Add new rules to permission script and remove outdated permission (#2… #151
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - v[0-9]+.[0-9]+.[0-9]+ | |
| - v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+ # include prerelease tags too | |
| jobs: | |
| prepare: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| name: Prepare properties | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Prepare build parameters | |
| id: prep | |
| run: | | |
| hack/build/ci/prepare-build-variables.sh | |
| - name: Docker metadata | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| id: meta | |
| with: | |
| images: dynatrace/dynatrace-operator | |
| tags: ${{ steps.prep.outputs.docker_image_tag }} | |
| labels: | | |
| ${{ steps.prep.outputs.docker_image_labels }} | |
| vcs-ref=${{ github.sha }} | |
| outputs: | |
| labels: ${{ steps.meta.outputs.labels }} | |
| version: ${{ steps.prep.outputs.docker_image_tag }} | |
| version_without_prefix: ${{ steps.prep.outputs.docker_image_tag_without_prefix }} | |
| build: | |
| name: Build images | |
| runs-on: ubuntu-latest | |
| needs: [prepare] | |
| strategy: | |
| matrix: | |
| platform: [amd64, arm64, ppc64le] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Build image | |
| uses: ./.github/actions/build-image | |
| with: | |
| platform: ${{ matrix.platform }} | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| image-tag: ${{ needs.prepare.outputs.version }} | |
| push: | |
| name: Push images | |
| environment: Release | |
| needs: [prepare, build] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| platform: [amd64, arm64, ppc64le] | |
| registry: [gcr, dockerhub, amazon-ecr] | |
| include: | |
| - registry: gcr | |
| url: gcr.io | |
| repository: GCR_REPOSITORY | |
| username: GCR_USERNAME | |
| password: GCR_JSON_KEY | |
| - registry: dockerhub | |
| url: docker.io | |
| repository: DOCKERHUB_REPOSITORY | |
| username: DOCKERHUB_USERNAME | |
| password: DOCKERHUB_PASSWORD | |
| - registry: amazon-ecr | |
| url: public.ecr.aws | |
| repository: ECR_REPOSITORY | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Login to Registry | |
| if: ${{ matrix.registry != 'amazon-ecr' }} | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ${{ matrix.url }} | |
| username: ${{ secrets[matrix.username] }} | |
| password: ${{ secrets[matrix.password] }} | |
| - name: Configure aws credentials | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Push ${{matrix.platform}} to ${{matrix.registry}} | |
| uses: ./.github/actions/upload-image | |
| with: | |
| platform: ${{ matrix.platform }} | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| version: ${{ needs.prepare.outputs.version }} | |
| registry: ${{ matrix.url }} | |
| repository: ${{ secrets[matrix.repository] }} | |
| - name: Get image digest | |
| id: digest | |
| env: | |
| IMAGE: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}-${{ matrix.platform }} | |
| run: | | |
| hack/build/ci/get-image-digest.sh | |
| - name: Sign image for ${{matrix.registry}} | |
| uses: ./.github/actions/sign-image | |
| with: | |
| image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}-${{ matrix.platform }}@${{steps.digest.outputs.digest}} | |
| signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| signing-password: ${{ secrets.COSIGN_PASSWORD }} | |
| push-rhcc: | |
| name: Push amd64 image to RHCC | |
| if: ${{ !contains(github.ref, '-rc') }} | |
| environment: Release | |
| needs: [prepare, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| SCAN_REGISTRY: "quay.io" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Login to Registry | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ${{ env.SCAN_REGISTRY }} | |
| username: ${{ secrets.RHCC_USERNAME }} | |
| password: ${{ secrets.RHCC_PASSWORD }} | |
| - name: Push amd64 image to scan registry | |
| uses: ./.github/actions/upload-image | |
| with: | |
| platform: "amd64" | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| version: ${{ needs.prepare.outputs.version }} | |
| registry: ${{ env.SCAN_REGISTRY }} | |
| repository: ${{ secrets.RHCC_REPOSITORY }} | |
| skip-platform-suffix: true | |
| - name: Run preflight | |
| uses: ./.github/actions/preflight | |
| with: | |
| version: ${{ needs.prepare.outputs.version }} | |
| registry: ${{ env.SCAN_REGISTRY }} | |
| repository: ${{ secrets.RHCC_REPOSITORY }} | |
| report-name: "preflight.json" | |
| redhat-project-id: ${{ secrets.REDHAT_PROJECT_ID }} | |
