mirror of
https://github.com/fluxcd/flagger.git
synced 2026-02-19 04:19:55 +00:00
9ed5fcdaa3
Bumps the ci group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4 to 5 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) Updates `actions/setup-go` from 5 to 6 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) Updates `sigstore/cosign-installer` from 3.8.1 to 3.10.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.8.1...v3.10.0) Updates `github/codeql-action` from 3 to 4 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-version: 3.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com>
154 lines
5.4 KiB
YAML
154 lines
5.4 KiB
YAML
name: release
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: 'image tag prefix'
|
|
default: 'rc'
|
|
required: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"
|
|
|
|
jobs:
|
|
release-flagger:
|
|
outputs:
|
|
hashes: ${{ steps.slsa.outputs.hashes }}
|
|
runs-on:
|
|
group: "Default Larger Runners"
|
|
permissions:
|
|
contents: write # needed to write releases
|
|
id-token: write # needed for keyless signing
|
|
packages: write # needed for ghcr access
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
- name: Setup Go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: 1.25.x
|
|
- uses: fluxcd/flux2/action@main
|
|
- uses: sigstore/cosign-installer@v3.10.0
|
|
- name: Prepare
|
|
id: prep
|
|
run: |
|
|
if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then
|
|
VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
|
|
else
|
|
VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
|
|
fi
|
|
CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')"
|
|
echo "[CHANGELOG](${CHANGELOG})" > notes.md
|
|
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
|
|
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
|
|
- name: Setup QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Setup Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: fluxcdbot
|
|
password: ${{ secrets.GHCR_TOKEN }}
|
|
- name: Generate image meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: |
|
|
${{ env.IMAGE }}
|
|
tags: |
|
|
type=raw,value=${{ steps.prep.outputs.VERSION }}
|
|
- name: Publish image
|
|
id: build-push
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
sbom: true
|
|
provenance: true
|
|
push: true
|
|
builder: ${{ steps.buildx.outputs.name }}
|
|
context: .
|
|
file: ./Dockerfile
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7
|
|
build-args: |
|
|
REVISON=${{ github.sha }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Sign image
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
|
|
- name: Publish signed manifests to GHCR
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
OCI_URL=$(flux push artifact \
|
|
oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
|
|
--path="./kustomize" \
|
|
--source="$(git config --get remote.origin.url)" \
|
|
--revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
|
|
--output json | \
|
|
jq -r '. | .repository + "@" + .digest')
|
|
cosign sign --yes ${OCI_URL}
|
|
- name: Publish Helm charts
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
uses: stefanprodan/helm-gh-pages@v1.7.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
charts_url: https://flagger.app
|
|
linting: off
|
|
- uses: fluxcd/pkg/actions/helm@main
|
|
with:
|
|
version: 3.12.3
|
|
- name: Publish signed Helm chart to GHCR
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
helm package charts/flagger
|
|
helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest
|
|
cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
|
|
rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
|
|
rm .digest
|
|
- uses: anchore/sbom-action/download-syft@v0
|
|
- name: Create release and SBOM
|
|
id: run-goreleaser
|
|
uses: goreleaser/goreleaser-action@v6
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
with:
|
|
version: latest
|
|
args: release --release-notes=notes.md --clean --skip=validate
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Generate SLSA metadata
|
|
id: slsa
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
env:
|
|
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
|
|
echo "hashes=$hashes" >> $GITHUB_OUTPUT
|
|
|
|
release-provenance:
|
|
needs: [release-flagger]
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
permissions:
|
|
actions: read # for detecting the Github Actions environment.
|
|
id-token: write # for creating OIDC tokens for signing.
|
|
contents: write # for uploading attestations to GitHub releases.
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
|
|
with:
|
|
provenance-name: "provenance.intoto.jsonl"
|
|
base64-subjects: "${{ needs.release-flagger.outputs.hashes }}"
|
|
upload-assets: true
|