Merge pull request #36 from cybozu-go/improve-release-workflow

Improve release workflow
cybozu-go · Jul 4, 2023 · 069f77f · 069f77f
2 parents a308ed3 + ff8e8c9
commit 069f77f
Show file tree

Hide file tree

Showing 11 changed files with 180 additions and 165 deletions.
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
@@ -0,0 +1,14 @@
+name: "Setup tools"
+description: "Setup tools with aqua"
+inputs:
+  github_token:
+    description: "GitHub Token"
+    required: true
+runs:
+  using: composite
+  steps:
+    - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2
+      with:
+        aqua_version: v2.9.0
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,30 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+      - ci
+      - documentation
+      - refactoring
+      - test
+  categories:
+    - title: Features
+      labels:
+        - enhancement
+    - title: Bug Fixes
+      labels:
+        - bug
+    - title: Deprecated
+      labels:
+        - deprecate
+    - title: Removed
+      labels:
+        - remove
+    - title: Security
+      labels:
+        - security
+    - title: Dependencies
+      labels:
+        - dependencies
+    - title: Others
+      labels:
+        - "*"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -13,14 +13,32 @@ jobs:
       - uses: actions/setup-go@v3
         with:
           go-version-file: go.mod
-          cache: true
-      - run: make setup
+      - uses: ./.github/actions/aqua
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       - run: make lint
       - run: make check-generate
       - run: make test
-  build-image:
-    name: Build Container Image
+  dry-run:
+    name: Dry-run release
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-      - run: docker build -t quay.io/cybozu/pod-security-admission:latest .
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+      - name: Setup go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - uses: ./.github/actions/aqua
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - run: make install.yaml
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          version: latest
+          args: --snapshot --skip-publish --clean
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -2,38 +2,45 @@ name: Release
 on:
   push:
     tags:
-    - 'v*'
-env:
-  tag: ${GITHUB_REF#refs/tags/v}
-  prerelease: ${{ contains(github.ref, '-') }}
+      - 'v*'
 jobs:
-  image:
-    name: Push Container Image
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v3
-      - run: docker build -t quay.io/cybozu/pod-security-admission:latest .
-      - name: Push docker image to Quay.io
-        run: |
-          echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io
-          echo "pushing image ..."
-          docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:${{ env.tag }}
-          docker push quay.io/cybozu/pod-security-admission:${{ env.tag }}
-          BRANCH=$(echo ${{ env.tag }} | cut -d "." -f 1-2)
-          docker tag quay.io/cybozu/pod-security-admission:latest quay.io/cybozu/pod-security-admission:$BRANCH
-          docker push quay.io/cybozu/pod-security-admission:$BRANCH
   release:
-    name: Release on GitHub
-    needs: image
     runs-on: ubuntu-22.04
-    container:
-      image: quay.io/cybozu/golang:1.20-jammy
     steps:
-      - uses: actions/checkout@v3
-      - run: make build/install.yaml
-      - name: Create release
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+      - name: GHCR Login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: quay.io Login
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - name: Setup go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+      - uses: ./.github/actions/aqua
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set Tag
         run: |
-          if ${{ env.prerelease }}; then
-            PRERELEASE="-prerelease"
-          fi
-          ghr -t ${{ secrets.GITHUB_TOKEN }} -u cybozu-go -r pod-security-admission -n v${{ env.tag }} ${PRERELEASE} -b "See [CHANGELOG.md](./CHANGELOG.md) for details." v${{ env.tag }} ./build/
+          TAG=${GITHUB_REF#refs/tags/v}
+          sed -i "s/newTag: .*/newTag: $TAG/g" config/manager/kustomization.yaml
+          make install.yaml
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,48 @@
+project_name: pod-security-admission
+dist: bin/
+builds:
+  - env:
+      - CGO_ENABLED=0
+    main: ./cmd
+    binary: pod-security-admission
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -X github.com/cybozu-go/pod-security-admission.Version={{.Version}}
+archives:
+  - files:
+      - install.yaml
+dockers:
+  - image_templates:
+    - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
+    - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64"
+    use: buildx
+    dockerfile: Dockerfile
+    extra_files:
+      - LICENSE
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+docker_manifests:
+  - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}"
+    image_templates:
+      - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
+  - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Major }}.{{ .Minor }}"
+    image_templates:
+      - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
+  - name_template: "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64"
+  - name_template: "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Major }}.{{ .Minor }}"
+    image_templates:
+      - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64"
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ .Tag }}-next"
+changelog:
+  use: github-native
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,9 @@
-# Build the manager binary
-FROM quay.io/cybozu/golang:1.20-jammy as builder
-
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY version.go version.go
-COPY cmd/ cmd/
-COPY hooks/ hooks/
-
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o pod-security-admission cmd/main.go
-
 FROM scratch
+LABEL org.opencontainers.image.authors="Cybozu, Inc." \
+      org.opencontainers.image.title="pod-security-admission" \
+      org.opencontainers.image.source="https://github.com/cybozu-go/pod-security-admission"
 WORKDIR /
-COPY --from=builder /workspace/pod-security-admission .
+COPY pod-security-admission /
 USER 10000:10000
 