| pyxis-api-token: ${{ secrets.PYXIS_API_TOKEN }} | |
| manifest: | |
| name: Create Docker manifests | |
| environment: Release | |
| needs: [prepare, push] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| outputs: | |
| digest: ${{ steps.create-manifests.outputs.digest }} | |
| strategy: | |
| matrix: | |
| registry: [gcr, dockerhub, amazon-ecr] | |
| include: | |
| - registry: gcr | |
| url: gcr.io | |
| repository: GCR_REPOSITORY | |
| username: GCR_USERNAME | |
| password: GCR_JSON_KEY | |
| - registry: dockerhub | |
| url: docker.io | |
| repository: DOCKERHUB_REPOSITORY | |
| username: DOCKERHUB_USERNAME | |
| password: DOCKERHUB_PASSWORD | |
| - registry: amazon-ecr | |
| url: public.ecr.aws | |
| repository: ECR_REPOSITORY | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Login to Registry | |
| if: ${{ matrix.registry != 'amazon-ecr' }} | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ${{ matrix.url }} | |
| username: ${{ secrets[matrix.username] }} | |
| password: ${{ secrets[matrix.password] }} | |
| - name: Configure aws credentials | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Create manifests for ${{matrix.registry}} | |
| uses: ./.github/actions/create-manifests | |
| id: create-manifests | |
| with: | |
| version: ${{ needs.prepare.outputs.version }} | |
| registry: ${{ matrix.url }} | |
| repository: ${{ secrets[matrix.repository] }} | |
| combined: true | |
| - name: Sign images for ${{matrix.registry}} | |
| uses: ./.github/actions/sign-image | |
| with: | |
| image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ steps.create-manifests.outputs.digest }} | |
| signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| signing-password: ${{ secrets.COSIGN_PASSWORD }} | |
| attach-sbom: | |
| name: Attach sbom | |
| environment: Release | |
| needs: [ prepare, push, manifest ] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| registry: [gcr, dockerhub, amazon-ecr] | |
| include: | |
| - registry: gcr | |
| url: gcr.io | |
| repository: GCR_REPOSITORY | |
| username: GCR_USERNAME | |
| password: GCR_JSON_KEY | |
| - registry: dockerhub | |
| url: docker.io | |
| repository: DOCKERHUB_REPOSITORY | |
| username: DOCKERHUB_USERNAME | |
| password: DOCKERHUB_PASSWORD | |
| - registry: amazon-ecr | |
| url: public.ecr.aws | |
| repository: ECR_REPOSITORY | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Login to Registry | |
| if: ${{ matrix.registry != 'amazon-ecr' }} | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ${{ matrix.url }} | |
| username: ${{ secrets[matrix.username] }} | |
| password: ${{ secrets[matrix.password] }} | |
| - name: Configure aws credentials | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Create sbom for ${{matrix.registry}} | |
| id: sbom | |
| uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 | |
| with: | |
| image-ref: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.manifest.outputs.digest }} | |
| format: 'cyclonedx' | |
| output: 'result.json' | |
| skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses' | |
| - name: Upload sbom to ${{matrix.registry}} | |
| uses: ./.github/actions/upload-sbom | |
| with: | |
| image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.manifest.outputs.digest }} | |
| sbom: 'result.json' | |
| signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| signing-password: ${{ secrets.COSIGN_PASSWORD }} | |
| release: | |
| name: Create release | |
| needs: [prepare, build, attach-sbom, manifest] | |
| environment: Release | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Golang | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: "${{ github.workspace }}/go.mod" | |
| - name: Download dependencies | |
| id: depdownload | |
| run: | | |
| hack/build/ci/install-cgo-dependencies.sh | |
| - name: Generate release notes | |
| shell: bash | |
| env: | |
| PRE_RELEASE: ${{ contains(github.ref, '-rc.') }} | |
| run: | | |
| hack/build/ci/generate-release-notes.sh | |
| - name: Generate K8s manifests | |
| shell: bash | |
| env: | |
| VERSION_WITHOUT_PREFIX: ${{ needs.prepare.outputs.version_without_prefix }} | |
| VERSION: ${{ needs.prepare.outputs.version }} | |
| run: | | |
| make manifests/crd/release CHART_VERSION="${VERSION_WITHOUT_PREFIX}" | |
| make manifests/kubernetes/olm IMAGE="public.ecr.aws/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.manifest.outputs.digest}}" | |
| make manifests/kubernetes IMAGE="public.ecr.aws/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.manifest.outputs.digest}}" | |
