Publish Flux install manifests at release time

Signed-off-by: Stefan Prodan <[email protected]>

.github/workflows/release.yaml

@@ -0,0 +1,65 @@
+name: release
+on:
+  push:
+    tags: [ 'v*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  manifests:
+    strategy:
+      matrix:
+        variant:
+          - distroless
+          - alpine
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup Flux
+        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 #v2.2.2
+        with:
+          version: ${{ github.ref_name }}
+      - name: Login to GHCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build manifests
+        run: |
+          mkdir -p bin/${{ matrix.variant }}
+          flux install \
+          --components-extra="image-reflector-controller,image-automation-controller" \
+          --registry=ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }} \
+          --image-pull-secret=flux-enterprise-auth \
+          --export > --export > bin/${{ matrix.variant }}/gotk-components.yaml
+      - name: Push manifests
+        id: push
+        run: |
+          set -euo pipefail
+          
+          img_digest=$(flux push artifact \
+          oci://ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }}/flux-manifests:${{ github.ref_name }} \
+          --path=bin/${{ matrix.variant }} \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
+          --annotations='org.opencontainers.image.description=ControlPLane Enterprise for Flux CD' \
+          --output=json | jq -r '.digest')
+          
+          echo "img_digest=$img_digest" >> $GITHUB_OUTPUT
+          
+          img_repository=ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }}/flux-manifests
+          echo "img_repository=$img_repository" >> $GITHUB_OUTPUT
+
+          img_url=${img_repository}:${{ github.ref_name }}
+          echo "img_url=$img_url" >> $GITHUB_OUTPUT
+      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      - name: Sign manifests
+        run: |
+          cosign sign --yes ${{ steps.push.outputs.img_repository }}@${{ steps.push.outputs.img_digest }}

.gitignore

@@ -1,21 +1,2 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
+bin/
+workspace/

README.md

@@ -3,15 +3,14 @@
 [![e2e-fips](https://github.com/controlplaneio-fluxcd/distribution/actions/workflows/e2e-fips.yaml/badge.svg)](https://github.com/controlplaneio-fluxcd/distribution/actions/workflows/e2e-fips.yaml)
 
 The [ControlPlane](https://control-plane.io) distribution for [Flux CD](https://fluxcd.io)
-comes with enterprise-hardened container images for the
-[GitOps Toolkit controllers](https://fluxcd.io/flux/components/) including:
+comes with enterprise-hardened Flux controllers including:
 
 - Hardened container images and SBOMs in-sync with upstream Flux releases.
 - Continuous scanning and CVE patching for Flux container base images.
 - SLAs for remediation of critical vulnerabilities affecting Flux functionality.
 - FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.
 - Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes.
-- Assured compatibility with Kubernetes LTS versions provided by cloud vendors such as Azure, AWS, Google and others.
+- Assured compatibility with Kubernetes LTS versions provided by cloud vendors.
 
 ## Distribution Channels