Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6a1373e338
Branches Tags
helm-externa...
/
.github
/
workflows
/
rebuild-image.yml

rebuild-image.yml 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 
  1. name: Rebuild
    2. 

  2. 

  3. on:
    4. 

  4.   workflow_dispatch:
    5. 

  5.     inputs:
    6. 

  6.       ref:
    7. 

  7.         description: 'ref to rebuild, can be a tag, branch or commit sha.'
    8. 

  8.         required: true
    9. 

  9.         default: 'v0.6.1'
    10. 

  10. 

  11. permissions:
    12. 

  12.   contents: read
    13. 

  13. 

  14. jobs:
    15. 

  15.   checkout:
    16. 

  16.     name: Checkout repo
    17. 

  17.     runs-on: ubuntu-latest
    18. 

  18.     outputs:
    19. 

  19.       timestamp: ${{ steps.timestamp.outputs.timestamp }}
    20. 

  20. 

  21.     steps:
    22. 

  22.       - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
    23. 

  23.         with:
    24. 

  24.           egress-policy: audit
    25. 

  25.       - name: Checkout
    26. 

  26.         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    27. 

  27.         with:
    28. 

  28.           fetch-depth: 0
    29. 

  29.           ref: ${{ github.event.inputs.ref }}
    30. 

  30.           persist-credentials: false
    31. 

  31.       - name: set timestamp output
    32. 

  32.         id: timestamp
    33. 

  33.         run: |
    34. 

  34.           echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
    35. 

  35. 

  36.   # this rebuilds the image and creates a new tag with a timestamp suffix
    37. 

  37.   # e.g. v0.6.1-1669145271 and v0.6.1-ubi-1669145271
    38. 

  38.   publish-artifacts:
    39. 

  39.     uses: ./.github/workflows/publish.yml
    40. 

  40.     needs: checkout
    41. 

  41.     permissions:
    42. 

  42.       contents: read
    43. 

  43.       id-token: write #for keyless sign
    44. 

  44.       packages: write #for updating packages
    45. 

  45.     strategy:
    46. 

  46.       matrix:
    47. 

  47.         include:
    48. 

  48.         - dockerfile: "Dockerfile"
    49. 

  49.           build-args: "CGO_ENABLED=0"
    50. 

  50.           build-arch: "amd64 arm64 ppc64le"
    51. 

  51.           build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
    52. 

  52.           tag-suffix: "-${{ needs.checkout.outputs.timestamp }}" # distroless
    53. 

  53.         - dockerfile: "Dockerfile.ubi"
    54. 

  54.           build-args: "CGO_ENABLED=0"
    55. 

  55.           build-arch: "amd64 arm64 ppc64le"
    56. 

  56.           build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
    57. 

  57.           tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" # ubi
    58. 

  58.         - dockerfile: "Dockerfile.ubi"
    59. 

  59.           build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips
    60. 

  60.           build-arch: "amd64 ppc64le"
    61. 

  61.           build-platform: "linux/amd64,linux/ppc64le"
    62. 

  62.           tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}"
    63. 

  63.     with:
    64. 

  64.       dockerfile: ${{ matrix.dockerfile }}
    65. 

  65.       tag-suffix: ${{ matrix.tag-suffix }}
    66. 

  66.       image-name: ghcr.io/${{ github.repository }}
    67. 

  67.       build-platform: ${{ matrix.build-platform }}
    68. 

  68.       build-args: ${{ matrix.build-args }}
    69. 

  69.       build-arch: ${{ matrix.build-arch }}
    70. 

  70.       ref: ${{ github.event.inputs.ref }}
    71. 

  71.       image-tag: ${{ github.event.inputs.ref }}
    72. 

  72.       username: ${{ github.actor }}
    73. 

  73.     secrets:
    74. 

  74.       IS_FORK: ${{ secrets.GHCR_USERNAME }}
    75.