| make manifests/openshift/olm IMAGE="registry.connect.redhat.com/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.manifest.outputs.digest}}" | |
| make manifests/openshift IMAGE="public.ecr.aws/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.manifest.outputs.digest}}" | |
| - name: Build helm packages | |
| uses: ./.github/actions/build-helm | |
| with: | |
| version_without_prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| secring: ${{ secrets.HELM_SECRING }} | |
| passphrase: ${{ secrets.HELM_PASSPHRASE }} | |
| output-dir: "./helm-pkg" | |
| - name: Login Helm to dockerhub | |
| shell: bash | |
| run: | | |
| helm registry login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_PASSWORD }}" "registry.hub.docker.com" | |
| - name: Login Docker to dockerhub | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: docker.io | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Upload and sign helm package to dockerhub | |
| uses: ./.github/actions/upload-helm | |
| with: | |
| version: ${{ needs.prepare.outputs.version }} | |
| version-without-prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| cosign-password: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Upload and sign helm package to Amazon ECR | |
| uses: ./.github/actions/upload-helm | |
| with: | |
| registry-url: public.ecr.aws | |
| image-base-url: public.ecr.aws | |
| version: ${{ needs.prepare.outputs.version }} | |
| version-without-prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| cosign-password: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Prepare cosign.pub artifact | |
| env: | |
| COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} | |
| run: | | |
| mkdir -p tmp | |
| echo ${COSIGN_PUBLIC_KEY} | base64 -d > tmp/cosign.pub | |
| - name: Create pre-release | |
| uses: softprops/action-gh-release@v2 | |
| if: ${{ contains(github.ref, '-rc.') }} | |
| with: | |
| body_path: ./CHANGELOG.md | |
| files: | | |
| tmp/cosign.pub | |
| config/deploy/dynatrace-operator-crd.yaml | |
| config/deploy/kubernetes/kubernetes.yaml | |
| config/deploy/openshift/openshift.yaml | |
| config/deploy/kubernetes/kubernetes-csi.yaml | |
| config/deploy/openshift/openshift-csi.yaml | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| prerelease: true | |
| draft: true | |
| fail_on_unmatched_files: true | |
| - name: Create release | |
| uses: softprops/action-gh-release@v2 | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| with: | |
| body_path: ./CHANGELOG.md | |
| files: | | |
| tmp/cosign.pub | |
| config/deploy/dynatrace-operator-crd.yaml | |
| config/deploy/kubernetes/kubernetes.yaml | |
| config/deploy/kubernetes/gke-autopilot.yaml | |
| config/deploy/openshift/openshift.yaml | |
| config/deploy/kubernetes/kubernetes-csi.yaml | |
| config/deploy/openshift/openshift-csi.yaml | |
| helm-pkg/dynatrace-operator-${{ needs.prepare.outputs.version_without_prefix }}.tgz | |
| helm-pkg/dynatrace-operator-${{ needs.prepare.outputs.version_without_prefix }}.tgz.prov | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| prerelease: false | |
| draft: true | |
| fail_on_unmatched_files: true | |
| - name: Update index helm file | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| env: | |
| VERSION_WITHOUT_PREFIX: ${{ needs.prepare.outputs.version_without_prefix }} | |
| run: | | |
| echo "Updating Helm repo index" | |
| hack/build/ci/generate-new-helm-index-yaml.sh "helm-pkg" ${{ needs.prepare.outputs.version_without_prefix }} | |
| - name: Create pull request for adding helm index to main branch | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| uses: peter-evans/create-pull-request@v6 | |
| with: | |
| base: main | |
| delete-branch: true | |
| branch: create-pull-request/update-helm-index | |
| branch-suffix: short-commit-hash | |
| add-paths: | | |
| ./config/helm/repos/stable/index.yaml | |
| ./config/helm/repos/stable/index.yaml.previous | |
| title: '[Automatic] Update index for ${{ github.ref }} release' | |
| commit-message: Update index.yaml | |
| committer: GitHub <noreply@github.com> | |
| author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> | |
| body: | | |
| # Description | |
| Upgrade `index.yaml` to include latest version of the helm chart. | |
| ## How can this be tested? | |
| Helm upgrade to and install of `${{ github.ref }}` works. | |
| ## Checklist | |
| - [x] PR is labeled accordingly |