Merge pull request #971 from fluxcd/backport-fix-release-v1.0.x

[release/v1.0.x] Fix release workflow

Author: matheuscscp

.github/workflows/backport.yaml

@@ -1,31 +1,12 @@
 name: backport
-
 on:
   pull_request_target:
     types: [closed, labeled]
-
 jobs:
-  pull-request:
-    runs-on: ubuntu-latest
+  backport:
     permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@ca4972adce8039ff995e618f5fc02d1b7961f27a # v3.3.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+      contents: write # for reading and creating branches.
+      pull-requests: write # for creating pull requests against release branches.
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build.yaml

@@ -4,39 +4,22 @@ on:
   pull_request:
   push:
     branches: [ 'main', 'release/**' ]
-
-permissions:
-  contents: read # for actions/checkout to fetch code
-
 jobs:
   test-linux-amd64:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for reading the repository code.
     steps:
-    - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-    - name: Setup Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: 1.25.x
-        cache-dependency-path: |
-          **/go.sum
-          **/go.mod
-    - name: Setup QEMU
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-    - name: Setup Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-    - name: Run tests
-      run: make test
-    - name: Verify
-      run: make verify
-    - name: Build multi-arch container image
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-      with:
-        push: false
-        builder: ${{ steps.buildx.outputs.name }}
-        context: .
-        file: ./Dockerfile
-        platforms: linux/amd64,linux/arm/v7,linux/arm64
-        tags: |
-          ${{ github.repository }}:latest
+      - name: Test suite setup
+        uses: fluxcd/gha-workflows/.github/actions/[email protected]
+        with:
+          go-version: 1.25.x
+      - name: Run tests
+        run: make test
+      - name: Verify
+        run: make verify
+      - name: Build container image
+        run: |
+          make docker-build IMG=ghcr.io/fluxcd/${{ github.event.repository.name }} \
+            BUILD_PLATFORMS=linux/amd64 \
+            BUILD_ARGS="--load"

.github/workflows/cifuzz.yaml

@@ -2,22 +2,15 @@ name: fuzz
 on:
   pull_request:
     branches: [ 'main', 'release/**' ]
-
-permissions:
-  contents: read # for actions/checkout to fetch code
-
 jobs:
   smoketest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for reading the repository code.
     steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - name: Test suite setup
+        uses: fluxcd/gha-workflows/.github/actions/[email protected]
         with:
           go-version: 1.25.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
       - name: Smoke test Fuzzers
         run: make fuzz-smoketest

.github/workflows/release.yaml

@@ -0,0 +1,66 @@
+name: release
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'image tag prefix'
+        default: 'rc'
+        required: true
+jobs:
+  release:
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    with:
+      controller: ${{ github.event.repository.name }}
+      release-candidate-prefix: ${{ github.event.inputs.tag }}
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      dockerhub-token: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+  release-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release.outputs.release-digests }}"
+      upload-assets: true
+  dockerhub-provenance:
+    needs: [release]
+    permissions:
+      contents: read # for reading the repository code.
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.release.outputs.image-name }}
+      digest: ${{ needs.release.outputs.image-digest }}
+      registry-username: ${{ github.repository_owner == 'fluxcd' && 'fluxcdbot' || github.repository_owner }}
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+  ghcr-provenance:
+    needs: [release]
+    permissions:
+      contents: read # for reading the repository code.
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ needs.release.outputs.image-name }}
+      digest: ${{ needs.release.outputs.image-digest }}
+      registry-username: fluxcdbot # not necessary for ghcr.io
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}