Release #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| release: | |
| types: | |
| - created | |
| schedule: | |
| - cron: '0 1 * * 1-5' # 1 AM UTC is 5 PM PST/ 6 PM PDT | |
| jobs: | |
| publish-image: | |
| permissions: | |
| contents: write # Used to upload assets | |
| packages: write # Used to push images to `ghcr.io` | |
| id-token: write # Needed to create an OIDC token for keyless signing | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-digest: ${{ steps.image.outputs.digest }} | |
| kargo-repo: ${{ steps.repo.outputs.repo }} | |
| unstable-version: ${{ steps.unstable-version.outputs.unstable-version }} | |
| steps: | |
| - name: Determine which repository to use for images | |
| id: repo | |
| run: | | |
| REPO=ghcr.io/akuity/kargo | |
| if ${{ github.event_name != 'release' }} | |
| then | |
| REPO=ghcr.io/akuity/kargo-unstable | |
| fi | |
| echo "Repository is set to: $REPO" | |
| echo "repo=$REPO" >> $GITHUB_OUTPUT | |
| - name: Set version for unstable builds | |
| id: unstable-version | |
| run: | | |
| set -xue | |
| LATEST_VERSION=$(go list -f {{.Version}} -mod=mod -m github.com/akuity/kargo@main | cut -f1 -d'-') | |
| NEW_VERSION=$(awk 'BEGIN {FS=OFS="."} {$3++; print}' <<< "${LATEST_VERSION}") | |
| echo "unstable-version=${NEW_VERSION}-unstable-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.3.0 | |
| with: | |
| cosign-release: 'v2.2.1' # optional | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ steps.repo.outputs.repo }} | |
| flavor: latest=false | |
| tags: | | |
| type=semver,pattern={{raw}} | |
| type=raw,value=${{ steps.unstable-version.outputs.unstable-version }},enable=${{ github.event_name != 'release'}} | |
| - name: Build and push | |
| id: image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| VERSION=${{ github.ref_name }} | |
| GIT_COMMIT=${{ github.sha }} | |
| GIT_TREE_STATE=clean | |
| tags: ${{ steps.meta.outputs.tags }} | |
| push: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: false | |
| sbom: false | |
| - name: Sign image | |
| run: | | |
| cosign sign \ | |
| -a "repo=${{ github.repository }}" \ | |
| -a "workflow=${{ github.workflow }}" \ | |
| -a "sha=${{ github.sha }}" \ | |
| --yes \ | |
| ${{ steps.repo.outputs.repo}}@${{ steps.image.outputs.digest}} | |
| - name: Publish SBOM | |
| if: github.event_name == 'release' | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: ${{ steps.meta.outputs.tags }} | |
| kargo-image-provenance: | |
| needs: | |
| - publish-image | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
| # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 | |
| with: | |
| image: ${{ needs.publish-image.outputs.kargo-repo }} | |
| digest: ${{ needs.publish-image.outputs.image-digest }} | |
| secrets: | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| publish-charts: | |
| needs: publish-image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Determine which repository to use | |
| id: chart_repo | |
| run: | | |
| REPO=ghcr.io/akuity/kargo-charts | |
| if ${{ github.event_name != 'release' }} | |
| then | |
| REPO=ghcr.io/akuity/kargo-charts-unstable | |
| fi | |
| echo "Repository is set to: $REPO" | |
| echo "chart_repo=$REPO" >> $GITHUB_OUTPUT | |
| - name: Determine Version | |
| id: version | |
| run: | | |
| VERSION=${{ github.ref_name }} | |
| if ${{ github.event_name != 'release' }} | |
| then | |
| VERSION=${{ needs.publish-image.outputs.unstable-version }} | |
| fi | |
| echo "VERSION is set to: $VERSION" | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: '3.12.3' | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Publish chart | |
| env: | |
| HELM_EXPERIMENTAL_OCI: '1' | |
| KARGO_CHARTS_REPO: ${{ steps.chart_repo.outputs.chart_repo }} | |
| VERSION: ${{ steps.version.outputs.version }} | |
| run: | | |
| CHART_VERSION=$(echo $VERSION | cut -c 2-) | |
| cd charts/kargo | |
| helm dep up | |
| helm package . --version ${CHART_VERSION} --app-version ${VERSION} | |
