

# # NOTE(review): every line of this workflow is rendered commented out (leading "# ") and the
# # YAML indentation has been flattened, so as shown the file declares no triggers and no jobs.
# # The structure annotated below is inferred from key order only. Confirm whether the
# # comment-out is deliberate (e.g. the upstream release workflow disabled in a fork) before
# # relying on anything here; the per-job `if: github.repository == ...` guard would already
# # keep it from running outside argoproj/argo-cd.
# name: Publish ArgoCD Release
# on:
# push:
# # Fires on pushed tags beginning with "v", except those beginning with v2.4, v2.5 or v2.6
# # (the '!' entries are exclusion patterns).
# tags:
# - 'v*'
# - '!v2.4*'
# - '!v2.5*'
# - '!v2.6*'
# # Workflow-level token permissions are emptied so every job has to request exactly what it
# # needs; each job below carries its own `permissions:` block.
# permissions: {}
# env:
# # Quoted on purpose: an unquoted 1.19-style value is a YAML float (a future 1.20 would
# # read back as 1.2).
# GOLANG_VERSION: '1.19' # Note: go-version must also be set in job argocd-image.with.go-version
# jobs:
# # Builds and pushes the multi-arch release image through the repository-local reusable
# # workflow image-reuse.yaml (not visible here). Its `image-digest` output is what the
# # argocd-image-provenance job attests.
# argocd-image:
# permissions:
# contents: read
# id-token: write # for creating OIDC tokens for signing.
# # NOTE(review): the image is pushed to quay.io (see quay_image_name / secrets below). If
# # image-reuse.yaml does not also push to ghcr.io this grant is unused and should be removed
# # to keep the job at least privilege — verify against that workflow.
# packages: write # used to push images to `ghcr.io` if used.
# # Repository guard: this is what stops a fork from publishing release artifacts. Every job
# # in this file repeats it.
# if: github.repository == 'argoproj/argo-cd'
# uses: ./.github/workflows/image-reuse.yaml
# with:
# # The tag name is used as the image tag. This is an expression in a workflow input, not a
# # shell expansion, so it is not a script-injection surface here.
# quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
# # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
# # NOTE(review): unquoted here (unlike GOLANG_VERSION at the top), so a plain 1.19 parses as a
# # float; quote it ('1.19') to stay safe for versions such as 1.20.
# go-version: 1.19
# platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
# push: true
# secrets:
# quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
# quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
# # Generates and uploads SLSA provenance for the image built above. The subject is the
# # immutable digest from argocd-image, not the mutable tag, which is the correct thing to
# # attest.
# argocd-image-provenance:
# needs: [argocd-image]
# permissions:
# actions: read # for detecting the Github Actions environment.
# id-token: write # for creating OIDC tokens for signing.
# packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
# if: github.repository == 'argoproj/argo-cd'
# # NOTE(review): the workflow file name and ref after `.github/workflows/` are garbled in this
# # rendering ("[email protected]"); restore them from the real file and confirm the ref is a
# # release tag of the SLSA container generator. Unlike the SHA pins used for every other
# # action in this file this ref is a mutable tag; the README linked above explains why the
# # generator must nevertheless be referenced that way.
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
# with:
# image: quay.io/argoproj/argocd
# digest: ${{ needs.argocd-image.outputs.image-digest }}
# # The Quay push credentials are handed to a third-party reusable workflow so it can attach
# # the attestation to the registry; RELEASE_QUAY_TOKEN's trust boundary therefore includes
# # the pinned generator release.
# secrets:
# registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
# registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
# # Builds the CLI binaries and release assets with GoReleaser and exports, as the `hashes`
# # output, a base64-encoded list of "<sha256> <artifact name>" subjects for the generic SLSA
# # generator in goreleaser-provenance.
# goreleaser:
# needs:
# - argocd-image
# - argocd-image-provenance
# permissions:
# contents: write # used for uploading assets
# if: github.repository == 'argoproj/argo-cd'
# runs-on: ubuntu-22.04
# outputs:
# hashes: ${{ steps.hash.outputs.hashes }}
# steps:
# - name: Checkout code
# uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
# with:
# # Full history is needed so the tag listing below sees every release tag.
# fetch-depth: 0
# # Explicit but redundant: GITHUB_TOKEN is the default checkout token.
# token: ${{ secrets.GITHUB_TOKEN }}
# - name: Fetch all tags
# run: git fetch --force --tags
# - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
# run: |
# set -xue
# # NOTE(review): '-rc1+$' matches -rc1, -rc11, -rc111, ... (the '+' repeats the '1'); if the
# # intent is "the first release candidate on this branch", the pattern should be '-rc1$'.
# # The tag name is also expanded straight into the script; prefer `env: TAG: ${{ github.ref_name }}`
# # on the step and `echo "$TAG"` here so a tag containing shell metacharacters cannot alter the
# # command (only an actor who can already push v* tags could do so, but the env form is free).
