docs: Added SecurityGroup for groups TokenIDClaims (#19591) #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image | |
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
types: [ labeled, unlabeled, opened, synchronize, reopened ] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: {} | |
jobs: | |
set-vars: | |
permissions: | |
contents: read | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
outputs: | |
image-tag: ${{ steps.image.outputs.tag}} | |
platforms: ${{ steps.platforms.outputs.platforms }} | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- name: Set image tag for ghcr | |
run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT | |
id: image | |
- name: Determine image platforms to use | |
id: platforms | |
run: | | |
IMAGE_PLATFORMS=linux/amd64 | |
if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] | |
then | |
IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
fi | |
echo "Building image for platforms: $IMAGE_PLATFORMS" | |
echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT | |
build-only: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }} | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: 1.22 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: false | |
build-and-publish: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/argocd:latest | |
ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: 1.22 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: true | |
secrets: | |
quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
ghcr_username: ${{ github.actor }} | |
ghcr_password: ${{ secrets.GITHUB_TOKEN }} | |
build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io | |
needs: | |
- build-and-publish | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
with: | |
image: ghcr.io/argoproj/argo-cd/argocd | |
digest: ${{ needs.build-and-publish.outputs.image-digest }} | |
registry-username: ${{ github.actor }} | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
Deploy: | |
needs: | |
- build-and-publish | |
- set-vars | |
permissions: | |
contents: write # for git to push upgrade commit if not already deployed | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments" | |
env: | |
TOKEN: ${{ secrets.TOKEN }} | |
- run: | | |
docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
git config --global user.email 'ci@argoproj.com' | |
git config --global user.name 'CI' | |
git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) | |
working-directory: argoproj-deployments/argocd | |