diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 1a51e2a485..7322aab050 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -3,18 +3,12 @@ name: Docker on: push: branches: - - master + # - master # commented due to Codefresh convention - release-* # Run tests for any PRs. pull_request: -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -permissions: {} - jobs: set-vars: permissions: 
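Review bot: The workflow-level `permissions: {}` is removed with nothing put in its place, so any job in this file that does not declare its own `permissions` block now receives the repository's default GITHUB_TOKEN grant instead of an empty one; the job that now logs in to Quay and pushes images is `set-vars`, whose `permissions:` block begins on the last context line of this hunk and continues outside it, so its contents cannot be confirmed from here. Restore the deny-by-default at the top of the workflow, `permissions: {}`, and keep the per-job grants explicit. Dropping the `concurrency` group additionally lets overlapping pushes to the same `release-*` branch run to completion in parallel and race on the `type=ref,event=branch` tag; if that is intended, a one-line comment where the block used to be would make it clear.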
@@ -26,68 +20,98 @@ jobs: platforms: ${{ steps.platform-matrix.outputs.platform-matrix }} steps: + - name: Checkout + uses: actions/checkout@v3.1.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + - name: Docker meta (controller) id: controller-meta uses: docker/metadata-action@v4 with: images: | - quay.io/argoproj/argo-rollouts + quay.io/codefresh/argo-rollouts + # ghcr.io/codefresh-io/argo-rollouts tags: | - type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}} - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} + type=ref,event=branch + # commented due to Codefresh convention + # flavor: | + # latest=${{ github.ref == 'refs/heads/master' }} - name: Docker meta (plugin) id: plugin-meta uses: docker/metadata-action@v4 with: images: | - quay.io/argoproj/kubectl-argo-rollouts + quay.io/codefresh/kubectl-argo-rollouts + # ghcr.io/codefresh-io/kubectl-argo-rollouts tags: | - type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}} - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} + type=ref,event=branch + # commented due to Codefresh convention + # flavor: | + # latest=${{ github.ref == 'refs/heads/master' }} + + # - name: Login to GitHub Container Registry + # if: github.event_name != 'pull_request' + # uses: docker/login-action@v1 + # with: + # registry: ghcr.io + # username: ${{ github.repository_owner }} + # password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay.io + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_ROBOT_TOKEN }} # avoid building linux/arm64 for PRs since it takes so long - name: Set 
Platform Matrix id: platform-matrix run: | PLATFORM_MATRIX=linux/amd64 - if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]] - then + if [ ${{ github.event_name != 'pull_request' }} = true ]; then PLATFORM_MATRIX=$PLATFORM_MATRIX,linux/arm64 fi echo "platform-matrix=$PLATFORM_MATRIX" >> $GITHUB_OUTPUT - build-and-push-controller-image: - needs: [set-vars] - permissions: - contents: read - packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags - id-token: write # for creating OIDC tokens for signing. - uses: ./.github/workflows/image-reuse.yaml - with: - quay_image_name: ${{ needs.set-vars.outputs.controller-meta-tags }} - # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: '1.20' - platforms: ${{ needs.set-vars.outputs.platforms }} - push: ${{ github.event_name != 'pull_request' }} - secrets: - quay_username: ${{ secrets.QUAY_USERNAME }} - quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Build and push (controller-image) + uses: docker/build-push-action@v3 + with: + platforms: ${{ steps.platform-matrix.outputs.platform-matrix }} + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.controller-meta.outputs.tags }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache - build-and-push-plugin-image: - needs: [set-vars] - permissions: - contents: read - packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags - id-token: write # for creating OIDC tokens for signing. 
- uses: ./.github/workflows/image-reuse.yaml - with: - quay_image_name: ${{ needs.set-vars.outputs.plugin-meta-tags }} - # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: '1.20' - platforms: ${{ needs.set-vars.outputs.platforms }} - push: ${{ github.event_name != 'pull_request' }} - target: kubectl-argo-rollouts - secrets: - quay_username: ${{ secrets.QUAY_USERNAME }} - quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Build and push (plugin-image) + uses: docker/build-push-action@v3 + with: + target: kubectl-argo-rollouts + platforms: ${{ steps.platform-matrix.outputs.platform-matrix }} + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.plugin-meta.outputs.tags }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new + + # Temp fix + # https://github.com/docker/build-push-action/issues/252 + # https://github.com/moby/buildkit/issues/1896 + - name: Move cache + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 403aaab60d..2d050379fd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
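Review bot: Every action introduced in this hunk is referenced by a mutable tag (`actions/checkout@v3.1.0`, `docker/setup-buildx-action@v1`, `actions/cache@v2`, `docker/login-action@v2`, `docker/build-push-action@v3`) even though these steps are the ones that hold `QUAY_ROBOT_TOKEN` and push images, while the `release.yaml` hunk in the same commit pins `docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0`; pin these to full commit SHAs with a version comment in the same way. `setup-buildx-action@v1` is also paired here with `build-push-action@v3`, whereas the release workflow uses `setup-buildx-action@v2`. The deleted `build-and-push-*` jobs carried `id-token: write` "for creating OIDC tokens for signing" via `image-reuse.yaml`; the replacement `build-push-action` steps perform no signing, so if signed images are still expected that is lost here (the reusable workflow itself is not in this diff). A smaller point: `if [ ${{ github.event_name != 'pull_request' }} = true ]` removes the `test-arm-image` label opt-in for arm64 builds on PRs without saying so; a short comment next to the existing "avoid building linux/arm64 for PRs" line noting that the label path is gone would help the next reader.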
@@ -1,114 +1,141 @@ name: Release + on: - push: - tags: - - 'v*' + workflow_dispatch: + inputs: + tag: + description: Git tag to build release from + required: true + update_stable_tag: + description: 'Update stable tag' + required: true + type: boolean + default: 'false' +permissions: + contents: read -permissions: {} +jobs: + release-images: + runs-on: ubuntu-latest -env: - GOLANG_VERSION: '1.20' # Note: go-version must also be set in job controller-image.with.go-version & plugin-image.with.go-version. + steps: + - name: Checkout + uses: actions/checkout@v3.1.0 + with: + ref: ${{ github.event.inputs.tag }} -jobs: - controller-image: - permissions: - contents: read - packages: write # Required and used to push images to `ghcr.io` if used. - id-token: write # For creating OIDC tokens for signing. - uses: ./.github/workflows/image-reuse.yaml - with: - quay_image_name: quay.io/argoproj/argo-rollouts:${{ github.ref_name }} - # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: '1.20' - platforms: linux/amd64,linux/arm64 - push: true - secrets: - quay_username: ${{ secrets.QUAY_USERNAME }} - quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Get SHA + id: get-sha + run: echo "::set-output name=sha::$(git log -1 --format='%H')" - plugin-image: - permissions: - contents: read - packages: write # Required and used to push images to `ghcr.io` if used. - id-token: write # For creating OIDC tokens for signing. 
- uses: ./.github/workflows/image-reuse.yaml - with: - quay_image_name: quay.io/argoproj/kubectl-argo-rollouts:${{ github.ref_name }} - # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: '1.20' - platforms: linux/amd64,linux/arm64 - push: true - target: kubectl-argo-rollouts - secrets: - quay_username: ${{ secrets.QUAY_USERNAME }} - quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + with: + config-inline: | + [worker.oci] + gc = false - controller-image-provenance: - needs: - - controller-image - permissions: - actions: read # for detecting the Github Actions environment. - id-token: write # for creating OIDC tokens for signing. - packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) - # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 - with: - image: quay.io/argoproj/argo-rollouts - digest: ${{ needs.controller-image.outputs.image-digest }} - secrets: - registry-username: ${{ secrets.QUAY_USERNAME }} - registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Print Disk Usage + run: | + df -ah + docker buildx du - plugin-image-provenance: - needs: - - plugin-image - permissions: - actions: read # for detecting the Github Actions environment. - id-token: write # for creating OIDC tokens for signing. - packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) - # Must be refernced by a tag. 
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 - with: - image: quay.io/argoproj/kubectl-argo-rollouts - digest: ${{ needs.plugin-image.outputs.image-digest }} - secrets: - registry-username: ${{ secrets.QUAY_USERNAME }} - registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Docker meta (controller) + id: controller-meta + uses: docker/metadata-action@v4 + with: + images: | + quay.io/codefresh/argo-rollouts + # ghcr.io/codefresh-io/argo-rollouts + tags: | + type=semver,pattern={{version}},prefix=v,value=${{ github.event.inputs.tag }} + flavor: | + latest=false + + - name: Docker meta (plugin) + id: plugin-meta + uses: docker/metadata-action@v4 + with: + images: | + quay.io/codefresh/kubectl-argo-rollouts + # ghcr.io/codefresh-io/kubectl-argo-rollouts + tags: | + type=semver,pattern={{version}},prefix=v,value=${{ github.event.inputs.tag }} + flavor: | + latest=false + + # - name: Login to GitHub Container Registry + # if: github.event_name != 'pull_request' + # uses: docker/login-action@v2 + # with: + # registry: ghcr.io + # username: ${{ github.repository_owner }} + # password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay.io + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_ROBOT_TOKEN }} + - name: Build and push (controller-image) + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + with: + context: . 
+ platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.controller-meta.outputs.tags }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + + - name: Build and push (plugin-image) + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + with: + context: . + target: kubectl-argo-rollouts + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.plugin-meta.outputs.tags }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new + + # Temp fix + # https://github.com/docker/build-push-action/issues/252 + # https://github.com/moby/buildkit/issues/1896 + - name: Move cache + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache release-artifacts: permissions: contents: write # for softprops/action-gh-release to create GitHub release runs-on: ubuntu-latest - outputs: - hashes: ${{ steps.hash.outputs.hashes }} + needs: release-images steps: - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@v3.1.0 with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + ref: ${{ github.event.inputs.tag }} - name: Setup Golang - uses: actions/setup-go@v4.1.0 # v4.0.1 + uses: actions/setup-go@v4 with: - go-version: ${{ env.GOLANG_VERSION }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + go-version: 1.19 - name: Generate release artifacts run: | make release-plugins - make checksums - make manifests IMAGE_TAG=${{ github.ref_name }} + make manifests IMAGE_TAG=${{ github.event.inputs.tag }} - name: Draft release - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + uses: softprops/action-gh-release@v1 with: tag_name: ${{ github.event.inputs.tag }} 
draft: true 
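Review bot: `${{ github.event.inputs.tag }}` is substituted as text into the shell script of the `Generate release artifacts` step (`make manifests IMAGE_TAG=${{ github.event.inputs.tag }}`), so a dispatch input containing shell metacharacters becomes part of the script rather than a value; pass it through the environment instead, `env:` with `RELEASE_TAG: ${{ github.event.inputs.tag }}` on the step and `make manifests IMAGE_TAG="$RELEASE_TAG"` in the script, and consider checking the input against a `v`-prefixed semver shape before it is used as `ref:` on both checkouts and as `value=` in the meta steps. The `Get SHA` step uses the deprecated `::set-output` command while `docker-publish.yml` in this same commit writes to `$GITHUB_OUTPUT`; use `echo "sha=$(git log -1 --format='%H')" >> "$GITHUB_OUTPUT"`. The hunk also replaces SHA-pinned actions (`actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`, `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844`) with mutable tags and removes the `*-image-provenance` jobs and `make checksums`, so the release images no longer receive SLSA provenance and the artifact checksums are no longer produced. `update_stable_tag` is declared `type: boolean` with a string `default: 'false'` and, since the `post-release` job is deleted in the next hunk, has no visible consumer. The `Draft release` step continues past the end of this hunk.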
@@ -116,156 +143,12 @@ jobs: dist/kubectl-argo-rollouts-linux-amd64 dist/kubectl-argo-rollouts-linux-arm64 dist/kubectl-argo-rollouts-darwin-amd64 - dist/kubectl-argo-rollouts-darwin-arm64 dist/kubectl-argo-rollouts-windows-amd64 - dist/argo-rollouts-checksums.txt manifests/dashboard-install.yaml manifests/install.yaml manifests/namespace-install.yaml manifests/notifications-install.yaml docs/features/kustomize/rollout_cr_schema.json - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate hashes for provenance - id: hash - run: | - echo "hashes=$(sha256sum ./dist/kubectl-argo-rollouts-* ./manifests/*.yaml | base64 -w0)" >> "$GITHUB_OUTPUT" - - - release-artifacts-provenance: - needs: - - release-artifacts - permissions: - actions: read # for detecting the Github Actions environment - id-token: write # Needed for provenance signing and ID - contents: write # Needed for release uploads - # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.8.0 - with: - base64-subjects: "${{ needs.release-artifacts.outputs.hashes }}" - provenance-name: "argo-rollouts.intoto.jsonl" - upload-assets: true - draft-release: true - - generate-sbom: - name: Create Sbom and sign assets - needs: - - release-artifacts - - release-artifacts-provenance - permissions: - contents: write # Needed for release uploads - id-token: write # Needed for signing Sbom - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Golang - uses: actions/setup-go@v4.1.0 # v4.0.0 - with: - go-version: ${{ env.GOLANG_VERSION }} - - - name: Install cosign - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - with: - 
cosign-release: 'v2.2.0' - - - name: Generate SBOM (spdx) - id: spdx-builder - env: - # defines the spdx/spdx-sbom-generator version to use. - SPDX_GEN_VERSION: v0.0.13 - # defines the sigs.k8s.io/bom version to use. - SIGS_BOM_VERSION: v0.2.1 - # comma delimited list of project relative folders to inspect for package - # managers (gomod, yarn, npm). - PROJECT_FOLDERS: ".,./ui" - # full qualified name of the container image to be inspected - CONTAINER_IMAGE: quay.io/argoproj/argo-rollouts:${{ github.event.inputs.tag }} - - run: | - yarn install --cwd ./ui - go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION - go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION - - # Generate SPDX for project dependencies analyzing package managers - for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g") - do - generator -p $folder -o /tmp - done - - # Generate SPDX for binaries analyzing the container image - if [[ ! -z CONTAINER_IMAGE ]]; then - bom generate -o /tmp/bom-docker-image.spdx -i $CONTAINER_IMAGE - fi - - cd /tmp && tar -zcf sbom.tar.gz *.spdx - - - name: Sign SBOM - run: | - cosign sign-blob \ - --output-certificate=/tmp/sbom.tar.gz.pem \ - --output-signature=/tmp/sbom.tar.gz.sig \ - --yes \ /tmp/sbom.tar.gz - - - name: Upload SBOM and signature assets - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref_name }} - draft: true - files: | - /tmp/sbom.tar.* - - post-release: - needs: - - release-artifacts - - generate-sbom - permissions: - contents: write # Needed to push commit to update stable tag - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Git author information - run: | - set -ue - git config --global user.email 'ci@argoproj.com' - git config --global 
user.name 'CI' - - - name: Check if tag is the latest version and not a pre-release - run: | - set -xue - # Fetch all tag information - git fetch --prune --tags --force - - LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1) - - PRE_RELEASE=false - # Check if latest tag is a pre-release - if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then - PRE_RELEASE=true - fi - - # Ensure latest tag matches github.ref_name & not a pre-release - if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then - echo "TAG_STABLE=true" >> $GITHUB_ENV - else - echo "TAG_STABLE=false" >> $GITHUB_ENV - fi - - - name: Update stable tag to latest version - run: | - git tag -f stable ${{ github.ref_name }} - git push -f origin stable - if: ${{ env.TAG_STABLE == 'true' }}