Merge pull request #343 from stefanprodan/release-6.6.0 #56
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| permissions: | |
| contents: read | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # needed to write releases | |
| id-token: write # needed for keyless signing | |
| packages: write # needed for ghcr access | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: sigstore/cosign-installer@v3 | |
| - uses: fluxcd/flux2/action@main | |
| - uses: stefanprodan/timoni/actions/setup@main | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Notation signing keys | |
| run: | | |
| mkdir -p ~/.config/notation/localkeys/ | |
| cp ./.notation/signingkeys.json ~/.config/notation/ | |
| cp ./.notation/notation.crt ~/.config/notation/localkeys/ | |
| echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key | |
| env: | |
| NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.21.x | |
| - name: Setup Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: v3.12.3 | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: all | |
| - name: Setup Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Prepare | |
| id: prep | |
| run: | | |
| VERSION=sha-${GITHUB_SHA::8} | |
| if [[ $GITHUB_REF == refs/tags/* ]]; then | |
| VERSION=${GITHUB_REF/refs\/tags\//} | |
| fi | |
| echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
| echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| - name: Generate images meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| docker.io/stefanprodan/podinfo | |
| ghcr.io/stefanprodan/podinfo | |
| tags: | | |
| type=raw,value=${{ steps.prep.outputs.VERSION }} | |
| type=raw,value=latest | |
| - name: Publish multi-arch image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| sbom: true | |
| provenance: true | |
| push: true | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: . | |
| file: ./Dockerfile.xx | |
| build-args: | | |
| REVISION=${{ steps.prep.outputs.REVISION }} | |
| platforms: linux/amd64,linux/arm/v7,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Publish Timoni module to GHCR | |
| run: | | |
| timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \ | |
| --sign cosign \ | |
| --version ${{ steps.prep.outputs.VERSION }} \ | |
| -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \ | |
| -a 'org.opencontainers.image.licenses=Apache-2.0' \ | |
| -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \ | |
| -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md' | |
| - name: Publish Helm chart to GHCR | |
| run: | | |
| helm package charts/podinfo | |
| helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts | |
| rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz | |
| - name: Publish Flux OCI artifact to GHCR | |
| run: | | |
| flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ | |
| --path="./kustomize" \ | |
| --source="${{ github.event.repository.html_url }}" \ | |
| --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" | |
| flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest | |
| - name: Sign OCI artifacts | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| notation sign --signature-format cose docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} | |
| - name: Publish base image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| push: true | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: . | |
| platforms: linux/amd64 | |
| file: ./Dockerfile.base | |
| tags: docker.io/stefanprodan/podinfo-base:latest | |
| - name: Publish helm chart | |
| uses: stefanprodan/helm-gh-pages@master | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish config artifact | |
| run: | | |
| flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ | |
| --path="./kustomize" \ | |
| --source="${{ github.event.repository.html_url }}" \ | |
| --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" | |
| flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest | |
| - name: Sign config artifact | |
| run: | | |
| echo "$COSIGN_KEY" > /tmp/cosign.key | |
| cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest | |
| env: | |
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
| COSIGN_KEY: ${{secrets.COSIGN_KEY}} | |
| - uses: ./.github/actions/release-notes | |
| - name: Generate release notes | |
| run: | | |
| echo 'CHANGELOG' > /tmp/release.txt | |
| github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt | |
| - name: Publish release | |
| uses: goreleaser/goreleaser-action@v5 | |
| with: | |
| version: latest | |
| args: release --release-notes=/tmp/release.txt --skip-validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |