goreleaser: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [generate-tag, build-web] | |
steps: | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-goreleaser-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-goreleaser- | |
- name: Unshallow | |
run: git fetch --prune --unshallow | |
- run: sudo apt-get update -y | |
- run: sudo apt-get -qq -y install gnupg2 libdevmapper-dev libgpgme-dev libc6-dev-i386 btrfs-progs libbtrfs-dev pkg-config | |
- name: set previous release tag for goreleaser | |
run: | | |
TAG="$(curl --silent "https://api.github.com/repos/replicatedhq/kots/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')" | |
export TAG | |
echo "GORELEASER_PREVIOUS_TAG=${TAG}" >> "$GITHUB_ENV" | |
- uses: sigstore/cosign-installer@main | |
with: | |
cosign-release: 'v1.2.1' | |
- name: Get Cosign Key | |
run: | | |
echo "$COSIGN_KEY" | base64 -d > ./cosign.key | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
- name: Download web artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Generate SBOM | |
run: | | |
set -x | |
make sbom | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@v6 | |
with: | |
version: "v1.2.5" | |
args: release --rm-dist --config deploy/.goreleaser.yaml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_CURRENT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
publish-pact-contracts: | |
runs-on: ubuntu-20.04 | |
needs: [ generate-tag, goreleaser ] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '^1.20.0' | |
- uses: replicatedhq/action-install-pact@main | |
- name: Publish pact contracts | |
env: | |
PACT_BROKER_BASE_URL: ${{ vars.PACT_BROKER_BASE_URL }} | |
PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }} | |
PACT_PUBLISH_CONTRACT: true | |
PACT_VERSION: ${{ github.sha }} | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: | | |
set -x | |
make pact-consumer | |
generate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
needs: [ generate-tag, build-kurl-proxy, build-kots, build-kotsadm-bundle ] | |
outputs: | |
addon_package_url: ${{ steps.addon-generate.outputs.addon_package_url }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- name: download kots binary | |
uses: actions/download-artifact@v4 | |
with: | |
name: kots | |
path: bin/ | |
- name: prepare kots binary executable | |
run: | | |
chmod +x bin/* | |
tar -C bin/ -czvf bin/kots.tar.gz kots | |
- uses: ./.github/actions/kurl-addon-kots-generate | |
id: addon-generate | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
s3_prefix: "${{ github.ref_type != 'branch' && '' || 'test/' }}" | |
kotsadm_binary_override: bin/kots.tar.gz | |
# only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**" | |
kurl-addon-changes-filter: | |
runs-on: ubuntu-20.04 | |
outputs: | |
ok-to-test: ${{ steps.filter.outputs.kurl-addon }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dorny/paths-filter@v3 | |
id: filter | |
with: | |
filters: | | |
kurl-addon: | |
- 'deploy/kurl/kotsadm/template/**' | |
- 'deploy/kurl/kotsadm/testgrid-os-spec.yaml' | |
validate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' || needs.kurl-addon-changes-filter.outputs.ok-to-test == 'true' }} | |
needs: [ generate-tag, generate-kurl-addon, kurl-addon-changes-filter ] | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-test | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
addon_package_url: "${{ needs.generate-kurl-addon.outputs.addon_package_url }}" | |
priority: ${{ github.ref_type != 'branch' && '1' || '0' }} | |
testgrid_api_token: ${{ secrets.TESTGRID_PROD_API_TOKEN }} | |
publish-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' }} | |
needs: [ generate-tag, generate-kurl-addon ] | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-publisher | |
with: | |
ADDON_VERSION: ${{ steps.vars.outputs.addon_version }} | |
ADDON_PACKAGE_URL: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- run: aws s3 cp ./deploy/kurl/versions.json s3://kots-kurl-addons-production-1658439274 | |
generate-kots-release-notes-pr: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
if: github.ref_type != 'branch' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Generate KOTS Release Notes PR | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
GH_PAT: ${{ secrets.GH_PAT }} | |
run: | | |
curl -H "Authorization: token $GH_PAT" \ | |
-H 'Accept: application/json' \ | |
-d "{\"event_type\": \"app-manager-release-notes\", \"client_payload\": {\"version\": \"${GIT_TAG}\" }}" \ | |
"https://api.github.com/repos/replicatedhq/replicated-docs/dispatches" | |
build-airgap: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [goreleaser, generate-tag, build-kotsadm-bundle] | |
steps: | |
- name: Download kotsadm bundle | |
uses: actions/download-artifact@v4 | |
with: | |
name: kotsadm-bundle | |
path: kotsadm-bundle | |
- name: Download kotsadm bundle without minio | |
uses: actions/download-artifact@v4 | |
with: | |
name: kotsadm-bundle-nominio | |
path: kotsadm-bundle-nominio | |
- name: Make kotsadm airgap archive | |
working-directory: kotsadm-bundle | |
run: tar -czvf ../kotsadm.tar.gz -- * | |
- name: Make kotsadm airgap archive without minio | |
working-directory: kotsadm-bundle-nominio | |
run: tar -czvf ../kotsadm-nominio.tar.gz -- * | |
- name: Upload airgap archive | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm.tar.gz | |
- name: Upload airgap archive without minio | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm-nominio.tar.gz | |
regression-test-setup: | |
name: Run regression testing | |
if: github.ref_type == 'branch' | |
runs-on: ubuntu-latest | |
needs: [ generate-tag ] | |
outputs: | |
last_release_tag: ${{ steps.get_latest_release_tag.outputs.release }} | |
automation_id: ${{ steps.get_id.outputs.id }} | |
steps: | |
- name: Get latest release tag | |
id: get_latest_release_tag | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const { | |
data: { tag_name }, | |
} = await github.rest.repos.getLatestRelease({ | |
...context.repo, | |
}); | |
core.setOutput("release", tag_name); | |
- id: get_id | |
run: | | |
id=${{ github.sha }} | |
echo "id=${id:0:7}" >> "$GITHUB_OUTPUT" | |
regression-test: | |
if: github.ref_type == 'branch' | |
needs: [ regression-test-setup, generate-tag, build-kots, generate-kurl-addon, build-kotsadm-bundle ] | |
uses: ./.github/workflows/regression.yaml | |
with: | |
version_tag_old: ${{ needs.regression-test-setup.outputs.last_release_tag }} | |
version_tag_new: ${{ needs.generate-tag.outputs.tag }} | |
addon_package_url: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
id: ${{ needs.regression-test-setup.outputs.automation_id }} | |
secrets: | |
E2E_TESTIM_AWS_ACCESS_KEY_ID: ${{ secrets.E2E_TESTIM_AWS_ACCESS_KEY_ID }} | |
E2E_TESTIM_AWS_SECRET_ACCESS_KEY: ${{ secrets.E2E_TESTIM_AWS_SECRET_ACCESS_KEY }} | |
TESTIM_ACCESS_TOKEN: ${{ secrets.TESTIM_ACCESS_TOKEN }} | |
E2E_GH_PAT: ${{ secrets.E2E_GH_PAT }} | |
KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL: ${{ secrets.KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL }} |