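# Release workflow: builds the webhook binaries and Helm chart, creates a
# GitHub release, and publishes the container image.
name: On release

# Manual trigger only. The guard job rejects any dispatch whose ref is not a
# tag.
on:
  workflow_dispatch:

# Deny-all default for GITHUB_TOKEN. Jobs that need a scope declare their own
# `permissions` block (release: contents write; publish: contents read and
# id-token write).
permissions: {}

# Exported to every step of every job. No expression in this workflow reads
# them by name; presumably the Makefile does - confirm.
env:
  REGISTRY: docker.io
  REPO: rancher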
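jobs:
  # Gate for every other job: fail early unless the workflow was dispatched on
  # a tag, because github.ref_name is used below as the release version and the
  # image tag.
  guard:
    runs-on: ubuntu-latest
    steps:
      - name: Ensure ref is a tag
        run: |
          if [ "$GITHUB_REF_TYPE" != "tag" ]; then
            echo "::error::This workflow must be dispatched on a tag ref (got ${GITHUB_REF_TYPE} '${GITHUB_REF}')"
            exit 1
          fi

  # Builds one binary per architecture and uploads it with its checksum and the
  # packaged chart. Runs with the workflow-level empty permission set.
  build:
    needs: guard
    name: build and package
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch:
          - amd64
          - arm64
    steps:
      - name: Checkout repository
        # Third-party actions are pinned to a full commit SHA; the trailing
        # comment records the release the pin is meant to track.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not keep the job token configured for git after checkout; no
          # later step visible in this job performs an authenticated git
          # operation.
          persist-credentials: false
      - name: Build Binary
        env:
          # The tag name reaches make through the environment rather than
          # being interpolated into the command line.
          GIT_TAG: ${{ github.ref_name }}
        # matrix.arch comes from the static list above, not from user input.
        run: make build ARCH=${{ matrix.arch }}
      - name: Package Helm Chart
        env:
          GIT_TAG: ${{ github.ref_name }}
        run: make package-helm
      - name: Prepare Artifacts
        run: |
          mkdir -p dist/artifacts
          cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
          cd dist/artifacts
          sha256sum webhook-linux-${{ matrix.arch }} > sha256sum-${{ matrix.arch }}.txt
      - name: Upload artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: webhook-artifacts-${{ matrix.arch }}
          path: |
            dist/artifacts/webhook-linux-${{ matrix.arch }}
            dist/artifacts/sha256sum-${{ matrix.arch }}.txt
            dist/artifacts/rancher-webhook-*.tgz

  # Collects both build artifacts and creates the GitHub release for the tag.
  # This is the only job granted write access to repository contents.
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # This job's token can write repository contents, so it is not left
          # configured for git while `make package-helm` runs. The release
          # step receives the token explicitly through GITHUB_TOKEN.
          persist-credentials: false
      # NOTE(review): both build legs already upload rancher-webhook-*.tgz and
      # both artifacts are downloaded into dist/artifacts below, so the chart
      # is packaged in three places. Presumably the outputs are identical -
      # confirm.
      - name: Package Helm Chart
        env:
          GIT_TAG: ${{ github.ref_name }}
        run: make package-helm
      - name: Download the amd64 artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: webhook-artifacts-amd64
          path: dist/artifacts
      - name: Download the arm64 artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: webhook-artifacts-arm64
          path: dist/artifacts
      # NOTE(review): the sha256sum files are published in the same release as
      # the binaries they cover, and this job produces no signature over the
      # binaries or the chart. The checksums therefore detect a corrupted
      # download, not a modified release.
      - name: Upload the files
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.ref_name }}
        run: |
          ls -lR dist
          cd dist/artifacts
          # --verify-tag makes gh abort if the tag does not already exist in
          # the remote repository.
          flags=(--verify-tag --generate-notes)
          # Tags containing "-rc" are published as pre-releases.
          if [[ "$VERSION" == *-rc* ]]; then
            flags+=(--prerelease)
          fi
          gh --repo "$GITHUB_REPOSITORY" release create "$VERSION" "${flags[@]}" webhook-linux-* sha256sum-*.txt rancher-webhook*.tgz

  # Builds and pushes the container image. Depends only on guard, so it is
  # scheduled alongside build rather than after build and release.
  publish:
    needs: guard
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # Required for cosign signing
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # NOTE(review): assumes the publish-image action and its make
          # targets need no authenticated git access - confirm.
          persist-credentials: false
      # Each line maps a Vault path and field to a name. The publish step
      # reads those names through the env context, so they are environment
      # variables for the rest of this job.
      - name: "Read vault secrets"
        uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | PRIME_STG_REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | PRIME_STG_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | PRIME_STG_REGISTRY_PASSWORD
      - name: Publish image
        uses: rancher/ecm-distro-tools/actions/publish-image@f4bd7fb86369595b07ce36e57f4a1455381ad82b # v0.68.1
        with:
          image: rancher-webhook
          tag: ${{ github.ref_name }}
          platforms: linux/amd64,linux/arm64
          public-registry: docker.io
          public-repo: rancher
          public-username: ${{ env.DOCKER_USERNAME }}
          public-password: ${{ env.DOCKER_PASSWORD }}
          push-to-prime: true
          prime-repo: rancher
          prime-make-target: push-prime-image
          # The push target comes from the Vault entry for the staging
          # registry; the identity registry hostname is a repository variable.
          identity-registry: ${{ vars.PRIME_REGISTRY_HOSTNAME }}
          prime-registry: ${{ env.PRIME_STG_REGISTRY }}
          prime-username: ${{ env.PRIME_STG_REGISTRY_USERNAME }}
          prime-password: ${{ env.PRIME_STG_REGISTRY_PASSWORD }}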