Skip to content
Release

Release #12

Sign in to view logs

Release

Release #12

Workflow file for this run

.github/workflows/release.yaml at 7938d52
name: Release
on:
release:
types:
- published
schedule:
- cron: '0 1 * * 1-5' # 1 AM UTC is 5 PM PST/ 6 PM PDT
workflow_dispatch:
permissions:
contents: read
jobs:
publish-image:
permissions:
contents: write # Used to upload assets
packages: write # Used to push images to `ghcr.io`
id-token: write # Needed to create an OIDC token for keyless signing
runs-on: ubuntu-latest
services:
registry:
image: registry:3.0.0
ports:
- 5000:5000
outputs:
image-digest: ${{ steps.image.outputs.digest }}
kargo-repo: ${{ steps.repo.outputs.repo }}
unstable-version: ${{ steps.unstable-version.outputs.unstable-version }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Determine which repository to use for images
id: repo
run: |
REPO=ghcr.io/akuity/kargo
if ${{ github.event_name != 'release' }}
then
REPO=ghcr.io/akuity/kargo-unstable
fi
echo "Repository is set to: $REPO"
echo "repo=$REPO" >> $GITHUB_OUTPUT
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: '1.26.0'
- name: Set version for unstable builds
id: unstable-version
run: |
set -xue
# Once Kargo goes to v2, we need to replace github.com/akuity/kargo with github.com/akuity/kargo/v2 on the next line
LATEST_VERSION=$(go list -m -versions github.com/akuity/kargo | awk '{print $NF}' | awk -F "." '{print $1"."$2".0"}')
NEW_VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${LATEST_VERSION}")
echo "unstable-version=${NEW_VERSION}-unstable-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
driver-opts: network=host
- name: Install Cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
with:
cosign-release: 'v2.2.1' # optional
- name: Login to GHCR
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: ${{ steps.repo.outputs.repo }}
flavor: latest=false
tags: |
type=semver,pattern={{raw}}
type=raw,value=${{ steps.unstable-version.outputs.unstable-version }},enable=${{ github.event_name != 'release'}}
- name: Build base image
run: |
BASE_IMAGE=localhost:5000/kargo-base make build-base-image
docker push localhost:5000/kargo-base:latest-arm64
docker push localhost:5000/kargo-base:latest-amd64
- name: Build and push final image
id: image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
platforms: linux/amd64,linux/arm64
build-args: |
BASE_IMAGE=localhost:5000/kargo-base
VERSION=${{ github.ref_name }}
GIT_COMMIT=${{ github.sha }}
GIT_TREE_STATE=clean
tags: ${{ steps.meta.outputs.tags }}
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false
sbom: false
- name: Sign image
run: |
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "sha=${{ github.sha }}" \
--yes \
${{ steps.repo.outputs.repo}}@${{ steps.image.outputs.digest}}
- name: Publish SBOM
if: github.event_name == 'release'
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
image: ${{ steps.meta.outputs.tags }}
kargo-image-provenance:
needs:
- publish-image
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: ${{ needs.publish-image.outputs.kargo-repo }}
digest: ${{ needs.publish-image.outputs.image-digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
publish-charts:
needs: publish-image
permissions:
contents: read
packages: write # Used to push images to `ghcr.io`
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Determine which repository to use
id: chart_repo
run: |
REPO=ghcr.io/akuity/kargo-charts
if ${{ github.event_name != 'release' }}
then
REPO=ghcr.io/akuity/kargo-charts-unstable
fi
echo "Repository is set to: $REPO"
echo "chart_repo=$REPO" >> $GITHUB_OUTPUT
- name: Determine Version
id: version
run: |
VERSION=${{ github.ref_name }}
if ${{ github.event_name != 'release' }}
then
VERSION=${{ needs.publish-image.outputs.unstable-version }}
fi
echo "VERSION is set to: $VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Set up Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: '3.19.4'
- name: Login to GHCR
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Publish chart
env:
HELM_EXPERIMENTAL_OCI: '1'
KARGO_CHARTS_REPO: ${{ steps.chart_repo.outputs.chart_repo }}
VERSION: ${{ steps.version.outputs.version }}
run: |
CHART_VERSION=$(echo $VERSION | cut -c 2-)
cd charts/kargo
helm dep up
helm package . --version ${CHART_VERSION} --app-version ${VERSION}
helm push kargo-${CHART_VERSION}.tgz oci://${KARGO_CHARTS_REPO}
build-ui:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
package_json_file: ui/package.json
- name: Install nodejs
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "24.7.0"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: Build UI
env:
VERSION: ${{ github.ref_name }}
working-directory: ./ui
run: |
pnpm install
NODE_ENV=production pnpm run build
- name: Upload UI artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: ui-dist
path: ui/build
if-no-files-found: error
retention-days: 1
publish-cli:
needs: [build-ui]
if: github.event_name == 'release'
permissions:
contents: write
runs-on: ubuntu-latest
container:
image: &golangImage golang:1.26.1-trixie
strategy:
matrix:
os: [linux, darwin, windows]
arch: [amd64, arm64]
outputs:
hash-linux-amd64: ${{ steps.hash.outputs.hash-linux-amd64 }}
hash-linux-arm64: ${{ steps.hash.outputs.hash-linux-arm64 }}
hash-darwin-amd64: ${{ steps.hash.outputs.hash-darwin-amd64 }}
hash-darwin-arm64: ${{ steps.hash.outputs.hash-darwin-arm64 }}
hash-windows-amd64: ${{ steps.hash.outputs.hash-windows-amd64 }}
hash-windows-arm64: ${{ steps.hash.outputs.hash-windows-arm64 }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Download UI artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ui-dist
path: pkg/server/ui
- name: Build CLI
env:
GOFLAGS: -buildvcs=false
GOOS: ${{ matrix.os }}
GOARCH: ${{ matrix.arch }}
VERSION: ${{ github.ref_name }}
GIT_COMMIT: ${{ github.sha }}
GIT_TREE_STATE: clean
run: make build-cli
- name: Sign and Notarize CLI
if: ${{ matrix.os == 'darwin' }}
env:
QUILL_SIGN_P12: ${{ secrets.QUILL_SIGN_P12 }}
QUILL_SIGN_PASSWORD: ${{ secrets.QUILL_SIGN_PASSWORD }}
QUILL_NOTARY_KEY: ${{ secrets.QUILL_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.QUILL_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.QUILL_NOTARY_ISSUER }}
KARGO_BIN_PATH: bin/kargo-${{ matrix.os }}-${{ matrix.arch }}
run: |
make sign-and-notarize-cli
- name: Publish CLI
uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5
with:
file: bin/*
file_glob: true
repo_token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate subject
id: hash
run: |
echo "hash-${{ matrix.os }}-${{ matrix.arch }}=$(sha256sum bin/kargo* | awk -F 'bin/' '{print $1 $2}'| base64 -w0)" >> "$GITHUB_OUTPUT"
publish-unstable-cli:
needs: [publish-image, build-ui]
permissions:
id-token: write
contents: read
if: github.event_name != 'release'
runs-on: ubuntu-latest
container:
image: *golangImage
strategy:
matrix:
os: [linux, darwin, windows]
arch: [amd64, arm64]
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: /go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Download UI artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ui-dist
path: pkg/server/ui
- name: Build CLI
env:
GOFLAGS: -buildvcs=false
GOOS: ${{ matrix.os }}
GOARCH: ${{ matrix.arch }}
VERSION: ${{ needs.publish-image.outputs.unstable-version }}
GIT_COMMIT: ${{ github.sha }}
GIT_TREE_STATE: clean
run: make build-nightly-cli
- name: Sign and Notarize CLI
if: ${{ matrix.os == 'darwin' }}
env:
QUILL_SIGN_P12: ${{ secrets.QUILL_SIGN_P12 }}
QUILL_SIGN_PASSWORD: ${{ secrets.QUILL_SIGN_PASSWORD }}
QUILL_NOTARY_KEY: ${{ secrets.QUILL_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.QUILL_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.QUILL_NOTARY_ISSUER }}
KARGO_BIN_PATH: bin/kargo-cli/${{ needs.publish-image.outputs.unstable-version }}/${{ matrix.os }}/${{ matrix.arch }}/kargo
run: |
make sign-and-notarize-cli
- name: Install awscli
run: |
apt update && apt install awscli -y
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
role-to-assume: ${{ secrets.AWS_ROLE }}
aws-region: us-west-2
- name: Push binaries
env:
CF_DISTRIBUTION_ID: ${{ secrets.CF_DISTRIBUTION_ID }}
VERSION: ${{ needs.publish-image.outputs.unstable-version }}
run: |
aws s3 sync "./bin/kargo-cli/${VERSION}/${{ matrix.os }}/${{ matrix.arch }}" "s3://kargo-release/kargo-cli/${VERSION}/${{ matrix.os }}/${{ matrix.arch }}"
printf "${VERSION}" > ./bin/kargo-cli/unstable.txt
aws s3 cp ./bin/kargo-cli/unstable.txt s3://kargo-release/kargo-cli/unstable.txt
aws cloudfront create-invalidation \
--distribution-id="${CF_DISTRIBUTION_ID}" \
--paths "/kargo-cli/unstable.txt"
combine_hashes:
needs: [publish-cli]
if: github.event_name == 'release'
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hashes.outputs.hashes }}
env:
HASHES: ${{ toJSON(needs.publish-cli.outputs) }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- id: hashes
run: |
echo "$HASHES" | jq -r '.[] | @base64d' | sed "/^$/d" > hashes.txt
echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [combine_hashes]
if: github.event_name == 'release'
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
upload-assets: true # Optional: Upload to a new release
provenance-name: kargo-cli.intoto.jsonl
publish-best-releases:
needs: [publish-cli]
if: github.event_name == 'release'
permissions:
contents: read
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
container:
image: *golangImage
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Generate best releases JSON
run: |
mkdir _site
go run ./hack/best-releases > _site/best-releases.json
- name: Configure Pages
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
- name: Upload Pages artifact
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
with:
path: _site
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0