logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204
							name: Create Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}

permissions:
  contents: read

jobs:
  check-docs-for-release:
    name: Check Docs for release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Resolve and validate ref
        id: resolve_ref
        env:
          SOURCE_REF: ${{ github.event.inputs.source_ref }}
        run: |
          set -e
          # Try to fetch the ref from remote
          if git fetch origin "$SOURCE_REF"; then
            # Remote ref exists, use it
            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
            # Local ref exists (e.g., a tag)
            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
          else
            echo "Error: ref '$SOURCE_REF' not found"
            exit 1
          fi
          echo "Resolved to SHA: $RESOLVED_SHA"
          echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT

      - name: Checkout validated ref
        run: git checkout ${{ steps.resolve_ref.outputs.sha }}
      - name: check-docs
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
        run: |
          make docs.check
  release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create a release and push new docs
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Resolve and validate ref
        id: resolve_ref
        env:
          SOURCE_REF: ${{ github.event.inputs.source_ref }}
        run: |
          set -e
          # Try to fetch the ref from remote
          if git fetch origin "$SOURCE_REF"; then
            # Remote ref exists, use it
            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
            # Local ref exists (e.g., a tag)
            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
          else
            echo "Error: ref '$SOURCE_REF' not found"
            exit 1
          fi
          echo "Resolved to SHA: $RESOLVED_SHA"
          echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT

      - name: Checkout validated ref
        run: git checkout ${{ steps.resolve_ref.outputs.sha }}

      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          target_commitish: ${{ github.event.inputs.source_ref }}
          generate_release_notes: true
          body: |
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Configure Git
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git remote set-url origin "https://x-access-token:${{ env.TOKEN }}@github.com/${{ github.repository }}.git"

      - name: Update Docs
        if: github.ref == 'refs/heads/main'
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make docs.publish DOCS_ALIAS=latest

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - tag_suffix: "" # distroless image
        - tag_suffix: "-ubi" # ubi image
        - tag_suffix: "-ubi-boringssl" # ubi image

    permissions:
      contents: write #to update the github release
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.

    env:
      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
      RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}

    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        run: go mod download

      - name: Login to Docker
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Promote Container Image
        run: make docker.promote

      - name: Build release manifests
        env:
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # temporarily patch the version so we generate manifests with the new version
          yq e -i ".version = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          yq e -i ".appVersion = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          make manifests

      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}

      - name: Update Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          files: |
            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
            sbom.${{ env.RELEASE_TAG }}.spdx.json
            bin/deploy/manifests/external-secrets.yaml
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"