release #45
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- 'v*' | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: 'image tag prefix' | |
default: 'rc' | |
required: true | |
permissions: | |
contents: read | |
env: | |
IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}" | |
jobs: | |
release-flagger: | |
outputs: | |
hashes: ${{ steps.slsa.outputs.hashes }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # needed to write releases | |
id-token: write # needed for keyless signing | |
packages: write # needed for ghcr access | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: fluxcd/flux2/action@main | |
- uses: sigstore/[email protected] | |
- name: Prepare | |
id: prep | |
run: | | |
if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then | |
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" | |
else | |
VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"') | |
fi | |
CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')" | |
echo "[CHANGELOG](${CHANGELOG})" > notes.md | |
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Setup Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: fluxcdbot | |
password: ${{ secrets.GHCR_TOKEN }} | |
- name: Generate image meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: | | |
${{ env.IMAGE }} | |
tags: | | |
type=raw,value=${{ steps.prep.outputs.VERSION }} | |
- name: Publish image | |
id: build-push | |
uses: docker/build-push-action@v4 | |
with: | |
sbom: true | |
provenance: true | |
push: true | |
builder: ${{ steps.buildx.outputs.name }} | |
context: . | |
file: ./Dockerfile | |
platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
build-args: | | |
REVISON=${{ github.sha }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Sign image | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }} | |
- name: Publish Helm charts | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: stefanprodan/[email protected] | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
charts_url: https://flagger.app | |
linting: off | |
- uses: fluxcd/pkg/actions/helm@main | |
with: | |
version: 3.10.1 | |
- name: Publish signed Helm chart to GHCR | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
helm package charts/flagger | |
echo "DIGEST=$(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}' | tr -d '\n' | xargs)" >> $GITHUB_ENV | |
cosign sign --yes ghcr.io/fluxcd/charts/flagger@$DIGEST | |
rm flagger-${{ steps.prep.outputs.VERSION }}.tgz | |
- name: Publish signed manifests to GHCR | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
run: | | |
echo "DIGEST_URL=$(flux push artifact \ | |
oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \ | |
--path="./kustomize" \ | |
--source="$(git config --get remote.origin.url)" \ | |
--revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" | |
--output json | \ | |
jq -r '. | .repository + "@" + .digest')" >> $GITHUB_ENV | |
cosign sign --yes $DIGEST_URL | |
- uses: anchore/sbom-action/download-syft@v0 | |
- name: Create release and SBOM | |
id: run-goreleaser | |
uses: goreleaser/goreleaser-action@v4 | |
if: startsWith(github.ref, 'refs/tags/v') | |
with: | |
version: latest | |
args: release --release-notes=notes.md --rm-dist --skip-validate | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate SLSA metadata | |
id: slsa | |
if: startsWith(github.ref, 'refs/tags/v') | |
env: | |
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
run: | | |
set -euo pipefail | |
hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) | |
echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
release-provenance: | |
needs: [release-flagger] | |
if: startsWith(github.ref, 'refs/tags/v') | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
contents: write # for uploading attestations to GitHub releases. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
provenance-name: "provenance.intoto.jsonl" | |
base64-subjects: "${{ needs.release-flagger.outputs.hashes }}" | |
upload-assets: true |