 ENTRYPOINT ["/pod-security-admission"]
diff --git a/Makefile b/Makefile
@@ -1,15 +1,11 @@
-CONTROLLER_TOOLS_VERSION = 0.11.3
-KUSTOMIZE_VERSION = 4.5.7
 ENVTEST_K8S_VERSION = 1.25.0
 
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash
 .SHELLFLAGS = -e -o pipefail -c
 BIN_DIR := $(shell pwd)/bin
-INSTALL_YAML = build/install.yaml
+INSTALL_YAML = install.yaml
 
-KUSTOMIZE = $(BIN_DIR)/kustomize
-CONTROLLER_GEN = $(BIN_DIR)/controller-gen
 STATICCHECK = $(BIN_DIR)/staticcheck
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -41,12 +37,12 @@ help: ## Display this help.
 ##@ Development
 
 .PHONY: manifests
-manifests: $(CONTROLLER_GEN) ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=pod-security-admission webhook paths="./..."
+manifests: setup ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	controller-gen rbac:roleName=pod-security-admission webhook paths="./..."
 
 .PHONY: generate
-generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+generate: setup ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+	controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 .PHONY: check-generate
 check-generate:
@@ -71,16 +67,9 @@ test: setup-envtest manifests generate ## Run tests.
 build: ## Build binary.
 	CGO_ENABLED=0 go build -o bin/pod-security-admission -ldflags="-w -s" ./cmd
 
-$(INSTALL_YAML): $(KUSTOMIZE)
+$(INSTALL_YAML): setup
 	mkdir -p build
-	$(KUSTOMIZE) build ./config/default > $@
-
-$(CONTROLLER_GEN): ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v$(CONTROLLER_TOOLS_VERSION))
-
-$(KUSTOMIZE): ## Download kustomize locally if necessary.
-	mkdir -p $(BIN_DIR)
-	curl -sSLf https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv$(KUSTOMIZE_VERSION)/kustomize_v$(KUSTOMIZE_VERSION)_linux_amd64.tar.gz | tar -xz -C $(BIN_DIR)
+	kustomize build ./config/default > $@
 
 $(STATICCHECK):
 	$(call go-install-tool,$(STATICCHECK),honnef.co/go/tools/cmd/staticcheck@latest)
@@ -92,7 +81,8 @@ setup-envtest: ## Download setup-envtest locally if necessary
 	GOBIN=$(BIN_DIR) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
 
 .PHONY: setup
-setup: $(STATICCHECK) $(KUSTOMIZE) $(CONTROLLER_GEN) setup-envtest
+setup:
+	aqua i -l
 
 .PHONY: clean
 clean: