-
Notifications
You must be signed in to change notification settings - Fork 0
113 lines (98 loc) · 3.81 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: Release
on:
push:
branches:
- main
jobs:
release-container-images:
name: build and push to ghcr.io
strategy:
matrix:
component:
- informer
- webhook
runs-on: ubuntu-22.04
permissions:
packages: write
outputs:
informer_image: ${{ steps.release.outputs.informer_image }}
informer_digest: ${{ steps.release.outputs.informer_digest }}
informer_sbom_image: ${{ steps.release.outputs.informer_sbom_image }}
informer_sbom_digest: ${{ steps.release.outputs.informer_sbom_digest }}
webhook_image: ${{ steps.release.outputs.webhook_image }}
webhook_digest: ${{ steps.release.outputs.webhook_digest }}
webhook_sbom_image: ${{ steps.release.outputs.webhook_sbom_image }}
webhook_sbom_digest: ${{ steps.release.outputs.webhook_sbom_digest }}
steps:
- uses: actions/setup-go@v4
with:
go-version: 1.21.x
- uses: ko-build/setup-ko@v0.6
- name: Install crane
run: go install github.com/google/go-containerregistry/cmd/crane@v0.19.1
- uses: actions/checkout@v4
- id: release
name: Build and push
env:
KO_DOCKER_REPO: ghcr.io/norbjd/k8s-pod-cpu-booster
run: |
# something like 202403241909-abcdef01 if we want to use a specific version
UNIQUE_TAG="$(TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M)-$(git rev-parse --short HEAD)"
ko build ./cmd/${{ matrix.component }} \
--base-import-paths \
--image-refs=.digest \
--tags=$GITHUB_REF_NAME,$UNIQUE_TAG
image=$(cat .digest | cut -d'@' -f1 | cut -d':' -f1)
digest=$(cat .digest| cut -d'@' -f2)
echo "${{ matrix.component }}_image=$image" >> "$GITHUB_OUTPUT"
echo "${{ matrix.component }}_digest=$digest" >> "$GITHUB_OUTPUT"
# this is probably not the best way to sign the SBOM:
# - requires crane to get the SBOM image pushed above
# - is vulnerable to TOCTOU attacks if someone updates the sbom between "ko build" and "crane digest"
# but, it's good enough for now, until I have a better solution
sbom_digest=$(crane digest $image:sha256-$(echo $digest | cut -d':' -f2).sbom)
echo "${{ matrix.component }}_sbom_image=$image" >> "$GITHUB_OUTPUT"
echo "${{ matrix.component }}_sbom_digest=$sbom_digest" >> "$GITHUB_OUTPUT"
# see https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/internal/builders/container/README.md#ko
provenance:
needs:
- release-container-images
strategy:
matrix:
component:
- informer
- informer_sbom
- webhook
- webhook_sbom
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
image: "${{ needs.release-container-images.outputs[format('{0}_image', matrix.component)] }}"
digest: "${{ needs.release-container-images.outputs[format('{0}_digest', matrix.component)] }}"
registry-username: ${{ github.actor }}
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
release-helm-chart:
name: release helm chart
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install helm
run: |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"