Merge pull request #470 from stefanprodan/release-6.11.2 #74
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| permissions: | |
| contents: read | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # needed to write releases | |
| id-token: write # needed for keyless signing | |
| packages: write # needed for ghcr access | |
| attestations: write # needed for provenance | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: ./.github/actions/runner-cleanup | |
| - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - uses: fluxcd/flux2/action@871be9b40d53627786d3a3835a3ddba1e3234bd2 # v2.8.3 | |
| - uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0 | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@b6fee73110795d6793253c673bd723f12bcf9bbb # v1.2.2 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Notation signing keys | |
| run: | | |
| mkdir -p ~/.config/notation/localkeys/ | |
| cp ./.notation/signingkeys.json ~/.config/notation/ | |
| cp ./.notation/notation.crt ~/.config/notation/localkeys/ | |
| echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key | |
| env: | |
| NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} | |
| - name: Setup Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: 1.26.x | |
| - name: Setup Helm | |
| uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 | |
| with: | |
| version: v4.1.1 | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| with: | |
| platforms: all | |
| - name: Setup Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Prepare | |
| id: prep | |
| run: | | |
| VERSION=sha-${GITHUB_SHA::8} | |
| if [[ $GITHUB_REF == refs/tags/* ]]; then | |
| VERSION=${GITHUB_REF/refs\/tags\//} | |
| fi | |
| echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
| echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| - name: Generate images meta | |
| id: meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| with: | |
| images: | | |
| docker.io/stefanprodan/podinfo | |
| ghcr.io/stefanprodan/podinfo | |
| tags: | | |
| type=raw,value=${{ steps.prep.outputs.VERSION }} | |
| type=raw,value=latest | |
| - name: Publish multi-arch image | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | |
| with: | |
| sbom: true | |
| provenance: true | |
| push: true | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: . | |
| file: ./Dockerfile.xx | |
| build-args: | | |
| REVISION=${{ steps.prep.outputs.REVISION }} | |
| platforms: linux/amd64,linux/arm/v7,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Publish Timoni module to GHCR | |
| run: | | |
| timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \ | |
| --sign cosign \ | |
| --version ${{ steps.prep.outputs.VERSION }} \ | |
| -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \ | |
| -a 'org.opencontainers.image.licenses=Apache-2.0' \ | |
| -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \ | |
| -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md' | |
| - name: Publish Helm chart to GHCR | |
| run: | | |
| helm package charts/podinfo | |
| helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts | |
| rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz | |
| - name: Publish Flux OCI artifact to GHCR | |
| run: | | |
| flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ | |
| --path="./kustomize" \ | |
| --source="${{ github.event.repository.html_url }}" \ | |
| --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" | |
| flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest | |
| - name: Sign artifacts with Cosign | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes | |
| - name: Publish base image | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | |
| with: | |
| push: true | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: . | |
| platforms: linux/amd64 | |
| file: ./Dockerfile.base | |
| tags: docker.io/stefanprodan/podinfo-base:latest | |
| - name: Publish helm chart | |
| uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish config artifact | |
| run: | | |
| flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ | |
| --path="./kustomize" \ | |
| --source="${{ github.event.repository.html_url }}" \ | |
| --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" | |
| flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest | |
| - name: Sign config artifact with cso | |
| run: | | |
| echo "$COSIGN_KEY" > /tmp/cosign.key | |
| cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes | |
| cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes | |
| env: | |
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
| COSIGN_KEY: ${{secrets.COSIGN_KEY}} | |
| - name: Sign artifacts with Notation | |
| run: | | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} | |
| notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest | |
| - name: Publish release | |
| uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 | |
| with: | |
| version: latest | |
| args: release --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Attest release | |
| uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 | |
| with: | |
| subject-checksums: ./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt |