fix getting publish key #1644
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- "v*.*.*" | |
branches: | |
- main | |
- integration-chainguard | |
jobs: | |
generate-tag: | |
runs-on: ubuntu-20.04 | |
outputs: | |
tag: ${{ github.ref_type == 'branch' && steps.get_tag.outputs.GIT_TAG || github.ref_name }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Get tags | |
id: get_tag | |
uses: ./.github/actions/version-tag | |
- name: Push tag | |
if: github.ref_type == 'branch' | |
env: | |
GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} | |
run: | | |
git tag "$GIT_TAG" | |
git push origin "$GIT_TAG" | |
image-deps-updater: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Run Update Script | |
env: | |
GITHUB_AUTH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }} | |
run: | | |
go run ./cmd/imagedeps | |
- name: Create Pull Request # creates a PR if there are differences | |
uses: peter-evans/create-pull-request@v5 | |
id: cpr | |
with: | |
token: ${{ secrets.NIGHTLY_GH_PAT }} | |
commit-message: update kots image dependency tags | |
title: 'Automated Kots Image Dependency Tag Update' | |
branch: automation/image-dependencies | |
delete-branch: true | |
labels: | | |
automated-pr | |
images | |
type::security | |
draft: false | |
base: "main" | |
body: "Automated changes by the [release](https://github.com/replicatedhq/kots/blob/main/.github/workflows/release.yaml) GitHub action" | |
- name: Check outputs | |
run: | | |
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" | |
build-schema-migrations: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: azure/docker-login@v1 | |
env: | |
DOCKER_CONFIG: ./migrations/.docker | |
with: | |
username: ${{ secrets.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: "Release schema migrations on tag" | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
DOCKER_CONFIG: ./.docker | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C migrations schema-release | |
- name: Upload airgap image | |
uses: actions/upload-artifact@v3 | |
with: | |
name: migrations-image | |
path: ./migrations/bin/docker-archive | |
build-web: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v3 | |
with: | |
node-version: '18.x' | |
- name: Build web | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C web deps build-kotsadm | |
- name: Upload web artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
build-kurl-proxy: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-kurlproxy-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-kurlproxy- | |
- name: Build kurl_proxy | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
SCOPE_DSN_PUBLIC: "" | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C kurl_proxy test build | |
- name: Upload kurl_proxy artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kurl_proxy | |
path: ./kurl_proxy/bin | |
- uses: azure/docker-login@v1 | |
with: | |
username: ${{ secrets.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Build tagged release | |
working-directory: ./kurl_proxy | |
run: | | |
docker build --pull -f deploy/Dockerfile -t "kotsadm/kurl-proxy:$GIT_TAG" . | |
docker push "kotsadm/kurl-proxy:$GIT_TAG" | |
build-kots: | |
runs-on: ubuntu-20.04 | |
needs: [build-web, generate-tag] | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-kots-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-kots- | |
- name: Download web artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Build KOTS | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
SCOPE_DSN_PUBLIC: "" | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make ci-test kots | |
- name: Upload Go API artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kots | |
path: ./bin/kots | |
build-kotsadm: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
permissions: | |
id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages. | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- uses: ./.github/actions/build-push-kotsadm-image | |
with: | |
chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }} | |
chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }} | |
chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }} | |
image-name: index.docker.io/kotsadm/kotsadm:${{ needs.generate-tag.outputs.tag }} | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- uses: azure/docker-login@v1 | |
env: | |
DOCKER_CONFIG: ./.docker | |
with: | |
username: ${{ secrets.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Build tagged release | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
DOCKER_CONFIG: ./.docker | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make build-release | |
- name: Upload airgap image | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kotsadm-image | |
path: ./bin/docker-archive | |
goreleaser: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [build-web] | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-goreleaser-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-goreleaser- | |
- name: Unshallow | |
run: git fetch --prune --unshallow | |
- run: sudo apt-get update -y | |
- run: sudo apt-get -qq -y install gnupg2 libdevmapper-dev libgpgme-dev libc6-dev-i386 btrfs-progs libbtrfs-dev pkg-config | |
- name: set previous release tag for goreleaser | |
run: | | |
TAG="$(curl --silent "https://api.github.com/repos/replicatedhq/kots/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')" | |
export TAG | |
echo "GORELEASER_PREVIOUS_TAG=${TAG}" >> "$GITHUB_ENV" | |
- uses: sigstore/cosign-installer@main | |
with: | |
cosign-release: 'v1.2.1' | |
- name: Get Cosign Key | |
run: | | |
