fix: bump alpine from 3.15.4 to 3.15.6 to patch zlib CVE (#911) #65
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Create konvoy-image-builder release when a tag is created. | |
# - Creates github release | |
# - Signs mac-os binary and reuploads artifacts to the github release | |
# - Bumps KIB version in mesosphere/cluster-api-provider-preprovisioned repository | |
on: | |
workflow_dispatch: | |
push: | |
tags: | |
- 'v*' | |
name: Release konvoy-image-builder | |
jobs: | |
release-to-github: | |
runs-on: | |
- self-hosted | |
- small | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.ref }} | |
- name: Setup Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version-file: 'go.mod' | |
cache: true | |
- name: Download GoReleaser | |
run: go install github.com/goreleaser/goreleaser@v1.11.5 | |
- name: Login to dockerhub Registry | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.NEXUS_USERNAME }} | |
password: ${{ secrets.NEXUS_PASSWORD }} | |
- name: Setup buildkit | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to D2iQ's Mirror Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ secrets.D2IQ_DOCKER_MIRROR_REGISTRY}} | |
username: ${{ secrets.NEXUS_USERNAME }} | |
password: ${{ secrets.NEXUS_PASSWORD }} | |
- name: Release | |
run: make cmd/konvoy-image-wrapper/image/konvoy-image-builder.tar.gz && make release | |
env: | |
DOCKER_CLI_EXPERIMENTAL: "enabled" | |
GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
bump-kib: | |
runs-on: ubuntu-latest | |
needs: release-to-github | |
steps: | |
- name: Checkout mesosphere/cluster-api-provider-preprovisioned repository | |
uses: actions/checkout@v3 | |
with: | |
repository: mesosphere/cluster-api-provider-preprovisioned | |
token: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
path: cluster-api-provider-preprovisioned | |
fetch-depth: 0 | |
- name: Setup Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version-file: 'cluster-api-provider-preprovisioned/go.mod' | |
cache: true | |
- name: Track default github workspace as safe directory | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Update Konvoy-image-builder version in mesosphere/cluster-api-provider-preprovisioned repository | |
run: make update-kib | |
working-directory: cluster-api-provider-preprovisioned | |
env: | |
GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
- name: Create Pull Request in mesosphere/cluster-api-provider-preprovisioned for Konvoy-image-builder version update | |
uses: peter-evans/create-pull-request@v4 | |
with: | |
token: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
add-paths: preprovisioned/kib | |
body: bumps KIB to latest version | |
commit-message: "fix: bump kib to ${{ github.ref_name }}" | |
path: cluster-api-provider-preprovisioned | |
title: "fix: bump kib to ${{ github.ref_name }}" | |
sign-macos-binary: | |
needs: release-to-github | |
runs-on: macos-latest | |
env: | |
KEYCHAIN: job-${{ github.job }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }} | |
steps: | |
- name: Checkout konvoy-image-builder repository | |
uses: actions/checkout@v3 | |
with: | |
ref: main | |
fetch-depth: 0 | |
- uses: dsaltares/fetch-gh-release-asset@1.1.0 | |
with: | |
version: "tags/${{ github.ref_name }}" | |
file: "konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64.tar.gz" | |
- name: Create directory to extract the pulled file into | |
run: mkdir "konvoy-image-bundle_darwin_amd64" | |
- name: Extract the pulled file | |
run: tar -xvzf "konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64.tar.gz" -C "konvoy-image-bundle_darwin_amd64" | |
- name: Remove original downloaded file | |
run: rm "konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64.tar.gz" | |
- name: Import Code-Signing Certificates | |
uses: Apple-Actions/import-codesign-certs@v1 | |
with: | |
keychain: ${{ env.KEYCHAIN }} | |
# The certificates in a PKCS12 file encoded as a base64 string | |
p12-file-base64: ${{ secrets.D2IQ_APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} | |
# The password used to import the PKCS12 file. | |
p12-password: ${{ secrets.D2IQ_APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} | |
- name: Install required binaries | |
run: | | |
brew tap mitchellh/gon | |
brew install mitchellh/gon/gon | |
brew install coreutils | |
- name: Run Gon to notarize | |
env: | |
GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
AC_USERNAME: ${{ secrets.D2IQ_APPLE_DEVELOPER_USERNAME }} | |
AC_PASSWORD: ${{ secrets.D2IQ_APPLE_DEVELOPER_PASSWORD }} | |
run: | | |
gon -log-level=info -log-json gon.hcl | |
- name: Tar signed bundle | |
run: | | |
unzip -o konvoy-image.zip | |
mv konvoy-image konvoy-image-bundle_darwin_amd64 | |
mv konvoy-image-bundle_darwin_amd64 konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64 | |
tar czf konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64.tar.gz konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64 | |
- name: Delete keychain | |
if: always() | |
run: | | |
security delete-keychain "${{ env.KEYCHAIN }}".keychain | |
- name: Get checksum file | |
uses: dsaltares/fetch-gh-release-asset@1.1.0 | |
with: | |
version: "tags/${{ github.ref_name }}" | |
file: "konvoy-image-builder_${{ github.ref_name }}_checksums.txt" | |
- name: Calculate checksum | |
run: | | |
cat konvoy-image-builder_${{ github.ref_name }}_checksums.txt | grep darwin | xargs -I{} sed -i'.bak' s/{}//g konvoy-image-builder_${{ github.ref_name }}_checksums.txt | |
sed -i'.bak' '/^[[:space:]]*$/d' konvoy-image-builder_${{ github.ref_name }}_checksums.txt | |
sha256sum konvoy-image-bundle-${{ github.ref_name}}_darwin_amd64.tar.gz >> konvoy-image-builder_${{ github.ref_name }}_checksums.txt | |
- name: Replace release artifact | |
uses: ncipollo/release-action@v1 | |
with: | |
tag: "${{ github.ref_name }}" | |
artifacts: konvoy-image-bundle-${{ github.ref_name }}_darwin_amd64.tar.gz,konvoy-image-builder_${{ github.ref_name }}_checksums.txt | |
replacesArtifacts: true | |
token: ${{ secrets.MESOSPHERECI_USER_TOKEN }} | |
artifactErrorsFailBuild: true | |
allowUpdates: true |