Skip to content

Ability to specify additional CA using a secret name/key (#215) #73

Ability to specify additional CA using a secret name/key (#215)

Ability to specify additional CA using a secret name/key (#215) #73

Workflow file for this run

name: publish
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+\-beta'
- '[0-9]+.[0-9]+.[0-9]+\-beta\.[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+\-alpha'
- '[0-9]+.[0-9]+.[0-9]+\-alpha\.[0-9]+'
env:
PACT_VERSION: ${{ github.ref_name }}
PACT_BROKER_BASE_URL: ${{ vars.PACT_BROKER_BASE_URL }}
PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }}
GIT_TAG: ${{ github.ref_name }}
jobs:
get-tags:
runs-on: ubuntu-22.04
outputs:
previous-tag: ${{ steps.get-tags.outputs.previous-tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Get tags
id: get-tags
uses: actions/github-script@v7
with:
script: |
const {
data: [previous],
} = await github.rest.repos.listReleases({
...context.repo,
per_page: 1,
page: 1,
});
core.setOutput("previous-tag", previous.tag_name.replace(/^v/, ''));
generate-release-notes-pr:
runs-on: ubuntu-22.04
needs: [get-tags]
if: github.ref_type != 'branch'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Generate Release Notes PR
env:
GIT_PREV_TAG: ${{ needs.get-tags.outputs.previous-tag }}
GH_PAT: ${{ secrets.GH_PAT }}
run: |
curl -H "Authorization: token $GH_PAT" \
-H 'Accept: application/json' \
-d "{\"event_type\": \"replicated-sdk-release-notes\", \"client_payload\": {\"version\": \"${GIT_TAG}\", \"prev_version\": \"${GIT_PREV_TAG}\" }}" \
"https://api.github.com/repos/replicatedhq/replicated-docs/dispatches"
make-tests:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '^1.22'
- uses: replicatedhq/action-install-pact@v1
- run: make test
- run: make publish-pact
make-build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '^1.22'
- run: make build
- run: gh release create ${{ github.ref_name }} --generate-notes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
package-and-publish:
runs-on: 'ubuntu-22.04'
needs:
- get-tags
- make-tests
- make-build
outputs:
# digest of the image pushed to the registry. This is used for the provenance generation
digest: ${{ steps.trim-and-save-digest.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: replicatedhq/action-install-pact@v1
- name: Pact can-i-deploy
run: |
make can-i-deploy || echo "::warning:: can-i-deploy says no; provider(s) must successfully verify before release"
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- uses: ./.github/actions/build-push-action
id: build-push-action
with:
context: deploy
image-name: index.docker.io/replicated/replicated-sdk:${{ github.ref_name }}
git-tag: ${{ github.ref_name }}
registry-username: ${{ secrets.DOCKERHUB_USER }}
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: 'Trim and Save Digest'
# build-push-action outputs the full image name and digest, but we need to save just the sha256 part
id: trim-and-save-digest
uses: actions/github-script@v7
with:
script: |
const fullDigest = "${{ steps.build-push-action.outputs.digest }}";
const digest = fullDigest.split('@')[1];
core.setOutput("digest", digest);
- name: Run Package and Publish
env:
REPLICATED_TAG: ${{ github.ref_name }}
REPLICATED_REGISTRY: docker.io
REPLICATED_CHART_NAME: replicated
REPLICATED_CHART_VERSION: ${{ github.ref_name }}
REPLICATED_USER_STAGING: ${{secrets.REPLICATED_USER_STAGING}}
REPLICATED_PASS_STAGING: ${{secrets.REPLICATED_PASS_STAGING}}
REPLICATED_USER_PROD: ${{secrets.REPLICATED_USER_PROD}}
REPLICATED_PASS_PROD: ${{secrets.REPLICATED_PASS_PROD}}
run: |
# TEMPORARY: for backwards compatibility, create another directory to use for the "replicated-sdk" chart
cp -R chart chart-sdk
cd chart
envsubst < Chart.yaml.tmpl > Chart.yaml
envsubst < values.yaml.tmpl > values.yaml
rm -f *.tmpl
export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
echo pushing ${CHART_NAME} to staging
helm registry login registry.staging.replicated.com --username $REPLICATED_USER_STAGING --password $REPLICATED_PASS_STAGING
helm push $CHART_NAME oci://registry.staging.replicated.com/library
echo pushing ${CHART_NAME} to production
helm registry login registry.replicated.com --username $REPLICATED_USER_PROD --password $REPLICATED_PASS_PROD
helm push $CHART_NAME oci://registry.replicated.com/library
# TEMPORARY: for backwards compatibility, package and push chart with "replicated-sdk" name
cd ../chart-sdk
REPLICATED_CHART_NAME=replicated-sdk
envsubst < Chart.yaml.tmpl > Chart.yaml
envsubst < values.yaml.tmpl > values.yaml
rm -f *.tmpl
export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
echo pushing ${CHART_NAME} to staging
helm push $CHART_NAME oci://registry.staging.replicated.com/library
echo pushing ${CHART_NAME} to production
helm push $CHART_NAME oci://registry.replicated.com/library
- name: Pact record-release
run: make record-release
provenance:
# This job is responsible for generating the SLSA provenance for the image that was pushed to the registry.
needs:
- package-and-publish
- get-tags
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: success() && needs.package-and-publish.result == 'success'
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: index.docker.io/replicated/replicated-sdk:${{ github.ref_name }}
digest: ${{ needs.package-and-publish.outputs.digest }}
secrets:
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
registry-username: ${{ secrets.DOCKERHUB_USER }}