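---
# Release pipeline, run manually with a version and a source ref.
#
# Job order (enforced with `needs`):
#   1. check-docs-for-release  resolves `source_ref` to a commit SHA once,
#                              validates the inputs and runs the docs check;
#   2. release                 creates the GitHub release at that SHA and
#                              publishes the docs;
#   3. promote                 retags, signs and attaches SBOM/provenance for
#                              each image flavour, checked out at the same SHA.
#
# Resolving the ref exactly once and passing the SHA through job outputs means
# every job operates on the commit that passed the checks, even if the branch
# named in `source_ref` moves while the workflow runs.
name: Create Release

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}

# Least privilege by default; jobs that need more declare it themselves.
permissions:
  contents: read

jobs:
  check-docs-for-release:
    name: Check Docs for release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # The resolved commit is shared with the downstream jobs.
    outputs:
      sha: ${{ steps.resolve_ref.outputs.sha }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Validate version input
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail
          # The version becomes a git tag, an image tag and part of the
          # artifact file names, so restrict it to the character set that
          # all three accept (OCI tag grammar, which is the strictest).
          if [[ ! "$VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]]; then
            echo "Error: version '$VERSION' is not a valid tag name"
            exit 1
          fi

      - name: Resolve and validate ref
        id: resolve_ref
        env:
          SOURCE_REF: ${{ github.event.inputs.source_ref }}
        run: |
          set -euo pipefail
          # Try to fetch the ref from remote. FETCH_HEAD holds whatever was
          # fetched, so this works for branches as well as tags (a tag name
          # has no "origin/<name>" counterpart). "^{commit}" peels annotated
          # tags to the commit they point at.
          if git fetch origin "$SOURCE_REF"; then
            # Remote ref exists, use it
            RESOLVED_SHA=$(git rev-parse --verify "FETCH_HEAD^{commit}")
          elif git rev-parse --verify "$SOURCE_REF^{commit}" >/dev/null 2>&1; then
            # Local ref exists (e.g., a tag)
            RESOLVED_SHA=$(git rev-parse --verify "$SOURCE_REF^{commit}")
          else
            echo "Error: ref '$SOURCE_REF' not found"
            exit 1
          fi
          echo "Resolved to SHA: $RESOLVED_SHA"
          echo "sha=$RESOLVED_SHA" >> "$GITHUB_OUTPUT"

      - name: Checkout validated ref
        env:
          RESOLVED_SHA: ${{ steps.resolve_ref.outputs.sha }}
        run: git checkout "$RESOLVED_SHA"

      - name: check-docs
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
        run: |
          make docs.check

  release:
    name: Create Release
    runs-on: ubuntu-latest
    # Do not create the release unless the docs check passed.
    needs: check-docs-for-release
    permissions:
      contents: write # to create a release and push new docs
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      # Check out the exact commit validated upstream rather than re-resolving
      # the (possibly moving) ref name.
      - name: Checkout validated ref
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ needs.check-docs-for-release.outputs.sha }}
          fetch-depth: 0

      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          # Pin the new tag to the validated SHA, not to the ref name, so the
          # tag cannot land on a commit that was never checked.
          target_commitish: ${{ needs.check-docs-for-release.outputs.sha }}
          generate_release_notes: true
          body: |
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Configure Git
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Secrets are read from the environment inside the script instead of
        # being templated into it with ${{ }}.
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git"

      - name: Update Docs
        # NOTE: github.ref is the ref the workflow was dispatched from, not
        # the `source_ref` input — confirm that is the intended gate.
        if: github.ref == 'refs/heads/main'
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make docs.publish DOCS_ALIAS=latest

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest
    # Runs after the release exists so "Update Release" only attaches files
    # and never races the release job to create the release itself.
    needs: [check-docs-for-release, release]
    strategy:
      matrix:
        include:
          - tag_suffix: "" # distroless image
          - tag_suffix: "-ubi" # ubi image
          - tag_suffix: "-ubi-boringssl" # ubi image built against boringssl
    permissions:
      contents: write # to update the github release
      id-token: write # for keyless sign
      packages: write # to update packages with added SBOMs.
    env:
      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
      RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}
    steps:
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      # Manifests and the local sign action are taken from the validated
      # commit, matching what the release was created from.
      - name: Checkout validated ref
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ needs.check-docs-for-release.outputs.sha }}
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        run: go mod download

      - name: Login to Docker
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Promote Container Image
        run: make docker.promote

      - name: Build release manifests
        env:
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # temporarily patch the version so we generate manifests with the new version
          yq e -i ".version = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          yq e -i ".appVersion = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          make manifests

      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}

      - name: Update Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          files: |
            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
            sbom.${{ env.RELEASE_TAG }}.spdx.json
            bin/deploy/manifests/external-secrets.yaml
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"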