# if echo ${{ github.ref_name }} | grep -E -- '-rc1+$';then
# # Second-newest tag in version order, treating "-rc" suffixes as pre-releases.
# echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> $GITHUB_ENV
# else
# echo "This is not the first release on the branch, Using GoReleaser defaults"
# fi
# - name: Setup Golang
# uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
# with:
# go-version: ${{ env.GOLANG_VERSION }}
# - name: Set environment variables for ldflags
# id: set_ldflag
# run: |
# # client-go module version, taken from the last whitespace-separated field of `go list -m`.
# echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV
# # "dirty" if the checkout has any uncommitted change, otherwise "clean".
# echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
# - name: Run GoReleaser
# uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
# id: run-goreleaser
# with:
# # NOTE(review): 'latest' lets the GoReleaser version float between runs (the "< v1.13.0"
# # fallback in the hash step below shows it is not controlled). Pin a specific GoReleaser
# # version so release builds are reproducible and the toolchain change is an explicit diff.
# version: latest
# args: release --clean --timeout 55m
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
# GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
# - name: Generate subject for provenance
# id: hash
# env:
# ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
# run: |
# set -euo pipefail
# # One "<hex digest> <name>" line per artifact that carries a Digest or Checksum, with any
# # "sha256:" prefix stripped, then base64-encoded for the generator's base64-subjects input.
# # NOTE(review): $ARTIFACTS is unquoted here but quoted in the fallback below; quote it in
# # both places so the JSON is not subject to word splitting and globbing.
# hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
# if test "$hashes" = ""; then # goreleaser < v1.13.0
# checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
# hashes=$(cat $checksum_file | base64 -w0)
# fi
# echo "hashes=$hashes" >> $GITHUB_OUTPUT
# # Generates SLSA provenance for the GoReleaser assets from the subject list exported by the
# # goreleaser job and uploads it to the release as argocd-cli.intoto.jsonl.
# goreleaser-provenance:
# needs: [goreleaser]
# permissions:
# actions: read # for detecting the Github Actions environment
# id-token: write # Needed for provenance signing and ID
# # Granted to a third-party reusable workflow so it can upload the provenance file itself.
# contents: write # Needed for release uploads
# if: github.repository == 'argoproj/argo-cd'
# # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
# # NOTE(review): this job attests release assets, not the container image, so the container
# # README linked above is probably not the right reference for it — verify. The workflow file
# # name and ref after `.github/workflows/` are garbled in this rendering ("[email protected]");
# # restore them from the real file and confirm they point at the generic generator at a
# # release tag. As in argocd-image-provenance, that tag is a mutable ref.
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
# with:
# base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
# provenance-name: "argocd-cli.intoto.jsonl"
# upload-assets: true
# # Produces SPDX SBOMs for the Go and UI dependency trees and for the published image, signs
# # the bundled tarball with cosign, and uploads tarball, signature and certificate to the
# # release.
# generate-sbom:
# name: Create Sbom and sign assets
# needs:
# - argocd-image
# - goreleaser
# permissions:
# contents: write # Needed for release uploads
# id-token: write # Needed for signing Sbom
# if: github.repository == 'argoproj/argo-cd'
# runs-on: ubuntu-22.04
# steps:
# - name: Checkout code
# # Same commit SHA as the checkout in the goreleaser job (v3.5.2); the version comment was
# # wrong here.
# uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
# with:
# fetch-depth: 0
# token: ${{ secrets.GITHUB_TOKEN }}
# - name: Setup Golang
# # NOTE(review): pinned to setup-go v3.5.0 while the goreleaser job pins v4.0.0; align the two
# # so the release toolchain is set up identically in every job.
# uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
# with:
# go-version: ${{ env.GOLANG_VERSION }}
# - name: Install cosign
# uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
# with:
# cosign-release: 'v2.0.0'
# - name: Generate SBOM (spdx)
# id: spdx-builder
# env:
# # defines the spdx/spdx-sbom-generator version to use.
# SPDX_GEN_VERSION: v0.0.13
# # defines the sigs.k8s.io/bom version to use.
# SIGS_BOM_VERSION: v0.2.1
# # comma delimited list of project relative folders to inspect for package
# # managers (gomod, yarn, npm).
# PROJECT_FOLDERS: ".,./ui"
# # full qualified name of the docker image to be inspected
# # NOTE(review): the image is resolved by its mutable tag. The digest of the image that was
# # actually built and attested is available to this job as
# # needs.argocd-image.outputs.image-digest (argocd-image is in `needs`); referencing
# # quay.io/argoproj/argocd@<that digest> would tie the SBOM to the exact attested image
# # rather than to whatever the tag points at when this job runs.
# DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
# run: |
# # NOTE(review): plain `yarn install` may resolve differently from the committed lockfile;
# # if the SBOM is meant to describe the locked UI dependency set, add --frozen-lockfile.