| helm push kargo-${CHART_VERSION}.tgz oci://${KARGO_CHARTS_REPO} | |
| publish-cli: | |
| if: github.event_name == 'release' | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:1.21.6-bookworm | |
| strategy: | |
| matrix: | |
| os: [linux, darwin, windows] | |
| arch: [amd64, arm64] | |
| outputs: | |
| hash-linux-amd64: ${{ steps.hash.outputs.hash-linux-amd64 }} | |
| hash-linux-arm64: ${{ steps.hash.outputs.hash-linux-arm64 }} | |
| hash-darwin-amd64: ${{ steps.hash.outputs.hash-darwin-amd64 }} | |
| hash-darwin-arm64: ${{ steps.hash.outputs.hash-darwin-arm64 }} | |
| hash-windows-amd64: ${{ steps.hash.outputs.hash-windows-amd64 }} | |
| hash-windows-arm64: ${{ steps.hash.outputs.hash-windows-arm64 }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: /go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Build CLI | |
| env: | |
| GOFLAGS: -buildvcs=false | |
| GOOS: ${{ matrix.os }} | |
| GOARCH: ${{ matrix.arch }} | |
| VERSION: ${{ github.ref_name }} | |
| GIT_COMMIT: ${{ github.sha }} | |
| GIT_TREE_STATE: clean | |
| run: make build-cli | |
| - name: Publish CLI | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: bin/* | |
| file_glob: true | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate subject | |
| id: hash | |
| run: | | |
| echo "hash-${{ matrix.os }}-${{ matrix.arch }}=$(sha256sum bin/kargo* | awk -F 'bin/' '{print $1 $2}'| base64 -w0)" >> "$GITHUB_OUTPUT" | |
| publish-unstable-cli: | |
| needs: publish-image | |
| permissions: | |
| id-token: write | |
| contents: read | |
| if: github.event_name != 'release' | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:1.21.6-bookworm | |
| steps: | |
| - name: Install awscli | |
| run: | | |
| apt update && apt install awscli -y | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: /go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Build CLI | |
| env: | |
| GOFLAGS: -buildvcs=false | |
| VERSION: ${{ needs.publish-image.outputs.unstable-version }} | |
| GIT_COMMIT: ${{ github.sha }} | |
| GIT_TREE_STATE: clean | |
| run: make nightly-cli | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| aws-region: us-west-2 | |
| - name: Push binaries | |
| env: | |
| CF_DISTRIBUTION_ID: ${{ secrets.CF_DISTRIBUTION_ID }} | |
| VERSION: ${{ needs.publish-image.outputs.unstable-version }} | |
| run: | | |
| aws s3 sync "./bin/kargo-cli/${VERSION}" "s3://kargo-release/kargo-cli/${VERSION}" | |
| printf "${VERSION}" > ./bin/kargo-cli/unstable.txt | |
| aws s3 cp ./bin/kargo-cli/unstable.txt s3://kargo-release/kargo-cli/unstable.txt | |
| aws cloudfront create-invalidation \ | |
| --distribution-id="${CF_DISTRIBUTION_ID}" \ | |
| --paths "/kargo-cli/unstable.txt" | |
| push-fig-autocomplete-spec: | |
| needs: [publish-cli] | |
| if: github.event_name == 'release' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/setup-node@v4 | |
| - name: Generate the spec | |
| run: | | |
| curl -L https://github.com/akuity/kargo/releases/download/${{ github.ref_name }}/kargo-linux-amd64 -o kargo | |
| chmod 755 kargo | |
| ./kargo fig > kargo-fig-spec.ts | |
| - name: Create Autocomplete PR | |
| uses: withfig/push-to-fig-autocomplete-action@v1 | |
| with: | |
| autocomplete-spec-name: kargo | |
| spec-path: kargo-fig-spec.ts | |
| integration: cobra | |
| combine_hashes: | |
| needs: [publish-cli] | |
| if: github.event_name == 'release' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hashes.outputs.hashes }} | |
| env: | |
| HASHES: ${{ toJSON(needs.publish-cli.outputs) }} | |
| steps: | |
| - id: hashes | |
| run: | | |
| echo "$HASHES" | jq -r '.[] | @base64d' | sed "/^$/d" > hashes.txt | |
| echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| provenance: | |
| needs: [combine_hashes] | |
| if: github.event_name == 'release' | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
| with: | |
| base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}" | |
| upload-assets: true # Optional: Upload to a new release | |
| provenance-name: kargo-cli.intoto.jsonl |