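---
# Release workflow: on every pushed tag, builds and publishes the podinfo
# container image, the Timoni module, the Helm chart and the Flux OCI
# artifacts, signs them (Cosign keyless, Cosign key-based, Notation) and
# cuts a GitHub release with GoReleaser.
#
# Secrets referenced: NOTATION_SIGNING_KEY, DOCKER_USERNAME, DOCKER_PASSWORD,
# COSIGN_KEY, COSIGN_PASSWORD and the workflow's own GITHUB_TOKEN.
#
# Values that come from step outputs or event data are handed to shell
# steps through `env:` and expanded by the shell, instead of being spliced
# into the script text with `${{ }}`; that is GitHub's documented guard
# against script injection and also keeps the scripts quotable.
name: release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - '*'

# Workflow-wide token scope is read-only; the job opts in to the write
# scopes it needs.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # needed to write releases
      id-token: write  # needed for keyless signing
      packages: write  # needed for ghcr access
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/runner-cleanup
      - uses: sigstore/cosign-installer@v4.0.0
        with:
          cosign-release: v2.6.1
      - uses: fluxcd/flux2/action@v2.7.5
      - uses: stefanprodan/timoni/actions/setup@v0.25.2

      - name: Setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: "1.1.0"

      - name: Setup Notation signing keys
        # The certificate and key list are committed under ./.notation; only the
        # private key comes from a secret. It is written owner-only (umask 077)
        # and with printf, which unlike echo never interprets its argument.
        env:
          NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
        run: |
          mkdir -p ~/.config/notation/localkeys/
          cp ./.notation/signingkeys.json ~/.config/notation/
          cp ./.notation/notation.crt ~/.config/notation/localkeys/
          umask 077
          printf '%s\n' "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: 1.25.x

      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.17.3

      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: all

      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Derives the version string used by every publish/sign step below:
      # the pushed tag name, or "sha-<short sha>" if the ref is not a tag.
      # Outputs: BUILD_DATE (UTC, RFC 3339), VERSION, REVISION (full sha).
      - name: Prepare
        id: prep
        run: |
          VERSION="sha-${GITHUB_SHA::8}"
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
            VERSION="${GITHUB_REF#refs/tags/}"
          fi
          {
            echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            echo "VERSION=${VERSION}"
            echo "REVISION=${GITHUB_SHA}"
          } >> "$GITHUB_OUTPUT"

      - name: Generate images meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            docker.io/stefanprodan/podinfo
            ghcr.io/stefanprodan/podinfo
          tags: |
            type=raw,value=${{ steps.prep.outputs.VERSION }}
            type=raw,value=latest

      # Multi-arch build with SBOM and provenance attestations attached.
      - name: Publish multi-arch image
        uses: docker/build-push-action@v6
        with:
          sbom: true
          provenance: true
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          file: ./Dockerfile.xx
          build-args: |
            REVISION=${{ steps.prep.outputs.REVISION }}
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Publish Timoni module to GHCR
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
            --sign cosign \
            --version "${VERSION}" \
            -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
            -a 'org.opencontainers.image.licenses=Apache-2.0' \
            -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
            -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'

      # Packages the chart into podinfo-<VERSION>.tgz, pushes it as an OCI
      # artifact and removes the local tarball again.
      - name: Publish Helm chart to GHCR
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          helm package charts/podinfo
          helm push "podinfo-${VERSION}.tgz" oci://ghcr.io/stefanprodan/charts
          rm "podinfo-${VERSION}.tgz"

      - name: Publish Flux OCI artifact to GHCR
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
          SOURCE_URL: ${{ github.event.repository.html_url }}
        run: |
          flux push artifact "oci://ghcr.io/stefanprodan/manifests/podinfo:${VERSION}" \
            --path="./kustomize" \
            --source="${SOURCE_URL}" \
            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
          flux tag artifact "oci://ghcr.io/stefanprodan/manifests/podinfo:${VERSION}" --tag latest

      # Keyless (OIDC) signing; the id-token: write permission above is what
      # lets cosign obtain the identity token.
      # NOTE(review): each reference is a tag, so the signature is bound to
      # whatever digest the tag resolves to at this moment; binding it to the
      # digest returned by the build/push step would be stricter — confirm
      # the consumers verify by digest before relying on this.
      - name: Sign artifacts with Cosign
        env:
          # Presumably a cosign v1-era opt-in kept for compatibility; keyless is
          # the default in the v2 release pinned above.
          COSIGN_EXPERIMENTAL: "1"
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          cosign sign "docker.io/stefanprodan/podinfo:${VERSION}" --yes
          cosign sign "ghcr.io/stefanprodan/podinfo:${VERSION}" --yes
          cosign sign "ghcr.io/stefanprodan/charts/podinfo:${VERSION}" --yes
          cosign sign "ghcr.io/stefanprodan/manifests/podinfo:${VERSION}" --yes

      - name: Publish base image
        uses: docker/build-push-action@v6
        with:
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          platforms: linux/amd64
          file: ./Dockerfile.base
          tags: docker.io/stefanprodan/podinfo-base:latest

      # NOTE(review): `@master` is a mutable ref and this action receives a
      # token with contents: write; pinning to a release tag or a full commit
      # SHA (<PINNED_SHA> placeholder) would make the supply chain reproducible.
      - name: Publish helm chart
        uses: stefanprodan/helm-gh-pages@master
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish config artifact
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
          SOURCE_URL: ${{ github.event.repository.html_url }}
        run: |
          flux push artifact "oci://ghcr.io/stefanprodan/podinfo-deploy:${VERSION}" \
            --path="./kustomize" \
            --source="${SOURCE_URL}" \
            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
          flux tag artifact "oci://ghcr.io/stefanprodan/podinfo-deploy:${VERSION}" --tag latest

      # Key-based signing. The private key is materialised owner-only in /tmp
      # and removed when the step exits, whether or not signing succeeded.
      - name: Sign config artifact with cso
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          umask 077
          trap 'rm -f /tmp/cosign.key' EXIT
          printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key
          # NOTE(review): cosign v2 documents the long form `--key`; confirm
          # the single-dash spelling still parses with the pinned v2.6.1.
          cosign sign -key /tmp/cosign.key "ghcr.io/stefanprodan/podinfo-deploy:${VERSION}" --yes
          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes

      # Uses the key installed by "Setup Notation signing keys" above.
      - name: Sign artifacts with Notation
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          notation sign --signature-format cose "ghcr.io/stefanprodan/podinfo:${VERSION}"
          notation sign --signature-format cose "ghcr.io/stefanprodan/charts/podinfo:${VERSION}"
          notation sign --signature-format cose "ghcr.io/stefanprodan/manifests/podinfo:${VERSION}"
          notation sign --signature-format cose "ghcr.io/stefanprodan/podinfo-deploy:${VERSION}"
          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest

      - name: Publish release
        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}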