# yarn install --cwd ./ui
# # Both tools are pinned to explicit versions via the env block above.
# go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
# go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
# # Generate SPDX for project dependencies analyzing package managers
# for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
# do
# generator -p $folder -o /tmp
# done
# # Generate SPDX for binaries analyzing the docker image
# # (style: `[[ -n "$DOCKER_IMAGE" ]]` is the idiomatic, quoted form of this test)
# if [[ ! -z $DOCKER_IMAGE ]]; then
# bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
# fi
# cd /tmp && tar -zcf sbom.tar.gz *.spdx
# - name: Sign SBOM
# # No --key is given, so this is keyless signing with the job's OIDC identity (hence
# # id-token: write above); -y accepts the transparency-log upload prompt. The signature and
# # signing certificate are written as separate files next to the tarball and uploaded with
# # it, so verifiers need all three plus the expected signer identity.
# run: |
# cosign sign-blob \
# --output-certificate=/tmp/sbom.tar.gz.pem \
# --output-signature=/tmp/sbom.tar.gz.sig \
# -y \
# /tmp/sbom.tar.gz
# - name: Upload SBOM and signature assets
# uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# # Matches sbom.tar.gz, sbom.tar.gz.sig and sbom.tar.gz.pem.
# files: |
# /tmp/sbom.tar.*
# # After a release: moves the mutable `stable` tag to this tag when it is the newest non-rc
# # tag, and, for an x.y.0 release, opens a PR that bumps VERSION on master to x.(y+1).0.
# post-release:
# needs:
# - argocd-image
# - goreleaser
# - generate-sbom
# permissions:
# contents: write # Needed to push commit to update stable tag
# pull-requests: write # Needed to create PR for VERSION update.
# if: github.repository == 'argoproj/argo-cd'
# runs-on: ubuntu-22.04
# steps:
# - name: Checkout code
# # Same commit SHA as the checkout in the goreleaser job (v3.5.2); the version comment was
# # wrong here.
# uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
# with:
# fetch-depth: 0
# token: ${{ secrets.GITHUB_TOKEN }}
# - name: Setup Git author information
# run: |
# set -ue
# # NOTE(review): the author e-mail is obfuscated in this rendering ("[email protected]"); it
# # is a runtime value, so take it from the real file, not from this copy.
# git config --global user.email '[email protected]'
# git config --global user.name 'CI'
# - name: Check if tag is the latest version and not a pre-release
# run: |
# set -xue
# # Fetch all tag information
# git fetch --prune --tags --force
# # Newest tag in version order, with "-rc" suffixes sorted as pre-releases.
# LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
# PRE_RELEASE=false
# # Check if latest tag is a pre-release
# if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
# PRE_RELEASE=true
# fi
# # Ensure latest tag matches github.ref_name & not a pre-release
# # NOTE(review): the tag name is expanded directly into shell here, in `git tag -f` below and
# # in the SOURCE_TAG assignment further down; the derived NEW_VERSION is then echoed the same
# # way. Git refnames may contain `$`, `;` or backticks, so a crafted tag would be executed
# # with this job's contents:write / pull-requests:write token. Only an actor who can already
# # push v* tags can do that, but the safe form costs nothing: put
# # `env: TAG: ${{ github.ref_name }}` on each of these steps and use `"$TAG"` in the script
# # (and `"$NEW_VERSION"` for the VERSION write).
# if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
# echo "TAG_STABLE=true" >> $GITHUB_ENV
# else
# echo "TAG_STABLE=false" >> $GITHUB_ENV
# fi
# - name: Update stable tag to latest version
# # Rewrites and force-pushes the mutable `stable` tag with GITHUB_TOKEN. Any tag protection
# # rule must allow that token, and consumers of `stable` must expect it to move.
# run: |
# git tag -f stable ${{ github.ref_name }}
# git push -f origin stable
# if: ${{ env.TAG_STABLE == 'true' }}
# - name: Check to see if VERSION should be updated on master branch
# run: |
# set -xue
# SOURCE_TAG=${{ github.ref_name }}
# # Strip everything up to and including the first "v" (vX.Y.Z -> X.Y.Z).
# VERSION_REF="${SOURCE_TAG#*v}"
# # Only a minor release (patch level 0) bumps VERSION on master, to the next minor.
# if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0$';then
# VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF}")
# echo "Updating VERSION to: $VERSION"
# echo "UPDATE_VERSION=true" >> $GITHUB_ENV
# echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
# else
# echo "Not updating VERSION"
# echo "UPDATE_VERSION=false" >> $GITHUB_ENV
# fi
# - name: Update VERSION on master branch
# run: |
# echo ${{ env.NEW_VERSION }} > VERSION
# if: ${{ env.UPDATE_VERSION == 'true' }}
# - name: Create PR to update VERSION on master branch
# uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
# # NOTE(review): no `token:` input is given, so the PR is opened with GITHUB_TOKEN; if CI is
# # expected to run on that PR, check whether events produced by GITHUB_TOKEN trigger your
# # workflows, and whether `base: master` matches the default branch of this repository.
# with:
# commit-message: Bump version in master
# title: "chore: Bump version in master"
# body: All images built from master should indicate which version we are on track for.
# signoff: true
# branch: update-version
# branch-suffix: random
# base: master
# if: ${{ env.UPDATE_VERSION == 'true' }}