Release Next #56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Next | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 1 * * *' | |
env: | |
SETUP_GO_VERSION: '1.20' | |
SETUP_NODE_VERSION: '16' | |
jobs: | |
release-next: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # This is the key for OIDC! | |
contents: write | |
packages: write | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
fetch-depth: 0 | |
- | |
name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
cache: false | |
go-version: ${{ env.SETUP_GO_VERSION }} | |
- | |
name: Set up Node | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.SETUP_NODE_VERSION }} | |
- | |
name: Install yarn | |
run: npm install --global yarn | |
- | |
uses: anchore/sbom-action/download-syft@v0.13.1 | |
- | |
uses: sigstore/cosign-installer@v2.8.1 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- | |
name: Login to GitHub Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Get latest tag | |
id: get_latest_tag | |
run: echo "LATEST_TAG=$(git describe --tags --abbrev=0)" >> $GITHUB_OUTPUT | |
- | |
name: Tag current commit as latest-next | |
run: git tag ${{ steps.get_latest_tag.outputs.LATEST_TAG }}-next | |
- | |
name: Build Epinio dashboard | |
# build the ui, move the build to `ui` in the workflow root (as per location when downloading from url) | |
run: | | |
./.github/workflows/scripts/build-ui.sh | |
mv dashboard/$OUTPUT_DIR/$ARTIFACT_NAME backend/ui | |
env: | |
RANCHER_ENV: epinio | |
EXCLUDES_PKG: rancher-components,harvester | |
EXCLUDE_OPERATOR_PKG: true | |
OUTPUT_DIR: dist | |
RELEASE_DIR: release | |
ARTIFACT_NAME: rancher-dashboard-epinio-standalone | |
NODE_OPTIONS: "--max-old-space-size=4096" | |
LOGIN_LOCALE_SELECTOR: false | |
################# | |
- | |
name: Run GoReleaser Cross | |
run: ./backend/build/bk-release.sh release --rm-dist -f ./backend/.goreleaser-next.yml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UI_BUNDLE_URL: "dev" | |
# The "id-token: write" permission for the OIDC will set the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN | |
# environment variables. Since we are running goreleaser-cross from a Docker image we need to pass those to the script and the container. | |
# See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc | |
ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }} | |
ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }} | |
- | |
name: Verify signatures on the generated docker images and manifests | |
id: verify_signatures | |
run: | | |
cosign verify ghcr.io/epinio/epinio-ui:latest-next | |
env: | |
DOCKER_CLI_EXPERIMENTAL: enabled | |
COSIGN_EXPERIMENTAL: 1 | |
- | |
name: Cleanup the latest-next tag | |
run: git tag -d ${{ steps.get_latest_tag.outputs.LATEST_TAG }}-next |