Skip to content

release

release #53

Workflow file for this run

name: release
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
tag:
description: 'image tag prefix'
default: 'rc'
required: true
permissions:
contents: read
env:
IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"
jobs:
release-flagger:
outputs:
hashes: ${{ steps.slsa.outputs.hashes }}
runs-on:
group: "Default Larger Runners"
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
steps:
- uses: actions/checkout@v4
- uses: fluxcd/flux2/action@main
- uses: sigstore/[email protected]
- name: Prepare
id: prep
run: |
if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
else
VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
fi
CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')"
echo "[CHANGELOG](${CHANGELOG})" > notes.md
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: fluxcdbot
password: ${{ secrets.GHCR_TOKEN }}
- name: Generate image meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.IMAGE }}
tags: |
type=raw,value=${{ steps.prep.outputs.VERSION }}
- name: Publish image
id: build-push
uses: docker/build-push-action@v5
with:
sbom: true
provenance: true
push: true
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64,linux/arm/v7
build-args: |
REVISON=${{ github.sha }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Sign image
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
- name: Publish signed manifests to GHCR
if: startsWith(github.ref, 'refs/tags/v')
env:
COSIGN_EXPERIMENTAL: 1
run: |
OCI_URL=$(flux push artifact \
oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
--path="./kustomize" \
--source="$(git config --get remote.origin.url)" \
--revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
--output json | \
jq -r '. | .repository + "@" + .digest')
cosign sign --yes ${OCI_URL}
- name: Publish Helm charts
if: startsWith(github.ref, 'refs/tags/v')
uses: stefanprodan/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
charts_url: https://flagger.app
linting: off
- uses: fluxcd/pkg/actions/helm@main
with:
version: 3.12.3
- name: Publish signed Helm chart to GHCR
if: startsWith(github.ref, 'refs/tags/v')
env:
COSIGN_EXPERIMENTAL: 1
run: |
helm package charts/flagger
helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest
cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
rm .digest
- uses: anchore/sbom-action/download-syft@v0
- name: Create release and SBOM
id: run-goreleaser
uses: goreleaser/goreleaser-action@v5
if: startsWith(github.ref, 'refs/tags/v')
with:
version: latest
args: release --release-notes=notes.md --rm-dist --skip-validate
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SLSA metadata
id: slsa
if: startsWith(github.ref, 'refs/tags/v')
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
echo "hashes=$hashes" >> $GITHUB_OUTPUT
release-provenance:
needs: [release-flagger]
if: startsWith(github.ref, 'refs/tags/v')
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
contents: write # for uploading attestations to GitHub releases.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
provenance-name: "provenance.intoto.jsonl"
base64-subjects: "${{ needs.release-flagger.outputs.hashes }}"
upload-assets: true