Release 2.6.1 (#2029) #1337
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GitHub workflow for creating release. | |
# Trigger release branch should be merge into main | |
# TODO add e2e/smoke test for autogen configuration | |
name: Create Release | |
on: | |
push: | |
tags: | |
- 'v*' | |
workflow_call: | |
inputs: | |
tag: | |
type: string | |
description: "Name of existing tag to release (format should be 'v*')" | |
required: true | |
workflow_dispatch: | |
inputs: | |
tag: | |
type: string | |
description: "Name of existing tag (or branch) to release (format should be 'v*')" | |
required: true | |
image_repo: | |
type: choice | |
description: "Target image repository for built images" | |
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
required: true | |
options: | |
- mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
- mongodb/mongodb-atlas-kubernetes-operator | |
release_helm: | |
type: choice | |
description: "Whether or not to trigger the Helm release as well. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
certify: | |
type: choice | |
description: "Whether or not to certify the OpenShift images. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
release_to_github: | |
type: choice | |
description: "Whether or not to create the GitHub release. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
jobs: | |
create-release: | |
environment: release | |
name: Create Release | |
runs-on: ubuntu-latest | |
env: | |
RELEASE_HELM: ${{ github.event.inputs.release_helm || 'true' }} | |
CERTIFY: ${{ github.event.inputs.certify || 'true' }} | |
RELEASE_TO_GITHUB: ${{ github.event.inputs.release_to_github || 'true' }} | |
TAG: ${{ inputs.tag || github.head_ref || github.ref_name }} | |
outputs: | |
version: ${{ steps.tag.outputs.version }} | |
steps: | |
- name: Free disk space | |
run: | | |
sudo swapoff -a | |
sudo rm -f /swapfile | |
sudo apt clean | |
docker rmi $(docker image ls -aq) &> /dev/null || true | |
df -h | |
- name: Compute release tag and options | |
id: tag | |
run: | | |
version=$(echo "${TAG}" |awk -F'^v' '{print $2}') | |
prerelease_tail=$(echo "${version}" | awk -F'-' '{print $2}') | |
if [[ "$prerelease_tail" == "" ]]; then | |
echo "Releasing version $version..." | |
repo="mongodb/mongodb-atlas-kubernetes-operator" | |
else | |
echo "Pre-releasing version $version..." | |
repo="mongodb/mongodb-atlas-kubernetes-operator-prerelease" | |
RELEASE_HELM=false | |
CERTIFY=false | |
RELEASE_TO_GITHUB=false | |
fi | |
echo "release_helm=${RELEASE_HELM}" >> "$GITHUB_OUTPUT" | |
echo "certify=${CERTIFY}" >> "$GITHUB_OUTPUT" | |
echo "release_to_github=${RELEASE_TO_GITHUB}" >> "$GITHUB_OUTPUT" | |
echo "repo=${repo}" >> "$GITHUB_OUTPUT" | |
echo "version=${version}" >> "$GITHUB_OUTPUT" | |
echo "certified_version=${version}-certified" >> "$GITHUB_OUTPUT" | |
cat "$GITHUB_OUTPUT" | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
ref: ${{ env.TAG }} | |
- name: Install devbox | |
uses: jetify-com/[email protected] | |
with: | |
enable-cache: 'true' | |
- name: Trigger helm post release workflow | |
if: ${{ steps.tag.outputs.release_helm == 'true' }} | |
run: | | |
devbox run -- 'make release-helm JWT_RSA_PEM_KEY_BASE64="${{ secrets.AKO_RELEASER_RSA_KEY_BASE64 }}" \ | |
JWT_APP_ID="${{ secrets.AKO_RELEASER_APP_ID }}" \ | |
VERSION="${{ steps.tag.outputs.version }}"' | |
- name: Choose Dockerfile | |
id: pick-dockerfile | |
run: | | |
if test -f "fast.Dockerfile"; then | |
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT | |
else | |
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT | |
fi | |
- name: Check signing supported | |
id: check-signing-support | |
run: | | |
if test -f "./scripts/sign-multiarch.sh"; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
else | |
echo "sign=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Build all platforms & check version | |
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' | |
run: | | |
devbox run -- 'make all-platforms VERSION=${{ steps.tag.outputs.version }} | |
# Not all versions of Makefiles support the version check | |
if make -n | grep -q check-version; then | |
echo "Checking version..." | |
make check-version VERSION=${{ steps.tag.outputs.version }} | |
else | |
echo "Skipped version check" | |
fi' | |
- name: Build and Push image | |
uses: ./.github/actions/build-push-image | |
with: | |
repository: ${{ steps.tag.outputs.repo }} | |
file: ${{ steps.pick-dockerfile.outputs.dockerfile }} | |
version: ${{ steps.tag.outputs.version }} | |
certified_version: ${{ steps.tag.outputs.certified_version }} | |
platforms: linux/amd64,linux/arm64 | |
docker_username: ${{ secrets.DOCKER_USERNAME }} | |
docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
push_to_quay: true | |
quay_username: mongodb+mongodb_atlas_kubernetes | |
quay_password: ${{ secrets.QUAY_PASSWORD }} | |
tags: | | |
${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified | |
- name: Certify Openshift images | |
if: ${{ steps.tag.outputs.certify == 'true' }} | |
uses: ./.github/actions/certify-openshift-images | |
with: | |
registry: quay.io | |
registry_password: ${{ secrets.QUAY_PASSWORD }} | |
repository: ${{ steps.tag.outputs.repo }} | |
version: ${{ steps.tag.outputs.certified_version }} | |
rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }} | |
rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }} | |
submit: true | |
- name: Login to artifactory.corp.mongodb.com | |
if: steps.check-signing-support.outputs.sign == 'true' | |
uses: docker/login-action@v3 | |
with: | |
registry: artifactory.corp.mongodb.com | |
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
- name: Sign images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
IMAGE_REPOSITORY: ${{ steps.tag.outputs.repo }} | |
run: | | |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures' | |
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures' | |
- name: Self-verify images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
IMAGE_REPOSITORY: ${{ steps.tag.outputs.repo }} | |
run: | | |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures' | |
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures' | |
- name: Create configuration package | |
run: | | |
devbox run -- 'set -x' | |
devbox run -- 'tar czvf atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz -C deploy all-in-one.yaml' | |
- name: Create Release | |
if: steps.tag.outputs.release_to_github == 'true' | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ env.TAG }} | |
release_name: ${{ env.TAG }} | |
body_path: docs/release-notes/release-notes-template.md | |
draft: true | |
prerelease: false | |
- name: Upload Release Asset | |
if: steps.tag.outputs.release_to_github == 'true' | |
id: upload-release-asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: ./atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_name: atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_content_type: application/tgz | |
sboms-pr: | |
needs: | |
- create-release | |
uses: ./.github/workflows/sboms-pr.yaml | |
secrets: inherit | |
with: | |
version: ${{ needs.create-release.outputs.version }} |