Merge pull request #165 from fluxcd/flux-v1.3.0 #36

Workflow file for this run

.github/workflows/release.yaml at 65c12e2

	name: release

	on:
	push:
	tags:
	- 'v*'
	workflow_dispatch:
	inputs:
	tag:
	description: 'image tag prefix'
	default: 'rc'
	required: true

	permissions:
	contents: read

	env:
	CONTROLLER: ${{ github.event.repository.name }}

	jobs:
	release:
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	image_url: ${{ steps.hash.outputs.image_url }}
	image_digest: ${{ steps.hash.outputs.image_digest }}
	runs-on: ubuntu-latest
	permissions:
	contents: write # needed to write releases
	id-token: write # needed for keyless signing
	packages: write # needed for ghcr access
	steps:
	- name: Checkout
	uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	- name: Setup Kustomize
	uses: fluxcd/pkg/actions/kustomize@main
	- name: Prepare
	id: prep
	run: \|
	VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
	if [[ $GITHUB_REF == refs/tags/* ]]; then
	VERSION=${GITHUB_REF/refs\/tags\//}
	fi
	echo "version=${VERSION}" >> $GITHUB_OUTPUT
	- name: Setup Go
	uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version-file: 'go.mod'
	cache-dependency-path: \|
	**/go.sum
	**/go.mod
	- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
	- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
	- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
	- uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
	- name: Docker login ghcr.io
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	registry: ghcr.io
	username: fluxcdbot
	password: ${{ secrets.GHCR_TOKEN }}
	- name: Docker login docker.io
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	username: fluxcdbot
	password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	fluxcd/${{ env.CONTROLLER }}
	ghcr.io/fluxcd/${{ env.CONTROLLER }}
	tags: \|
	type=raw,value=${{ steps.prep.outputs.version }}
	- name: Docker push
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: build-push
	with:
	sbom: true
	provenance: true
	push: true
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./Dockerfile
	platforms: linux/amd64,linux/arm/v7,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Sign images
	env:
	COSIGN_EXPERIMENTAL: 1
	run: \|
	cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	- name: GoReleaser publish signed SBOM
	id: run-goreleaser
	if: startsWith(github.ref, 'refs/tags/v')
	uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
	with:
	version: latest
	args: release --clean --skip-validate
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Generate SLSA hashes
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	hashes=$(echo $ARTIFACTS \| jq --raw-output '.[] \| {name, "digest": (.extra.Digest // .extra.Checksum)} \| select(.digest) \| {digest} + {name} \| join(" ") \| sub("^sha256:";"")' \| base64 -w0)
	echo "hashes=$hashes" >> $GITHUB_OUTPUT

	image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	image_digest=${{ steps.build-push.outputs.digest }}
	echo "image_url=$image_url" >> $GITHUB_OUTPUT
	echo "image_digest=$image_digest" >> $GITHUB_OUTPUT

	release-provenance:
	needs: [release]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to the release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.release.outputs.hashes }}"
	upload-assets: true

	dockerhub-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}

	ghcr-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ghcr.io/${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.GHCR_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #165 from fluxcd/flux-v1.3.0 #36

Workflow file

Merge pull request #165 from fluxcd/flux-v1.3.0 #36

Jobs

Run details

Workflow file for this run