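name: latest-release

# Build "latest" container, run e2e tests against it, and deploy it to
# https://trustify-latest-staging.apps.cluster.trustification.rocks/
#
# Job flow: init (derive the version/tag from the pushed ref) -> build
# (reusable workflow) -> publish (push images to ghcr.io) -> deploy.
#
# NOTE(review): the third-party actions below are referenced by mutable tags
# (@v4, @v2, @v1) or by branch (@main). Pinning each one to a reviewed full
# commit SHA keeps a re-tagged or compromised upstream from running in the
# jobs that hold the registry and cluster credentials.

on:
  push:
    branches:
      - main
      - release/*
  workflow_dispatch:

# One run per ref at a time; a newer push queues instead of cancelling a
# publish that is already in progress.
concurrency:
  group: latest-release-${{ github.ref }}
  cancel-in-progress: false

env:
  OPENSHIFT_NAMESPACE: trustify-latest
  OPENSHIFT_SERVER: https://api.cluster.trustification.rocks:6443
  APP_NAME: staging

jobs:
  init:
    runs-on: ubuntu-24.04
    # This job only runs shell that inspects the ref; no step uses the token.
    permissions: {}
    outputs:
      version: ${{ steps.version.outputs.version }}
      prerelease: ${{ steps.state.outputs.prerelease }}
    steps:
      - name: Evaluate pre-release state
        id: state
        # Ref names are chosen by whoever pushes the branch. They are handed
        # to the script as environment variables instead of being expanded
        # into the script text, so the shell never parses them as code.
        env:
          HEAD_REF: ${{ github.head_ref }}
          EVENT_REF: ${{ github.event.ref }}
        run: |
          test -z "${HEAD_REF}" && (echo 'do-publish=true' >> "$GITHUB_OUTPUT")
          if [[ "${EVENT_REF}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo release=true >> "$GITHUB_OUTPUT"
            echo release=true >> "$GITHUB_ENV"
          elif [[ "${EVENT_REF}" =~ ^refs/tags/v.*$ ]]; then
            echo prerelease=true >> "$GITHUB_OUTPUT"
            echo prerelease=true >> "$GITHUB_ENV"
          fi

      - name: Set version
        id: version
        # Same reason as above: the ref reaches the script through env only.
        env:
          REF: ${{ github.ref }}
        run: |
          # Last path segment of the ref: refs/heads/main -> main.
          VERSION=$(echo "${REF}" | sed -e 's,.*/\(.*\),\1,')
          # Tags drop the leading "v"; main is published as "latest".
          [[ "${REF}" == "refs/tags/"* ]] && VERSION=$(echo "$VERSION" | sed -e 's/^v//')
          [[ "$VERSION" == "main" ]] && VERSION=latest
          [[ "${REF}" == "refs/heads/release/"* ]] && VERSION=$(echo "$VERSION" | sed -e 's/^release\///')
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "version=$VERSION" >> "$GITHUB_ENV"

      - name: Show result
        run: |
          echo "Version: $version"
          echo "Release: $release"
          echo "Pre-release: $prerelease"

  build:
    needs: [init]
    uses: ./.github/workflows/build-binary.yaml
    with:
      version: ${{ needs.init.outputs.version }}

  publish:
    needs: [init, build]
    runs-on: ubuntu-24.04
    outputs:
      # The original read steps.push.outputs.registry-path, but no step has
      # the id "push", so the output was always empty.
      # NOTE(review): presumably trustd is the server image that deploy
      # expects in SERVER_IMAGE - confirm.
      image: ${{ steps.push-trustd.outputs.registry-path }}
    # packages: write is what the ghcr.io pushes below rely on.
    # NOTE(review): no step visible in this file uses contents, id-token or
    # attestations write; presumably ./.github/actions/build-container does.
    # Confirm, and drop whichever scopes are unused.
    permissions:
      contents: write
      packages: write
      id-token: write
      attestations: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          path: ${{ github.workspace }}/download

      - name: Display downloaded content
        run: ls -R "${{ github.workspace }}/download"

      # Build the container
      - uses: ./.github/actions/build-container
        with:
          image_tag: ${{ needs.init.outputs.version }}

      # Push to ghcr.io
      - name: Push to ghcr.io (trustd)
        id: push-trustd
        uses: redhat-actions/push-to-registry@v2
        with:
          image: trustd
          tags: ${{ needs.init.outputs.version }}
          registry: ghcr.io/${{ github.repository_owner }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push to ghcr.io (xtask)
        id: push-xtask
        uses: redhat-actions/push-to-registry@v2
        with:
          image: xtask
          tags: ${{ needs.init.outputs.version }}
          registry: ghcr.io/${{ github.repository_owner }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push to ghcr.io (gensbom)
        id: push-gensbom
        uses: redhat-actions/push-to-registry@v2
        with:
          image: gensbom
          tags: ${{ needs.init.outputs.version }}
          registry: ghcr.io/${{ github.repository_owner }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

  deploy:
    # NOTE(review): as written this condition cannot be true. `init` is not
    # listed under `needs`, so needs.init.outputs.version is empty in this
    # job, and init rewrites "main" to "latest" in any case. If that is a
    # deliberate way of keeping the deploy switched off, say so here;
    # otherwise add `init` to `needs` and compare against 'latest'.
    if: ${{ (github.repository == 'guacsec/trustify') && (needs.init.outputs.version == 'main') }}
    runs-on: ubuntu-24.04
    needs:
      - publish
    steps:
      - name: Log in and set context
        uses: redhat-actions/oc-login@v1
        with:
          openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

      # NOTE(review): referenced by branch (@main), so whatever is on that
      # branch at run time executes after the cluster login above. The
      # operator bundle is likewise taken by the floating tag :latest.
      # Consider a reviewed commit SHA and an image digest instead.
      - name: Install trustify
        uses: trustification/trustify-operator/.github/actions/install-trustify@main
        env:
          SERVER_IMAGE: ${{ needs.publish.outputs.image }}
        with:
          operator-bundle-image: ghcr.io/trustification/trustify-operator-bundle:latest
          trustify-cr: '{"kind":"Trustify","apiVersion":"org.trustify/v1alpha1","metadata":{"name":"${{ env.APP_NAME }}"},"spec":{"serverImage":"${{ env.SERVER_IMAGE }}"}}'
          namespace: ${{ env.OPENSHIFT_NAMESPACE }}
          app-name: ${{ env.APP_NAME }}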