-
Notifications
You must be signed in to change notification settings - Fork 5
188 lines (163 loc) · 6.46 KB
/
publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
name: publish
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+\-beta'
- '[0-9]+.[0-9]+.[0-9]+\-beta\.[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+\-alpha'
- '[0-9]+.[0-9]+.[0-9]+\-alpha\.[0-9]+'
env:
PACT_VERSION: ${{ github.ref_name }}
PACT_BROKER_BASE_URL: ${{ vars.PACT_BROKER_BASE_URL }}
PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }}
GIT_TAG: ${{ github.ref_name }}
jobs:
get-tags:
runs-on: ubuntu-22.04
outputs:
previous-tag: ${{ steps.get-tags.outputs.previous-tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Get tags
id: get-tags
uses: actions/github-script@v7
with:
script: |
const {
data: [previous],
} = await github.rest.repos.listReleases({
...context.repo,
per_page: 1,
page: 1,
});
core.setOutput("previous-tag", previous.tag_name.replace(/^v/, ''));
generate-release-notes-pr:
runs-on: ubuntu-22.04
needs: [get-tags]
if: github.ref_type != 'branch'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Generate Release Notes PR
env:
GIT_PREV_TAG: ${{ needs.get-tags.outputs.previous-tag }}
GH_PAT: ${{ secrets.GH_PAT }}
run: |
curl -H "Authorization: token $GH_PAT" \
-H 'Accept: application/json' \
-d "{\"event_type\": \"replicated-sdk-release-notes\", \"client_payload\": {\"version\": \"${GIT_TAG}\", \"prev_version\": \"${GIT_PREV_TAG}\" }}" \
"https://api.github.com/repos/replicatedhq/replicated-docs/dispatches"
make-tests:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '^1.22'
- uses: replicatedhq/action-install-pact@v1
- run: make test
- run: make publish-pact
make-build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '^1.22'
- run: make build
- run: gh release create ${{ github.ref_name }} --generate-notes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
package-and-publish:
runs-on: 'ubuntu-22.04'
needs:
- get-tags
- make-tests
- make-build
outputs:
# digest of the image pushed to the registry. This is used for the provenance generation
digest: ${{ steps.trim-and-save-digest.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: replicatedhq/action-install-pact@v1
- name: Pact can-i-deploy
run: |
make can-i-deploy || echo "::warning:: can-i-deploy says no; provider(s) must successfully verify before release"
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- uses: ./.github/actions/build-push-action
id: build-push-action
with:
context: deploy
image-name: index.docker.io/replicated/replicated-sdk:${{ github.ref_name }}
git-tag: ${{ github.ref_name }}
registry-username: ${{ secrets.DOCKERHUB_USER }}
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: 'Trim and Save Digest'
# build-push-action outputs the full image name and digest, but we need to save just the sha256 part
id: trim-and-save-digest
uses: actions/github-script@v7
with:
script: |
const fullDigest = "${{ steps.build-push-action.outputs.digest }}";
const digest = fullDigest.split('@')[1];
core.setOutput("digest", digest);
- name: Run Package and Publish
env:
REPLICATED_TAG: ${{ github.ref_name }}
REPLICATED_REGISTRY: docker.io
REPLICATED_CHART_NAME: replicated
REPLICATED_CHART_VERSION: ${{ github.ref_name }}
REPLICATED_USER_STAGING: ${{secrets.REPLICATED_USER_STAGING}}
REPLICATED_PASS_STAGING: ${{secrets.REPLICATED_PASS_STAGING}}
REPLICATED_USER_PROD: ${{secrets.REPLICATED_USER_PROD}}
REPLICATED_PASS_PROD: ${{secrets.REPLICATED_PASS_PROD}}
run: |
# TEMPORARY: for backwards compatibility, create another directory to use for the "replicated-sdk" chart
cp -R chart chart-sdk
cd chart
envsubst < Chart.yaml.tmpl > Chart.yaml
envsubst < values.yaml.tmpl > values.yaml
rm -f *.tmpl
export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
echo pushing ${CHART_NAME} to staging
helm registry login registry.staging.replicated.com --username $REPLICATED_USER_STAGING --password $REPLICATED_PASS_STAGING
helm push $CHART_NAME oci://registry.staging.replicated.com/library
echo pushing ${CHART_NAME} to production
helm registry login registry.replicated.com --username $REPLICATED_USER_PROD --password $REPLICATED_PASS_PROD
helm push $CHART_NAME oci://registry.replicated.com/library
# TEMPORARY: for backwards compatibility, package and push chart with "replicated-sdk" name
cd ../chart-sdk
REPLICATED_CHART_NAME=replicated-sdk
envsubst < Chart.yaml.tmpl > Chart.yaml
envsubst < values.yaml.tmpl > values.yaml
rm -f *.tmpl
export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
echo pushing ${CHART_NAME} to staging
helm push $CHART_NAME oci://registry.staging.replicated.com/library
echo pushing ${CHART_NAME} to production
helm push $CHART_NAME oci://registry.replicated.com/library
- name: Pact record-release
run: make record-release
provenance:
# This job is responsible for generating the SLSA provenance for the image that was pushed to the registry.
needs:
- package-and-publish
- get-tags
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: success() && needs.package-and-publish.result == 'success'
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: index.docker.io/replicated/replicated-sdk:${{ github.ref_name }}
digest: ${{ needs.package-and-publish.outputs.digest }}
secrets:
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
registry-username: ${{ secrets.DOCKERHUB_USER }}