| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 |
- name: Create Release
- on:
- workflow_dispatch:
- inputs:
- version:
- description: 'version to release, e.g. v1.5.13'
- required: true
- default: 'v0.1.0'
- source_ref:
- description: 'source ref to publish from. E.g.: main or release-x.y'
- required: true
- default: 'main'
- env:
- IMAGE_NAME: ghcr.io/${{ github.repository }}
- jobs:
- release:
- name: Create Release
- runs-on: ubuntu-latest
- permissions:
- contents: write # to create a release and push new docs
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- ref: ${{ github.event.inputs.source_ref }}
- - name: Create Release
- uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
- with:
- tag_name: ${{ github.event.inputs.version }}
- target_commitish: ${{ github.event.inputs.source_ref }}
- generate_release_notes: true
- body: |
- Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
- Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
- Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- - name: Configure Git
- run: |
- git config user.name "$GITHUB_ACTOR"
- git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- - name: Update Docs
- if: github.ref == 'refs/heads/main'
- run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- promote:
- name: Promote Container Image
- runs-on: ubuntu-latest
- strategy:
- matrix:
- include:
- - tag_suffix: "" # distroless image
- - tag_suffix: "-ubi" # ubi image
- - tag_suffix: "-ubi-boringssl" # ubi image
- permissions:
- contents: write #to update the github release
- id-token: write #for keyless sign
- packages: write #to update packages with added SBOMs.
- env:
- SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
- RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- - name: Setup Go
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
- id: setup-go
- with:
- go-version-file: "go.mod"
- - name: Download Go modules
- if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
- run: go mod download
- - name: Login to Docker
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Promote Container Image
- run: make docker.promote
- - name: Build release manifests
- run: |
- # temporarily patch the version so we generate manifests with the new version
- yq e -i '.version = "${{ github.event.inputs.version }}"' ./deploy/charts/external-secrets/Chart.yaml
- yq e -i '.appVersion = "${{ github.event.inputs.version }}"' ./deploy/charts/external-secrets/Chart.yaml
- make manifests
- - name: Sign promoted image
- id: sign
- uses: ./.github/actions/sign
- with:
- image-name: ${{ env.IMAGE_NAME }}
- image-tag: ${{ env.RELEASE_TAG }}
- GHCR_USERNAME: ${{ github.actor }}
- GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Update Release
- uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
- with:
- tag_name: ${{ github.event.inputs.version }}
- files: |
- provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
- sbom.${{ env.RELEASE_TAG }}.spdx.json
- bin/deploy/manifests/external-secrets.yaml
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
