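# Reusable release workflow for a Flux controller. Every call builds a
# multi-arch image, pushes it to Docker Hub and GHCR and signs it with cosign
# (keyless, using the job's OIDC token). On `refs/tags/v*` it additionally
# renders the Kubernetes manifests and cuts a GoReleaser release. The published
# digests are exported so a downstream job can generate SLSA provenance.
name: controller-release
on:
  workflow_call:
    inputs:
      controller:
        description: 'controller name'
        required: true
        type: string
      release-candidate-prefix:
        description: 'release candidate image tag prefix'
        required: true
        type: string
    secrets:
      github-token:
        description: 'GitHub token (for pushing to GHCR and creating GitHub releases)'
        required: true
      dockerhub-token:
        description: 'Docker Hub token'
        required: true
    outputs:
      release-digests:
        description: 'Release artifacts digests compatible with SLSA'
        value: ${{ jobs.release.outputs.release-digests }}
      image-name:
        description: 'Published container image name (without the registry)'
        value: ${{ jobs.release.outputs.image-name }}
      image-digest:
        description: 'Published container image digest'
        value: ${{ jobs.release.outputs.image-digest }}
jobs:
  release:
    outputs:
      release-digests: ${{ steps.slsa.outputs.release-digests }}
      image-name: ${{ steps.slsa.outputs.image-name }}
      image-digest: ${{ steps.slsa.outputs.image-digest }}
    runs-on: ubuntu-latest
    # Explicit least-privilege token: scopes not listed here are not granted.
    # contents:write and id-token:write live in the same job, so every step
    # below (third-party actions included) can mint OIDC tokens and publish
    # releases; that is why each `uses:` is pinned to a full commit SHA.
    permissions:
      contents: write # for creating the GitHub release.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for pushing and signing container images.
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Kustomize
        # Pinned to a commit on `main` rather than a release tag. The SHA pin is
        # still immutable; only the trailing comment drifts as main moves on.
        uses: fluxcd/pkg/actions/kustomize@63d73fdd0da522e94a54cc3e93607226a433ccb0 # main
      - name: Prepare
        id: prep
        # Caller-controlled values reach the shell only through env vars, never
        # as `${{ }}` interpolated into `run:`, so a crafted tag name or prefix
        # cannot inject shell commands.
        env:
          GIT_REF: ${{ github.ref }}
          GIT_SHA: ${{ github.sha }}
          RELEASE_CANDIDATE_PREFIX: ${{ inputs.release-candidate-prefix }}
        run: |
          # Default to a release-candidate tag "<prefix>-<8-char sha>"; a tag
          # ref (refs/tags/<tag>) replaces it with the bare tag name.
          VERSION="${RELEASE_CANDIDATE_PREFIX}-${GIT_SHA::8}"
          if [[ $GIT_REF == refs/tags/* ]]; then
            VERSION=${GIT_REF/refs\/tags\//}
          fi
          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
      - name: Setup QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: fluxcdbot # not necessary for ghcr.io
          password: ${{ secrets.github-token }}
      - name: Login to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          # Forks publish under their own Docker Hub account with their own token.
          username: ${{ github.repository_owner == 'fluxcd' && 'fluxcdbot' || github.repository_owner }}
          password: ${{ secrets.dockerhub-token }}
      - name: Generate images meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          # Same image name on both registries; the only tag is the VERSION
          # computed in the prep step.
          images: |
            ${{ github.repository_owner }}/${{ inputs.controller }}
            ghcr.io/${{ github.repository_owner }}/${{ inputs.controller }}
          tags: |
            type=raw,value=${{ steps.prep.outputs.VERSION }}
      - name: Publish images
        id: build-push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          # Attach SBOM and build-provenance attestations to the pushed image.
          sbom: true
          provenance: true
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
        with:
          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
      - name: Sign images
        # Keyless signing: cosign trades the job's OIDC token (id-token: write)
        # for a short-lived certificate. Signing by digest, not by tag, binds
        # the signature to exactly the bytes that were just pushed.
        env:
          # COSIGN_EXPERIMENTAL enabled keyless mode on cosign v1; with v2.6.1
          # pinned above it is presumably a harmless holdover — confirm and drop.
          COSIGN_EXPERIMENTAL: 1
          CONTROLLER: ${{ inputs.controller }}
          DIGEST: ${{ steps.build-push.outputs.digest }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          cosign sign --yes "${REPOSITORY_OWNER}/${CONTROLLER}@${DIGEST}"
          cosign sign --yes "ghcr.io/${REPOSITORY_OWNER}/${CONTROLLER}@${DIGEST}"
      - name: Generate release artifacts
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          CONTROLLER: ${{ inputs.controller }}
        run: |
          # Render the CRDs and the controller deployment for attachment to the
          # GitHub release.
          mkdir -p config/release
          kustomize build ./config/crd > "./config/release/${CONTROLLER}.crds.yaml"
          kustomize build ./config/manager > "./config/release/${CONTROLLER}.deployment.yaml"
      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      - name: Create release and SBOM
        id: run-goreleaser
        if: startsWith(github.ref, 'refs/tags/v')
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          # NOTE(review): the action is SHA-pinned, but `version: latest` fetches
          # whichever GoReleaser release is newest at run time, so the binary that
          # creates the release (with contents:write and id-token:write in hand)
          # is neither reproducible nor reviewable. Pin a specific version.
          version: latest
          # --skip=validate: presumably needed because the files generated into
          # config/release above leave the worktree dirty — confirm.
          args: release --clean --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.github-token }}
      - name: Generate SLSA metadata
        id: slsa
        # Runs on every call. On non-tag builds the goreleaser step is skipped,
        # ARTIFACTS is empty and release-digests is emitted empty.
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
          CONTROLLER: ${{ inputs.controller }}
          VERSION: ${{ steps.prep.outputs.VERSION }}
          BUILD_DIGEST: ${{ steps.build-push.outputs.digest }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          # One "<sha256 hex> <artifact name>" line per artifact with a digest,
          # base64-encoded for the SLSA generator. printf with a quoted argument
          # hands the JSON to jq intact; the former unquoted `echo $ARTIFACTS`
          # word-split and glob-expanded it.
          release_digests=$(printf '%s' "$ARTIFACTS" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
          echo "release-digests=$release_digests" >> "$GITHUB_OUTPUT"
          image_name=${REPOSITORY_OWNER}/${CONTROLLER}:${VERSION}
          echo "image-name=$image_name" >> "$GITHUB_OUTPUT"
          image_digest=${BUILD_DIGEST}
          echo "image-digest=$image_digest" >> "$GITHUB_OUTPUT"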