Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: helm-chart
Branches Tags
helm-externa...
/
.github
/
workflows
/
rebuild-image.yml

rebuild-image.yml 2.4 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. name: Rebuild
    2. 

  2. 

  3. on:
    4. 

  4.   workflow_dispatch:
    5. 

  5.     inputs:
    6. 

  6.       ref:
    7. 

  7.         description: 'ref to rebuild, can be a tag, branch or commit sha.'
    8. 

  8.         required: true
    9. 

  9.         default: 'v0.6.1'
    10. 

  10. 

  11. permissions:
    12. 

  12.   contents: read
    13. 

  13. 

  14. jobs:
    15. 

  15.   checkout:
    16. 

  16.     name: Checkout repo
    17. 

  17.     runs-on: ubuntu-latest
    18. 

  18.     outputs:
    19. 

  19.       timestamp: ${{ steps.timestamp.outputs.timestamp }}
    20. 

  20. 

  21.     steps:
    22. 

  22.       - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
    23. 

  23.         with:
    24. 

  24.           egress-policy: audit
    25. 

  25.       - name: Checkout
    26. 

  26.         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    27. 

  27.         with:
    28. 

  28.           fetch-depth: 0
    29. 

  29.           ref: ${{ github.event.inputs.ref }}
    30. 

  30.       - name: set timestamp output
    31. 

  31.         id: timestamp
    32. 

  32.         run: |
    33. 

  33.           echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
    34. 

  34. 

  35.   # this rebuilds the image and creates a new tag with a timestamp suffix
    36. 

  36.   # e.g. v0.6.1-1669145271 and v0.6.1-ubi-1669145271
    37. 

  37.   publish-artifacts:
    38. 

  38.     uses: ./.github/workflows/publish.yml
    39. 

  39.     needs: checkout
    40. 

  40.     permissions:
    41. 

  41.       contents: read
    42. 

  42.       id-token: write #for keyless sign
    43. 

  43.       packages: write #for updating packages
    44. 

  44.     strategy:
    45. 

  45.       matrix:
    46. 

  46.         include:
    47. 

  47.         - dockerfile: "Dockerfile"
    48. 

  48.           build-args: "CGO_ENABLED=0"
    49. 

  49.           build-arch: "amd64 arm64 ppc64le"
    50. 

  50.           build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
    51. 

  51.           tag-suffix: "-${{ needs.checkout.outputs.timestamp }}" # distroless
    52. 

  52.         - dockerfile: "Dockerfile.ubi"
    53. 

  53.           build-args: "CGO_ENABLED=0"
    54. 

  54.           build-arch: "amd64 arm64 ppc64le"
    55. 

  55.           build-platform: "linux/amd64,linux/arm64,linux/ppc64le"
    56. 

  56.           tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" # ubi
    57. 

  57.         - dockerfile: "Dockerfile.ubi"
    58. 

  58.           build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips
    59. 

  59.           build-arch: "amd64 ppc64le"
    60. 

  60.           build-platform: "linux/amd64,linux/ppc64le"
    61. 

  61.           tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}"
    62. 

  62.     with:
    63. 

  63.       dockerfile: ${{ matrix.dockerfile }}
    64. 

  64.       tag-suffix: ${{ matrix.tag-suffix }}
    65. 

  65.       image-name: ghcr.io/${{ github.repository }}
    66. 

  66.       build-platform: ${{ matrix.build-platform }}
    67. 

  67.       build-args: ${{ matrix.build-args }}
    68. 

  68.       build-arch: ${{ matrix.build-arch }}
    69. 

  69.       ref: ${{ github.event.inputs.ref }}
    70. 

  70.       image-tag: ${{ github.event.inputs.ref }}
    71. 

  71.       username: ${{ github.actor }}
    72. 

  72.     secrets:
    73. 

  73.       IS_FORK: ${{ secrets.GHCR_USERNAME }}
    74.