  | name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| # GitHub settings / example values: | |
| # | |
| # org level vars: | |
| # - PUBLIC_REGISTRY: docker.io | |
| # repo level vars: | |
| # - PUBLIC_REGISTRY_REPO: rancher | |
| # repo level secrets: | |
| # - PUBLIC_REGISTRY_USERNAME | |
| # - PUBLIC_REGISTRY_PASSWORD | |
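jobs:
  publish-images:
    permissions:
      contents: read
      id-token: write  # required for reading vault secrets and for cosign's use in ecm-distro-tools/publish-image
    strategy:
      matrix:
        include:
          # Three images are created:
          # - Multi-arch manifest for both amd64 and arm64
          - tag-suffix: ""
            platforms: linux/amd64,linux/arm64
          # - arm64 manifest
          - tag-suffix: "-arm64"
            platforms: linux/arm64
          # - amd64 manifest
          - tag-suffix: "-amd64"
            platforms: linux/amd64
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}
      # TODO(security): `@main` is a mutable branch reference, so this step
      # runs whatever that repository's main branch contains at release time,
      # and it is handed the job's OIDC token to fetch registry credentials.
      # Pin to a full commit SHA (with a version comment) once a reviewed
      # revision is chosen; the same applies to the `@master` reference below.
      - name: Read secrets
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
      # Receives the registry credentials read above; see the pinning note on
      # the previous step.
      - name: Publish images
        uses: rancher/ecm-distro-tools/actions/publish-image@master
        with:
          image: aks-operator
          tag: ${{ github.ref_name }}${{ matrix.tag-suffix }}
          platforms: ${{ matrix.platforms }}
          public-registry: docker.io
          public-repo: rancher
          public-username: ${{ env.PUBLIC_REGISTRY_USERNAME }}
          public-password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}
          prime-registry: ${{ env.PRIME_REGISTRY }}
          prime-repo: rancher
          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
          make-target: image-push
          push-to-prime: true

  release:
    permissions:
      contents: write  # required for creating GH release
    runs-on: ubuntu-latest
    needs: publish-images
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}
      - name: Create release
        id: goreleaser
        uses: goreleaser/goreleaser-action@v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # required for creating GH release
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}  # specify the tag to be released
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean --verbose
      - name: Upload charts to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # required for updating GH release
          # The goreleaser metadata is passed through the environment instead
          # of being expanded inside the script: a `${{ }}` expression in
          # `run:` is substituted as raw text before bash parses it, so a
          # quote or shell metacharacter in the payload would break out of
          # the command. Environment variables are never re-parsed by bash.
          GORELEASER_METADATA: ${{ steps.goreleaser.outputs.metadata }}
          # First name component for the Docker repository referenced in
          # `values.yaml` of the Helm chart release; expected to be `rancher`,
          # the image name is appended to this value.
          REPO: rancher
          TAG: ${{ github.ref_name }}  # image tag to be referenced in `values.yaml` of the Helm chart release
        run: |
          set -euo pipefail
          version=$(jq -r '.version' <<< "$GORELEASER_METADATA")
          if [ -z "$version" ] || [ "$version" = "null" ]; then
            echo "::error::could not read .version from goreleaser metadata"
            exit 1
          fi
          echo "Publishing helm charts (version: $version)"
          # Both version and appVersion are set to the same value in the Chart.yaml (excluding the 'v' prefix)
          CHART_VERSION="$version" GIT_TAG="$version" make charts
          # Collect the packaged charts NUL-delimited so paths are not word-split,
          # and fail instead of reporting success when nothing was packaged.
          mapfile -d '' charts < <(find bin/ -name '*.tgz' -print0)
          if [ "${#charts[@]}" -eq 0 ]; then
            echo "::error::no chart archives (*.tgz) found under bin/"
            exit 1
          fi
          for f in "${charts[@]}"; do
            echo "Uploading $f to GitHub release $TAG"
            gh release upload "$TAG" "$f"
          done
          echo "Charts successfully uploaded to GitHub release $TAG"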