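# Copyright 2026 Undermountain Coding Company
# SPDX-License-Identifier: Apache-2.0
name: Release
# Triggered by pushing a semver tag (v0.1.0, v0.1.1, v1.0.0, etc.).
# Builds multi-arch container image via parallel per-arch jobs, combines them
# into a single manifest with docker buildx imagetools, pushes to ghcr.io,
# and attaches changelog to a GitHub Release.
#
# NOTE(review): every third-party action below is referenced by a mutable
# major tag (@vN). For a workflow that signs and publishes release artifacts,
# prefer pinning each action to a full commit SHA (with the tag in a trailing
# comment) so the action code cannot change underneath the workflow.
on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+*'

# Workflow-level defaults. A job that declares its own `permissions:` block
# replaces this set entirely (no merge), so each job below lists exactly what
# it needs.
permissions:
  contents: write # Create GitHub Releases
  packages: write # Push to ghcr.io
  id-token: write # Sigstore signing

env:
  REGISTRY: ghcr.io
  # IMAGE_NAME must be all-lowercase for Docker registry compatibility.
  # github.repository = "UndermountainCC/hermes-operator" (mixed case),
  # so we hardcode the lowercase form here.
  IMAGE_NAME: undermountaincc/hermes-operator

jobs:
  # ── amd64 build ─────────────────────────────────────────────────────────────
  build-amd64:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Least privilege: this job only checks out source and pushes a per-arch
    # image. Keyless signing (the only consumer of id-token) happens in the
    # `release` job, so id-token is not granted here.
    permissions:
      contents: read
      packages: write
    outputs:
      # Not consumed by the `release` job today, which instead reads the
      # digest of the assembled manifest list.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build + push amd64 image
        id: build
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64
          push: true
          # Push to a per-arch tag; the multi-arch manifest is assembled later.
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-amd64
          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-amd64,mode=max

  # ── arm64 build ─────────────────────────────────────────────────────────────
  build-arm64:
    runs-on: ubuntu-latest
    # Longer budget than amd64: the build runs under QEMU emulation.
    timeout-minutes: 45
    # Same minimal grant as build-amd64; no signing happens in this job.
    permissions:
      contents: read
      packages: write
    outputs:
      # Not consumed by the `release` job today, which instead reads the
      # digest of the assembled manifest list.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v6
      - name: Set up QEMU (arm64 emulation)
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build + push arm64 image
        id: build
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/arm64
          push: true
          # Push to a per-arch tag; the multi-arch manifest is assembled later.
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-arm64
          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-arm64,mode=max

  # ── manifest assembly + signing + GitHub Release ────────────────────────────
  release:
    runs-on: ubuntu-latest
    needs: [build-amd64, build-arm64]
    timeout-minutes: 15
    # Stated explicitly rather than inherited so the grant is visible next to
    # the steps that use it.
    permissions:
      contents: write # softprops/action-gh-release creates the release
      packages: write # imagetools create pushes the manifest list
      id-token: write # cosign keyless signing via GitHub OIDC
    steps:
      - uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (semver tags + labels)
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Most-specific tag first; the manifest step relies on this order
          # when it picks the tag to resolve the digest from.
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      - name: Assemble multi-arch manifest
        id: manifest
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          SHA: ${{ github.sha }}
        run: |
          AMD64_REF="${REGISTRY}/${IMAGE_NAME}:${SHA}-amd64"
          ARM64_REF="${REGISTRY}/${IMAGE_NAME}:${SHA}-arm64"
          # Create or update each semver tag as a multi-arch manifest list.
          while IFS= read -r tag; do
            [ -z "$tag" ] && continue
            echo "Creating manifest for: $tag"
            docker buildx imagetools create \
              --tag "$tag" \
              "$AMD64_REF" \
              "$ARM64_REF"
          done <<< "$TAGS"
          # Capture the digest of the first (most-specific) tag for signing.
          # imagetools inspect prints "Digest: sha256:..." in its human output.
          FIRST_TAG=$(echo "$TAGS" | head -n1)
          DIGEST=$(docker buildx imagetools inspect "$FIRST_TAG" 2>&1 | awk '/^Digest:/{print $2}')
          # Fail here, with context, rather than hand an empty digest to the
          # signing step (which would otherwise try to sign "<ref>@").
          if [ -z "$DIGEST" ]; then
            echo "::error::could not resolve manifest digest for ${FIRST_TAG}"
            exit 1
          fi
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
          echo "first_tag=${FIRST_TAG}" >> "$GITHUB_OUTPUT"
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
      - name: Sign multi-arch manifest (keyless via OIDC)
        env:
          DIGEST: ${{ steps.manifest.outputs.digest }}
        run: |
          # Sign once, by digest. Every semver tag created above points at this
          # same manifest list, and cosign attaches the signature to the digest
          # (not the tag), so one signature covers all of them and verifying
          # any tag resolves to it.
          cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
      - name: Install kustomize
        # NOTE(review): this downloads and executes an installer from the
        # kubernetes-sigs/kustomize `master` branch with no version, tag or
        # checksum pin, so the published install.yaml depends on whatever that
        # branch serves at run time. Pin the script URL to a release tag or
        # commit and pass an explicit kustomize version to it.
        run: |
          curl -fsSL https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh -o install_kustomize.sh
          bash install_kustomize.sh
          sudo mv kustomize /usr/local/bin/
      - name: Generate kustomize release bundle
        run: |
          mkdir -p dist
          # kustomize build takes the overlay directory directly; no need to
          # cd into it and back out.
          kustomize build config/default > dist/install.yaml
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          files: |
            dist/install.yaml
          # A missing bundle is a failed release, not a release without assets.
          fail_on_unmatched_files: true

  # ── Helm chart publish ───────────────────────────────────────────────────────
  publish-chart:
    runs-on: ubuntu-latest
    needs: release
    timeout-minutes: 10
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v6
      - name: Install Helm
        uses: azure/setup-helm@v5
        with:
          version: 'v3.16.0'
      - name: Log in to GHCR
        # Pass the token and actor through env instead of interpolating
        # `${{ }}` into the script body: expression expansion happens before
        # the shell runs, so interpolated values are never shell-quoted. This
        # matches how every other `run:` step in this file receives inputs.
        env:
          HELM_REGISTRY_USER: ${{ github.actor }}
          HELM_REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$HELM_REGISTRY_TOKEN" | helm registry login "$REGISTRY" \
            --username "$HELM_REGISTRY_USER" --password-stdin
      - name: Sync Chart.yaml appVersion to release tag
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Strip the leading "v" from the tag (v1.2.3 -> 1.2.3) for both the
          # chart version and the app version it ships.
          VERSION="${REF_NAME#v}"
          sed -i "s|^appVersion:.*|appVersion: \"${VERSION}\"|" charts/hermes-operator/Chart.yaml
          sed -i "s|^version:.*|version: ${VERSION}|" charts/hermes-operator/Chart.yaml
      - name: Render manifests + package chart
        run: |
          make manifests helm-render
          helm package charts/hermes-operator -d dist/
      - name: Push chart to GHCR OCI registry
        run: |
          # Same registry as the container image; only the repository differs.
          helm push dist/hermes-operator-*.tgz "oci://${REGISTRY}/undermountaincc/charts"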