
feat(tooling): add minor-rc, patch-rc, major-rc for 0.39.x->0.40.0-rc.1 #3

Workflow file for this run

# Simplified CI: lint, test, build; on tag also build-push image, chart, goreleaser.
# Replaces pr.yaml and the tag-driven parts of release-please.
#
# On tag (v*): release workflow has already bumped Chart/values/package.json and pushed
# the tag. This workflow:
# - build-push-gitops-server: builds and pushes gitops-server image (:tag, :latest)
# with provenance (mode=max) and SBOM attestations; keyless cosign signing and verify
# - build-and-push-chart: packages Helm chart, pushes OCI, keyless cosign sign and verify
# - goreleaser: builds gitops CLI binaries (linux/darwin, amd64/arm64), signs with cosign,
# uploads to GitHub Release (mode: keep-existing). For non-prerelease tags, includes
# Homebrew tap publish (.goreleaser.brew.yml).
#
# Runs on main and feature/re-implement-workflows (for testing). Fork-friendly: image,
# chart and goreleaser use github.repository / github.repository_owner (your fork when
# run in a fork).
name: CI

# Triggers: pushes to the two listed branches, pushes of v* tags, pull requests
# targeting those branches, and manual dispatch.
on:
  push:
    branches:
      - main
      - feature/re-implement-workflows
    tags:
      - "v*"
  pull_request:
    branches:
      - main
      - feature/re-implement-workflows
  workflow_dispatch:

# One concurrency group per workflow and ref. Only pull_request runs cancel an
# in-progress run; branch and tag pushes run to completion.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide default for GITHUB_TOKEN is read-only. The tag-only jobs
# declare their own, wider job-level permissions.
permissions:
  contents: read
  pull-requests: read

# NOTE(review): no step in this workflow reads PYTHON_VERSION - confirm it is
# still needed.
env:
  PYTHON_VERSION: "3.12"
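jobs:
  # NOTE(review): apart from fluxcd/flux2/action, every third-party action in
  # this workflow is referenced by a mutable tag (@v4, @v5, ...). The tag-only
  # jobs hold packages: write / contents: write and id-token: write, so a
  # re-pointed tag would run with signing and publishing rights. Pin each
  # `uses:` to a full commit SHA, as is already done for the flux action.

  # Lints commit messages. Skipped on tag pushes.
  conventional-commits:
    name: Conventional Commits
    runs-on: ubuntu-latest
    if: "!startsWith(github.ref, 'refs/tags/')"
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so commitlint can see the whole commit range.
          fetch-depth: 0
      - uses: wagoid/commitlint-github-action@v5

  # Format, codegen drift check, build, lint, UI checks and unit tests.
  build-and-test:
    name: Build and Test
    needs:
      - conventional-commits
    # Without a status-check function GitHub implies success(), which skips
    # this job whenever a needed job was skipped (always the case on tag
    # pushes). !cancelled() lets the explicit result checks below decide.
    if: >-
      ${{ !cancelled() &&
      (startsWith(github.ref, 'refs/tags/') ||
      needs.conventional-commits.result == 'success' ||
      needs.conventional-commits.result == 'skipped') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: actions/setup-node@v4
        with:
          node-version-file: package.json
          cache: yarn
      - uses: fluxcd/flux2/action@4a15fa6a023259353ef750acf1c98fe88407d4d0
      - name: Install buf and add to PATH
        run: |
          go install github.com/bufbuild/buf/cmd/buf@v1.48.0
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      # Order: clean, fmt, proto, git diff, gitops, gitops-server, lint, ui,
      # ui-audit, ui-lint, ui-test, unit-tests
      - run: make clean
      - run: make fmt
      - run: make proto
      # Fails the job if fmt/proto changed any tracked file.
      - run: git diff --no-ext-diff --exit-code
      - run: make gitops
      - run: make gitops-server
      - run: make lint
      - run: make ui
      - run: make ui-audit
      - run: make ui-lint
      - run: make ui-test
      - run: make unit-tests

  # --- Tag-only: image, chart, goreleaser ---

  # Builds and pushes the multi-arch gitops-server image with provenance and
  # SBOM attestations, then signs and verifies it by digest.
  build-push-gitops-server:
    name: Build and push gitops-server image
    needs:
      - build-and-test
    # !cancelled() keeps the skipped conventional-commits job further up the
    # chain from skipping this job; build-and-test must still have succeeded.
    if: >-
      ${{ !cancelled() &&
      github.event_name == 'push' &&
      startsWith(github.ref, 'refs/tags/v') &&
      needs.build-and-test.result == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # OIDC token for keyless cosign signing.
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # NOTE(review): FLUX_VERSION is exported here but not passed to
      # build-args below - confirm whether the dockerfile needs it.
      - name: Set build env
        run: |
          TAG_VER="${GITHUB_REF#refs/tags/v}"
          echo "LDFLAGS=$(make echo-ldflags CHART_VERSION="$TAG_VER")" >> "$GITHUB_ENV"
          echo "FLUX_VERSION=$(make echo-flux-version)" >> "$GITHUB_ENV"
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): :latest moves on every v* tag, including prerelease tags
      # such as -rc.N, while the goreleaser job treats tags containing '-' as
      # prereleases. Confirm that :latest should follow prereleases.
      - name: Build and push gitops-server
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: gitops-server.dockerfile
          build-args: |
            LDFLAGS=${{ env.LDFLAGS }}
            GIT_COMMIT=${{ github.sha }}
          push: true
          provenance: "mode=max"
          sbom: true
          tags: |
            ghcr.io/${{ github.repository }}/gitops-server:${{ github.ref_name }}
            ghcr.io/${{ github.repository }}/gitops-server:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      # Context values reach the script through env, not ${{ }} text
      # substitution, so a ref name is never parsed as shell.
      - name: Keyless signing of image
        env:
          IMAGE_REF: ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }}
        run: |
          cosign sign --yes "$IMAGE_REF"
      - name: Verify the image signing
        env:
          IMAGE_REF: ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }}
          CERT_IDENTITY: https://github.com/${{ github.workflow_ref }}
        run: |
          # The default run shell is `bash -e` without pipefail, so a failed
          # `cosign verify` would be masked by jq's exit status.
          set -o pipefail
          cosign verify "$IMAGE_REF" \
            --certificate-identity "$CERT_IDENTITY" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .

  # Packages the Helm chart, pushes it as an OCI artifact, then signs and
  # verifies it by digest.
  build-and-push-chart:
    name: Build and push Helm chart
    needs:
      - build-and-test
    if: >-
      ${{ !cancelled() &&
      github.event_name == 'push' &&
      startsWith(github.ref, 'refs/tags/v') &&
      needs.build-and-test.result == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # OIDC token for keyless cosign signing.
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - uses: azure/setup-helm@v4
        with:
          version: "v3.17.0"
      # The token is handed over as an environment variable and piped on
      # stdin; it is not substituted into the script text.
      - name: Helm registry login
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "$GHCR_USER" --password-stdin
      - name: Package and push chart
        id: push-chart
        env:
          OCI_REPO: oci://ghcr.io/${{ github.repository_owner }}
        run: |
          # Without pipefail a failed `helm push` is hidden behind tee.
          set -o pipefail
          helm package charts/gitops-server -d /tmp
          CHART=$(ls /tmp/weave-gitops-*.tgz)
          helm push "$CHART" "$OCI_REPO" 2>&1 | tee /tmp/push.log
          # The digest is the identity that gets signed; stop if it is missing.
          CHART_DIGEST=$(awk '/Digest: /{print $2}' /tmp/push.log)
          [ -n "$CHART_DIGEST" ] || { echo "Could not parse digest from helm push"; cat /tmp/push.log; exit 1; }
          echo "digest=$CHART_DIGEST" >> "$GITHUB_OUTPUT"
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      - name: Keyless signing of chart
        env:
          CHART_REF: ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }}
        run: |
          cosign sign --yes "$CHART_REF"
      - name: Verify the chart signing
        env:
          CHART_REF: ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }}
          CERT_IDENTITY: https://github.com/${{ github.workflow_ref }}
        run: |
          # pipefail so that a failed verification fails the step, not jq.
          set -o pipefail
          cosign verify "$CHART_REF" \
            --certificate-identity "$CERT_IDENTITY" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .

  # Builds the gitops CLI release with goreleaser.
  goreleaser:
    name: Goreleaser (gitops CLI)
    needs:
      - build-and-test
    if: >-
      ${{ !cancelled() &&
      github.event_name == 'push' &&
      startsWith(github.ref, 'refs/tags/v') &&
      needs.build-and-test.result == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      # Write access for uploading release assets.
      contents: write
      id-token: write
    env:
      # NOTE(review): hard-coded here, while the image job derives it from
      # `make echo-flux-version` - confirm the two cannot drift apart.
      FLUX_VERSION: "2.7.2"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: fluxcd/flux2/action@4a15fa6a023259353ef750acf1c98fe88407d4d0
      - name: Set CHART_VERSION from tag
        run: |
          echo "CHART_VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_ENV"
      # Only tags without '-' (non-prerelease) get the Homebrew tap config.
      # NOTE(review): this appends to a tracked file; confirm goreleaser's
      # dirty-tree validation accepts it with `release --clean`.
      - name: Include brew publishing
        if: "!contains(github.ref_name, '-')"
        run: cat .goreleaser.brew.yml >> .goreleaser.yml
      - name: Install cosign
        uses: sigstore/cosign-installer@v4
      - uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: "v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FLUX_VERSION: ${{ env.FLUX_VERSION }}
          CHART_VERSION: ${{ env.CHART_VERSION }}
          BRANCH: ${{ github.ref_name }}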