Publish Release #17

Summary
Jobs
- release
- chart-pr
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/publish-release.yaml at 6b1b331

	name: Publish Release

	on:
	workflow_dispatch:
	inputs:
	chart:
	description: 'Chart version (e.g. 2.11.3)'
	required: true
	type: string

	jobs:
	release:
	runs-on: ubuntu-latest
	env:
	controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
	controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
	kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
	kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
	steps:
	# Checkout and set env
	- name: Checkout
	uses: actions/[email protected]
	with:
	fetch-depth: 0
	- id: load-version
	run: \|
	source $GITHUB_WORKSPACE/versions.env
	echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
	- name: Set up Go
	uses: actions/[email protected]
	with:
	go-version: ${{ env.GO_VERSION }}
	- name: Setup kubecfg
	run: \|
	mkdir -p ~/bin
	curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
	chmod +x ~/bin/kubecfg

	- name: Install dependencies
	run: \|
	go install gotest.tools/[email protected]

	# Setup env tools to copy images
	- name: Set up regctl
	uses: iarekylew00t/regctl-installer@v1
	with:
	regctl-release: v0.4.7

	# Check Release
	- name: Check Release
	run: \|
	VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 \| tr -d v)
	echo "Tag looking for $VERSION_TAG"
	CHECK_CONTROLLER=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG)
	CHECK_KUBESEAL=$(./scripts/release-check ${{ env.kubeseal_dockerhub_image_name }} $VERSION_TAG)
	echo "RELEASE=$(($CHECK_CONTROLLER * $CHECK_KUBESEAL))" >> $GITHUB_ENV
	echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV
	echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV

	# Run tests
	- name: Tests
	if: env.RELEASE == 1
	run: make test

	# Generate K8s manifests
	- name: K8s manifests
	if: env.RELEASE == 1
	run: \|
	export PATH=~/bin:$PATH
	make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml

	# Setup Cosign
	- name: Install Cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: v2.2.3

	if: env.RELEASE == 1
	- name: Write Cosign key
	if: env.RELEASE == 1
	run: echo "$COSIGN_KEY" > /tmp/cosign.key
	env:
	COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

	- name: Checkout version
	run: git checkout "$GORELEASER_CURRENT_TAG"

	# Build & Release binaries
	- name: Run GoReleaser
	uses: goreleaser/[email protected]
	if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1
	with:
	version: v1.10.3
	args: release --rm-dist
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	# Build & Publish multi-arch image
	- name: Login to Docker Hub
	if: env.RELEASE == 1
	uses: docker/[email protected]
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_PASSWORD }}
	- name: Login to GHRC
	if: env.RELEASE == 1
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract metadata (tags, labels) for Docker controller image
	if: env.RELEASE == 1
	id: meta_controller
	uses: docker/[email protected]
	with:
	images: \|
	${{ env.controller_dockerhub_image_name }}
	${{ env.controller_ghcr_image_name }}
	tags: \|
	type=raw,value=${{ env.VERSION_TAG }}
	type=raw,value=latest
	- name: Copy controller image
	if: env.RELEASE == 1
	run: \|
	regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest
	regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG}
	- name: Extract metadata (tags, labels) for Docker kubeseal image
	if: env.RELEASE == 1
	id: meta_kubeseal
	uses: docker/[email protected]
	with:
	images: \|
	${{ env.kubeseal_dockerhub_image_name }}
	${{ env.kubeseal_ghcr_image_name }}
	tags: \|
	type=raw,value=${{ env.VERSION_TAG }}
	type=raw,value=latest
	- name: Copy kubeseal image
	if: env.RELEASE == 1
	run: \|
	regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest
	regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG}
	- name: Sign controller image with a key in GHCR
	if: env.RELEASE == 1
	run: \|
	echo -n "$COSIGN_PASSWORD" \| cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
	COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
	- name: Sign kubeseal image with a key in GHCR
	if: env.RELEASE == 1
	run: \|
	echo -n "$COSIGN_PASSWORD" \| cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
	COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs

	chart-pr:
	needs: release
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
	with:
	fetch-depth: 0

	- name: Config Git
	run: \|
	git config user.name "$GITHUB_ACTOR"
	git config user.email "[email protected]"

	- name: Fetch Versions
	run: \|
	echo NEW_VERSION=$(git describe --tags --match "v[0-9]*" --abbrev=0 \| tr -d v) >> "$GITHUB_ENV"
	echo PREV_VERSION=$(grep appVersion helm/sealed-secrets/Chart.yaml \| grep -o '[0-9.]*') >> "$GITHUB_ENV"

	- name: Update Version
	run: \|
	sed -i "s/version: .*/version: ${{ inputs.chart }}/" helm/sealed-secrets/Chart.yaml
	sed -i "s/appVersion: .*/appVersion: $NEW_VERSION/" helm/sealed-secrets/Chart.yaml
	sed -i "s/tag: .*/tag: $NEW_VERSION/" helm/sealed-secrets/values.yaml
	sed -i "s/\`$PREV_VERSION\`/\`$NEW_VERSION\`/" helm/sealed-secrets/README.md
	git checkout -B 'release-chart-${{ inputs.chart }}'
	git add helm/sealed-secrets/Chart.yaml helm/sealed-secrets/values.yaml helm/sealed-secrets/README.md
	git commit -sm 'Release chart ${{ inputs.chart }}'
	git push origin 'release-chart-${{ inputs.chart }}'

	- name: Create PR
	run: gh pr create --fill --base main --repo $GITHUB_REPOSITORY
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish Release #17

Workflow file

Publish Release #17

Jobs

Run details

Workflow file for this run