Skip to content

remove fallback to default sa #1

remove fallback to default sa

remove fallback to default sa #1

Workflow file for this run

name: Release
on:
push:
tags:
- v*
branches:
- main
- dev-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
build-linux:
name: Build & push linux
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
strategy:
matrix:
platform: [ linux/amd64, linux/arm64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: v0.10.4
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-
- name: Docker Login
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Docker Login
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
set -eux
tag=$(basename $GITHUB_REF)
if [ $tag = "main" ]; then
tag="latest"
fi
# copied verbatim from Makefile
GIT_COMMIT=$(git rev-parse HEAD || echo unknown)
GIT_TAG=$(git describe --exact-match --tags --abbrev=0 2> /dev/null || echo untagged)
GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"
docker buildx build \
--cache-from "type=local,src=/tmp/.buildx-cache" \
--cache-to "type=local,dest=/tmp/.buildx-cache" \
--output "type=image,push=true" \
--build-arg GIT_COMMIT=$GIT_COMMIT \
--build-arg GIT_TAG=$GIT_TAG \
--build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
--platform="${PLATFORM}" \
--target $TARGET \
--provenance=false \
--tag $image_name \
--tag quay.io/$image_name .
build-windows:
name: Build & push windows
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Build & Push Windows Docker Images
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "main" ]; then
tag="latest"
fi
targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}-windows"
docker build \
--build-arg GIT_COMMIT=$tag \
--build-arg GIT_BRANCH=$branch \
--build-arg GIT_TREE_STATE=$tree_state \
--target $target \
-t $image_name \
-f Dockerfile.windows \
.
docker push $image_name
docker tag $image_name quay.io/$image_name
docker push quay.io/$image_name
done
push-images:
name: Push manifest with all images
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
needs: [ build-linux, build-windows ]
steps:
- uses: actions/checkout@v4
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.13.0'
- name: Push Multiarch Image
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
run: |
echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "main" ]; then
tag="latest"
fi
targets="workflow-controller argoexec argocli"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
if [ $target = "argoexec" ]; then
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
else
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64
fi
docker manifest push $image_name
docker manifest push quay.io/$image_name
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name
done
test-images-linux-amd64:
name: Try pulling linux/amd64
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
needs: [ push-images ]
strategy:
matrix:
platform: [ linux/amd64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
tag=$(basename $GITHUB_REF)
if [ $tag = "main" ]; then
tag="latest"
fi
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}"
docker pull $image_name
docker pull quay.io/$image_name
test-images-windows:
name: Try pulling windows
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
needs: [ push-images ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Try pulling
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "main" ]; then
tag="latest"
fi
targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
docker pull $image_name
docker pull quay.io/$image_name
done
publish-release:
permissions:
contents: write # for softprops/action-gh-release to create GitHub release
runs-on: ubuntu-latest
if: github.repository == 'argoproj/argo-workflows'
needs: [ push-images, test-images-linux-amd64, test-images-windows ]
env:
NODE_OPTIONS: --max-old-space-size=4096
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20" # change in all GH Workflows
- uses: actions/setup-go@v5
with:
go-version: "1.21"
- name: Restore node packages cache
uses: actions/cache@v3
with:
path: ui/node_modules
key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
- name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.13.0'
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
- run: |
if [ ${GITHUB_REF##*/} = main ]; then
echo "VERSION=latest" >> $GITHUB_ENV
else
echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
fi
- run: go install sigs.k8s.io/bom/cmd/[email protected]
- run: go install github.com/spdx/spdx-sbom-generator/cmd/[email protected]
- run: mkdir -p dist
- run: generator -o dist -p .
- run: yarn --cwd ui install
- run: generator -o dist -p ui
- run: bom generate --image quay.io/argoproj/workflow-controller:$VERSION -o dist/workflow-controller.spdx
- run: bom generate --image quay.io/argoproj/argocli:$VERSION -o dist/argocli.spdx
- run: bom generate --image quay.io/argoproj/argoexec:$VERSION -o dist/argoexec.spdx
# pack the boms into one file to make it easy to download
- run: tar -zcf dist/sbom.tar.gz dist/*.spdx
- run: make release-notes VERSION=$VERSION
- run: cat release-notes
- run: make manifests VERSION=$VERSION
- name: Print image tag (please check it is not `:latest`)
run: |
grep image: dist/manifests/install.yaml
- run: go mod download
- run: make clis STATIC_FILES=true VERSION=$VERSION
- name: Print version (please check it is not dirty)
run: dist/argo-linux-amd64 version
- run: make checksums
- name: Sign checksums and create public key for release assets
run: |
cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig
# Retrieves the public key to release as an asset
cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub
# https://github.com/softprops/action-gh-release
# This will publish the release and upload assets.
# If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
# of this action.
# Instead, delete the release so it is re-created.
- uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/v')
with:
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
body_path: release-notes
files: |
dist/argo-*.gz
dist/argo-workflows-cli-checksums.txt
dist/argo-workflows-cli-checksums.sig
dist/manifests/*.yaml
dist/argo-workflows-cosign.pub
dist/sbom.tar.gz
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}