echo "$COSIGN_KEY" | base64 -d > ./cosign.key | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
- name: Download web artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Generate SBOM | |
run: | | |
set -x | |
make sbom | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: "v1.2.5" | |
args: release --rm-dist --config deploy/.goreleaser.yaml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
generate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
needs: [ generate-tag, build-kurl-proxy, build-schema-migrations, build-kots, build-kotsadm ] | |
outputs: | |
addon_package_url: ${{ steps.addon-generate.outputs.addon_package_url }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- name: download kots binary | |
uses: actions/download-artifact@v3 | |
with: | |
name: kots | |
path: bin/ | |
- name: prepare kots binary executable | |
run: | | |
chmod +x bin/* | |
tar -C bin/ -czvf bin/kots.tar.gz kots | |
- uses: ./.github/actions/kurl-addon-kots-generate | |
id: addon-generate | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
s3_prefix: "${{ github.ref_type != 'branch' && '' || 'test/' }}" | |
kotsadm_binary_override: bin/kots.tar.gz | |
# only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**" | |
kurl-addon-changes-filter: | |
runs-on: ubuntu-20.04 | |
outputs: | |
ok-to-test: ${{ steps.filter.outputs.kurl-addon }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dorny/paths-filter@v2 | |
id: filter | |
with: | |
filters: | | |
kurl-addon: | |
- 'deploy/kurl/kotsadm/template/**' | |
- 'deploy/kurl/kotsadm/testgrid-os-spec.yaml' | |
validate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' || needs.kurl-addon-changes-filter.outputs.ok-to-test == 'true' }} | |
needs: [ generate-tag, generate-kurl-addon, kurl-addon-changes-filter ] | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-test | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
addon_package_url: "${{ needs.generate-kurl-addon.outputs.addon_package_url }}" | |
priority: ${{ github.ref_type != 'branch' && '1' || '0' }} | |
testgrid_api_token: ${{ secrets.TESTGRID_PROD_API_TOKEN }} | |
publish-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' }} | |
needs: [ generate-tag, generate-kurl-addon ] | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-publisher | |
with: | |
ADDON_VERSION: ${{ steps.vars.outputs.addon_version }} | |
ADDON_PACKAGE_URL: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- run: aws s3 cp ./deploy/kurl/versions.json s3://kots-kurl-addons-production-1658439274 | |
generate-kots-release-notes-pr: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
if: github.ref_type != 'branch' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Generate KOTS Release Notes PR | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
GH_PAT: ${{ secrets.GH_PAT }} | |
run: | | |
curl -H "Authorization: token $GH_PAT" \ | |
-H 'Accept: application/json' \ | |
-d "{\"event_type\": \"app-manager-release-notes\", \"client_payload\": {\"version\": \"${GIT_TAG}\" }}" \ | |
"https://api.github.com/repos/replicatedhq/replicated-docs/dispatches" | |
build-airgap: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [build-kotsadm, goreleaser, build-schema-migrations, generate-tag] | |
steps: | |
- name: Download migrations | |
uses: actions/download-artifact@v3 | |
with: | |
name: migrations-image | |
path: ./docker-archive | |
- name: Download kotsadm image | |
uses: actions/download-artifact@v3 | |
with: | |
name: kotsadm-image | |
path: ./docker-archive | |
- name: Make kotsadm airgap archive with minio image | |
run: | | |
tar czf ./kotsadm.tar.gz -C ./ ./docker-archive | |
- name: Upload airgap bundle with minio image | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm.tar.gz | |
- name: Make kotsadm airgap archive without minio image | |
run: | | |
rm -rf ./docker-archive/minio | |
rm -f ./kotsadm.tar.gz | |
tar czf ./kotsadm-nominio.tar.gz -C ./ ./docker-archive | |
- name: Upload airgap bundle without minio image | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm-nominio.tar.gz | |
regression-test-setup: | |
name: Run regression testing | |
if: github.ref_type == 'branch' | |
runs-on: ubuntu-latest | |
needs: [ generate-tag ] | |
outputs: | |
last_release_tag: ${{ steps.get_latest_release_tag.outputs.release }} | |
automation_id: ${{ steps.get_id.outputs.id }} | |
steps: | |
- name: Get latest release tag | |
id: get_latest_release_tag | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const { | |
data: { tag_name }, | |
} = await github.rest.repos.getLatestRelease({ | |
...context.repo, | |
}); | |
core.setOutput("release", tag_name); | |
- id: get_id | |
run: | | |
id=${{ github.sha }} | |
echo "id=${id:0:7}" >> "$GITHUB_OUTPUT" | |
regression-test: | |
if: github.ref_type == 'branch' | |
needs: [ regression-test-setup, generate-tag, build-kots, build-kotsadm, generate-kurl-addon ] | |
uses: ./.github/workflows/regression.yaml | |
with: | |
version_tag_old: ${{ needs.regression-test-setup.outputs.last_release_tag }} | |
version_tag_new: ${{ needs.generate-tag.outputs.tag }} | |
addon_package_url: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
id: ${{ needs.regression-test-setup.outputs.automation_id }} | |
secrets: | |
E2E_TESTIM_AWS_ACCESS_KEY_ID: ${{ secrets.E2E_TESTIM_AWS_ACCESS_KEY_ID }} | |
E2E_TESTIM_AWS_SECRET_ACCESS_KEY: ${{ secrets.E2E_TESTIM_AWS_SECRET_ACCESS_KEY }} | |
TESTIM_ACCESS_TOKEN: ${{ secrets.TESTIM_ACCESS_TOKEN }} | |
E2E_GH_PAT: ${{ secrets.E2E_GH_PAT }} | |
KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL: ${{ secrets.KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL }} |