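# Release pipeline for scc-operator.
#
# Runs on every tag push. `ci` (reusable workflow) gates everything;
# `goreleaser` builds the binaries, creates the GitHub release and attests
# provenance; `image` builds and pushes the container images; `release`
# un-drafts the GitHub release once all of the above succeeded.
name: Publish Images & artifacts (via goreleaser)

on:
  push:
    tags:
      - "*"

env:
  PUBLIC_REGISTRY: docker.io
  REPO: rancher

# Workflow-level token permissions. A job that declares its own `permissions`
# block replaces this set entirely; `goreleaser` declares none and therefore
# inherits all three (contents: write to create the release, id-token and
# attestations: write for the provenance step).
permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  ci:
    uses: ./.github/workflows/ci.yml
    permissions:
      contents: read

  goreleaser:
    # Provide binary (for dev/debug only) on releases
    # In the future, if needed, we can also publish a chart via this step too (similar to BRO) [even if just a dev chart]
    needs: [ci]
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rancher/ci-image/go1.25
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full clone, not a shallow one; tags are re-fetched explicitly below.
          fetch-depth: 0
      - run: git fetch --force --tags
      - name: Run goreleaser
        # The step writes `metadata` and `artifacts` to GITHUB_OUTPUT; without
        # an `id` those outputs exist but cannot be referenced by later steps.
        id: goreleaser
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
        shell: bash
        run: |-
          set -euo pipefail
          goreleaser release --clean
          # Both JSON files must exist and be non-empty before they are
          # flattened to a single line and exported as step outputs.
          if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
            echo "Missing required file: dist/metadata.json"
            exit 1
          fi
          if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
            echo "Missing required file: dist/artifacts.json"
            exit 1
          fi
          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: dist/scc-operator_*

  image:
    name: Build and push SCC-operator images
    needs: [ci]
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rancher/ci-image/go1.25
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Vault is only consulted in the upstream repository. Forks skip this
      # step, so the publish step below falls back to repository vars/secrets
      # for Docker Hub and does not push to the prime registry.
      - name: "Read Secrets"
        if: github.repository == 'rancher/scc-operator'
        uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | PRIME_STG_REGISTRY;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | PRIME_STG_REGISTRY_USERNAME;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | PRIME_STG_REGISTRY_PASSWORD;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      # This encapsulates: login, qemu, build/push
      - name: Build and push scc-operator image (dockerhub and prime stg)
        uses: rancher/ecm-distro-tools/actions/publish-image@da9f5b6e258c327660eeab3db97952b612f1cf9f # v0.69.3
        with:
          image: 'scc-operator'
          tag: ${{ github.ref_name }}
          public-registry: ${{ env.PUBLIC_REGISTRY }}
          public-repo: ${{ env.REPO }}
          public-username: ${{ env.DOCKER_USERNAME || vars.DOCKER_USERNAME || github.repository_owner }}
          public-password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
          push-to-prime: ${{ github.repository == 'rancher/scc-operator' }}
          prime-registry: ${{ env.PRIME_STG_REGISTRY }}
          prime-repo: ${{ env.REPO }}
          prime-username: ${{ env.PRIME_STG_REGISTRY_USERNAME }}
          prime-password: ${{ env.PRIME_STG_REGISTRY_PASSWORD }}
          identity-registry: ${{ env.PRIME_STG_REGISTRY }}
      # The script is expected to emit HAS_PRERELEASE=<true|false>; the prod
      # steps below key off it.
      - name: Check SemVer Characteristics
        id: semver_check
        # The tag name goes through an environment variable instead of being
        # interpolated into the command text: `${{ }}` is expanded before the
        # shell starts, so a tag containing shell metacharacters would be
        # interpreted as part of the command. As an env var it is plain data.
        env:
          TAG: ${{ github.ref_name }}
        run: bash ./.github/scripts/check-semver "$TAG" >> "$GITHUB_OUTPUT"
      # Production registry credentials are read only for upstream,
      # non-prerelease tags.
      - name: "Read prime prod secrets"
        if: ${{github.repository == 'rancher/scc-operator' && steps.semver_check.outputs.HAS_PRERELEASE == 'false'}}
        uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD;
      - name: Build and push scc-operator image (prod)
        if: ${{github.repository == 'rancher/scc-operator' && steps.semver_check.outputs.HAS_PRERELEASE == 'false'}}
        uses: rancher/ecm-distro-tools/actions/publish-image@da9f5b6e258c327660eeab3db97952b612f1cf9f # v0.69.3
        with:
          image: 'scc-operator'
          tag: ${{ github.ref_name }}
          push-to-public: false
          push-to-prime: true
          prime-registry: ${{ env.PRIME_REGISTRY }}
          prime-repo: rancher
          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

  release:
    name: Un-draft release
    runs-on: ubuntu-latest
    needs: [ci, goreleaser, image]
    permissions:
      contents: write
    steps:
      - name: Fully publish release (retry until visible)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Same reasoning as in the semver step: the tag name is passed as
          # data, never spliced into the script text.
          TAG: ${{ github.ref_name }}
        shell: bash
        run: |
          set -euo pipefail
          tag="$TAG"
          # The release created by goreleaser can lag behind; poll up to
          # 12 times, 10s apart, before giving up.
          for i in {1..12}; do
            if gh release view -R "${{ github.repository }}" "$tag" >/dev/null 2>&1; then
              gh release edit -R "${{ github.repository }}" "$tag" --draft=false
              exit 0
            fi
            echo "Release '$tag' not found yet (attempt $i/12). Sleeping 10s..."
            sleep 10
          done
          echo "Release '$tag' still not found after retries; failing."
          exit 1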