Skip to content

Merge pull request #344 from codefresh-io/CR-22221-sync-v1.9.0 #115

Merge pull request #344 from codefresh-io/CR-22221-sync-v1.9.0

Merge pull request #344 from codefresh-io/CR-22221-sync-v1.9.0 #115

Workflow file for this run

name: release
on:
push:
tags:
- 'v*'
branches:
- "master"
- "release-*"
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
build-binaries:
runs-on: ubuntu-20.04
name: Build binaries
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/[email protected]
with:
go-version: "1.20"
- name: Build binaries
run: |
make build
chmod -R +x dist
- name: Make checksums
run: make checksums
- name: store artifacts
uses: actions/upload-artifact@v3
with:
name: binaries
path: dist
build-push-linux-multi:
name: Build & push linux/amd64 and linux/arm64
needs: [ build-binaries ]
runs-on: ubuntu-20.04
strategy:
matrix:
target: [ argo-events ]
outputs:
VERSION: ${{ steps.version.outputs.VERSION }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Download binaries
uses: actions/download-artifact@v3
with:
name: binaries
path: dist/
- name: Registry Login
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: set Version
id: version
run: |
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
echo "VERSION=$tag" >> $GITHUB_OUTPUT
- name: Container build and push with arm64/amd64
env:
IMAGE_NAMESPACE: quay.io/${{ secrets.QUAYIO_ORG }}
run: |
VERSION=${{ steps.version.outputs.VERSION }} DOCKER_PUSH=true make image-multi
bom:
runs-on: ubuntu-latest
needs: [ build-push-linux-multi ]
steps:
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
- id: version
run: |
if [ ${GITHUB_REF##*/} = master ]; then
echo "VERSION=latest" >> $GITHUB_ENV
else
echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
fi
- uses: actions/[email protected]
with:
go-version: "1.20"
- uses: actions/checkout@v4
- run: go install sigs.k8s.io/bom/cmd/[email protected]
- run: go install github.com/spdx/spdx-sbom-generator/cmd/[email protected]
- run: mkdir -p dist
- run: generator -o dist -p .
# do not scan images, this is only supported for debian-based images. See: https://github.com/kubernetes-sigs/bom#usage
- env:
VERSION: ${{ steps.version.outputs.VERSION }}
run:
bom generate --scan-images=false --image quay.io/${{ secrets.QUAYIO_ORG }}/argo-events:$VERSION -o /tmp/argo-events.spdx
# pack the boms into one file to make it easy to download
- run: cd /tmp && tar -zcf sbom.tar.gz *.spdx
- uses: actions/upload-artifact@v3
with:
name: sbom.tar.gz
path: /tmp/sbom.tar.gz
release:
runs-on: ubuntu-latest
needs: [ build-push-linux-multi, bom ]
permissions:
contents: write # for softprops/action-gh-release to create GitHub release
id-token: write # Needed to create an OIDC token for keyless signing
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set Version
run: |
if [ ${GITHUB_REF##*/} = master ]; then
echo "VERSION=latest" >> $GITHUB_ENV
else
echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
fi
- name: Download binaries
uses: actions/download-artifact@v3
with:
name: binaries
path: dist/
- uses: actions/download-artifact@v3
with:
name: sbom.tar.gz
path: /tmp
- name: Registry Login
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
with:
cosign-release: 'v2.1.1'
- name: Install crane to get digest of image
uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2
- name: Get digests of container images
id: get-digest
env:
VERSION: ${{ needs.build-push-linux-multi.outputs.VERSION }}
run: |
echo "digest=$(crane digest quay.io/${{ secrets.QUAYIO_ORG }}/argo-events:$VERSION)" >> $GITHUB_OUTPUT
- name: Sign Argo Events container image and assets
env:
IMAGE_DIGEST: ${{ steps.get-digest.outputs.digest }}
run: |
cosign sign -y quay.io/${{ secrets.QUAYIO_ORG }}/argo-events@$IMAGE_DIGEST
cosign sign-blob -y ./dist/argo-events-checksums.txt > ./dist/argo-events-checksums.sig
cosign sign-blob -y /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
- name: Release binaries
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
dist/*.gz
dist/argo-events-checksums.txt
dist/argo-events-checksums.sig
manifests/*.yaml
/tmp/sbom.tar.gz
/tmp/sbom.tar.gz.sig
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}