mirror of
https://github.com/stefanprodan/podinfo.git
synced 2026-05-16 14:36:33 +00:00
96099fd157
Bumps the actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.1` | `4.1.2` | | [fluxcd/flux2](https://github.com/fluxcd/flux2) | `2.8.3` | `2.8.6` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `7.0.0` | `7.2.1` | | [azure/setup-kubectl](https://github.com/azure/setup-kubectl) | `5.0.0` | `5.1.0` | Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](cad07c2e89...6f9f177880) Updates `fluxcd/flux2` from 2.8.3 to 2.8.6 - [Release notes](https://github.com/fluxcd/flux2/releases) - [Commits](871be9b40d...04acaec616) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](d08e5c354a...bcafcacb16) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.2.1 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](ec59f474b9...1a80836c5c) Updates `azure/setup-kubectl` from 5.0.0 to 5.1.0 - [Release notes](https://github.com/azure/setup-kubectl/releases) - [Changelog](https://github.com/Azure/setup-kubectl/blob/main/CHANGELOG.md) - [Commits](15650b3ad7...829323503d) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: fluxcd/flux2 dependency-version: 2.8.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: azure/setup-kubectl dependency-version: 5.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
172 lines
7.8 KiB
YAML
172 lines
7.8 KiB
YAML
name: release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- '*'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
release:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write # needed to write releases
|
|
id-token: write # needed for keyless signing
|
|
packages: write # needed for ghcr access
|
|
attestations: write # needed for provenance
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: ./.github/actions/runner-cleanup
|
|
- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
|
|
- uses: fluxcd/flux2/action@04acaec6161ac4fb1a82ffafa88901c03271d34f # v2.8.6
|
|
- uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
|
|
- name: Setup Notation CLI
|
|
uses: notaryproject/notation-action/setup@b6fee73110795d6793253c673bd723f12bcf9bbb # v1.2.2
|
|
with:
|
|
version: "1.1.0"
|
|
- name: Setup Notation signing keys
|
|
run: |
|
|
mkdir -p ~/.config/notation/localkeys/
|
|
cp ./.notation/signingkeys.json ~/.config/notation/
|
|
cp ./.notation/notation.crt ~/.config/notation/localkeys/
|
|
echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
|
|
env:
|
|
NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
|
|
- name: Setup Go
|
|
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version: 1.26.x
|
|
- name: Setup Helm
|
|
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
|
|
with:
|
|
version: v4.1.1
|
|
- name: Setup QEMU
|
|
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
|
|
with:
|
|
platforms: all
|
|
- name: Setup Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
- name: Prepare
|
|
id: prep
|
|
run: |
|
|
VERSION=sha-${GITHUB_SHA::8}
|
|
if [[ $GITHUB_REF == refs/tags/* ]]; then
|
|
VERSION=${GITHUB_REF/refs\/tags\//}
|
|
fi
|
|
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
|
|
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
|
|
echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
|
|
- name: Generate images meta
|
|
id: meta
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: |
|
|
docker.io/stefanprodan/podinfo
|
|
ghcr.io/stefanprodan/podinfo
|
|
tags: |
|
|
type=raw,value=${{ steps.prep.outputs.VERSION }}
|
|
type=raw,value=latest
|
|
- name: Publish multi-arch image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
sbom: true
|
|
provenance: true
|
|
push: true
|
|
builder: ${{ steps.buildx.outputs.name }}
|
|
context: .
|
|
file: ./Dockerfile.xx
|
|
build-args: |
|
|
REVISION=${{ steps.prep.outputs.REVISION }}
|
|
platforms: linux/amd64,linux/arm/v7,linux/arm64
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
- name: Publish Timoni module to GHCR
|
|
run: |
|
|
timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
|
|
--sign cosign \
|
|
--version ${{ steps.prep.outputs.VERSION }} \
|
|
-a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
|
|
-a 'org.opencontainers.image.licenses=Apache-2.0' \
|
|
-a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
|
|
-a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
|
|
- name: Publish Helm chart to GHCR
|
|
run: |
|
|
helm package charts/podinfo
|
|
helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
|
|
rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
|
|
- name: Publish Flux OCI artifact to GHCR
|
|
run: |
|
|
flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
|
|
--path="./kustomize" \
|
|
--source="${{ github.event.repository.html_url }}" \
|
|
--revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
|
|
flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
|
|
- name: Sign artifacts with Cosign
|
|
env:
|
|
COSIGN_EXPERIMENTAL: 1
|
|
run: |
|
|
cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
|
|
cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
|
|
cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
|
|
cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
|
|
- name: Publish base image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
push: true
|
|
builder: ${{ steps.buildx.outputs.name }}
|
|
context: .
|
|
platforms: linux/amd64
|
|
file: ./Dockerfile.base
|
|
tags: docker.io/stefanprodan/podinfo-base:latest
|
|
- name: Publish helm chart
|
|
uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Publish config artifact
|
|
run: |
|
|
flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
|
|
--path="./kustomize" \
|
|
--source="${{ github.event.repository.html_url }}" \
|
|
--revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
|
|
flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
|
|
- name: Sign config artifact with cso
|
|
run: |
|
|
echo "$COSIGN_KEY" > /tmp/cosign.key
|
|
cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
|
|
cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
|
|
env:
|
|
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
|
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
|
|
- name: Sign artifacts with Notation
|
|
run: |
|
|
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
|
|
notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
|
|
notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
|
|
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
|
|
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
|
|
- name: Publish release
|
|
uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
|
|
with:
|
|
version: latest
|
|
args: release --skip=validate
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Attest release
|
|
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
|
|
with:
|
|
subject-checksums: ./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt
|