fix: istio destionationrule subsets enforcement (#3126) #49
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
tags: | |
- 'v*' | |
permissions: {} | |
env: | |
GOLANG_VERSION: '1.20' # Note: go-version must also be set in job controller-image.with.go-version & plugin-image.with.go-version. | |
jobs: | |
controller-image: | |
permissions: | |
contents: read | |
packages: write # Required and used to push images to `ghcr.io` if used. | |
id-token: write # For creating OIDC tokens for signing. | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/argo-rollouts:${{ github.ref_name }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: '1.20' | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
secrets: | |
quay_username: ${{ secrets.QUAY_USERNAME }} | |
quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} | |
plugin-image: | |
permissions: | |
contents: read | |
packages: write # Required and used to push images to `ghcr.io` if used. | |
id-token: write # For creating OIDC tokens for signing. | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/kubectl-argo-rollouts:${{ github.ref_name }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: '1.20' | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
target: kubectl-argo-rollouts | |
secrets: | |
quay_username: ${{ secrets.QUAY_USERNAME }} | |
quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }} | |
controller-image-provenance: | |
needs: | |
- controller-image | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: quay.io/argoproj/argo-rollouts | |
digest: ${{ needs.controller-image.outputs.image-digest }} | |
secrets: | |
registry-username: ${{ secrets.QUAY_USERNAME }} | |
registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }} | |
plugin-image-provenance: | |
needs: | |
- plugin-image | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: quay.io/argoproj/kubectl-argo-rollouts | |
digest: ${{ needs.plugin-image.outputs.image-digest }} | |
secrets: | |
registry-username: ${{ secrets.QUAY_USERNAME }} | |
registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }} | |
release-artifacts: | |
permissions: | |
contents: write # for softprops/action-gh-release to create GitHub release | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Golang | |
uses: actions/[email protected] # v4.0.1 | |
with: | |
go-version: ${{ env.GOLANG_VERSION }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | |
- name: Generate release artifacts | |
run: | | |
make release-plugins | |
make checksums | |
make manifests IMAGE_TAG=${{ github.ref_name }} | |
- name: Draft release | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
with: | |
tag_name: ${{ github.event.inputs.tag }} | |
draft: true | |
files: | | |
dist/kubectl-argo-rollouts-linux-amd64 | |
dist/kubectl-argo-rollouts-linux-arm64 | |
dist/kubectl-argo-rollouts-darwin-amd64 | |
dist/kubectl-argo-rollouts-darwin-arm64 | |
dist/kubectl-argo-rollouts-windows-amd64 | |
dist/argo-rollouts-checksums.txt | |
manifests/dashboard-install.yaml | |
manifests/install.yaml | |
manifests/namespace-install.yaml | |
manifests/notifications-install.yaml | |
docs/features/kustomize/rollout_cr_schema.json | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate hashes for provenance | |
id: hash | |
run: | | |
echo "hashes=$(sha256sum ./dist/kubectl-argo-rollouts-* ./manifests/*.yaml | base64 -w0)" >> "$GITHUB_OUTPUT" | |
release-artifacts-provenance: | |
needs: | |
- release-artifacts | |
permissions: | |
actions: read # for detecting the Github Actions environment | |
id-token: write # Needed for provenance signing and ID | |
contents: write # Needed for release uploads | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.release-artifacts.outputs.hashes }}" | |
provenance-name: "argo-rollouts.intoto.jsonl" | |
upload-assets: true | |
draft-release: true | |
generate-sbom: | |
name: Create Sbom and sign assets | |
needs: | |
- release-artifacts | |
- release-artifacts-provenance | |
permissions: | |
contents: write # Needed for release uploads | |
id-token: write # Needed for signing Sbom | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Golang | |
uses: actions/[email protected] # v4.0.0 | |
with: | |
go-version: ${{ env.GOLANG_VERSION }} | |
- name: Install cosign | |
uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3 | |
with: | |
cosign-release: 'v2.0.2' | |
- name: Generate SBOM (spdx) | |
id: spdx-builder | |
env: | |
# defines the spdx/spdx-sbom-generator version to use. | |
SPDX_GEN_VERSION: v0.0.13 | |
# defines the sigs.k8s.io/bom version to use. | |
SIGS_BOM_VERSION: v0.2.1 | |
# comma delimited list of project relative folders to inspect for package | |
# managers (gomod, yarn, npm). | |
PROJECT_FOLDERS: ".,./ui" | |
# full qualified name of the container image to be inspected | |
CONTAINER_IMAGE: quay.io/argoproj/argo-rollouts:${{ github.event.inputs.tag }} | |
run: | | |
yarn install --cwd ./ui | |
go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION | |
go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION | |
# Generate SPDX for project dependencies analyzing package managers | |
for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g") | |
do | |
generator -p $folder -o /tmp | |
done | |
# Generate SPDX for binaries analyzing the container image | |
if [[ ! -z CONTAINER_IMAGE ]]; then | |
bom generate -o /tmp/bom-docker-image.spdx -i $CONTAINER_IMAGE | |
fi | |
cd /tmp && tar -zcf sbom.tar.gz *.spdx | |
- name: Sign SBOM | |
run: | | |
cosign sign-blob \ | |
--output-certificate=/tmp/sbom.tar.gz.pem \ | |
--output-signature=/tmp/sbom.tar.gz.sig \ | |
--yes \ | |
/tmp/sbom.tar.gz | |
- name: Upload SBOM and signature assets | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ github.ref_name }} | |
draft: true | |
files: | | |
/tmp/sbom.tar.* | |
post-release: | |
needs: | |
- release-artifacts | |
- generate-sbom | |
permissions: | |
contents: write # Needed to push commit to update stable tag | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Git author information | |
run: | | |
set -ue | |
git config --global user.email '[email protected]' | |
git config --global user.name 'CI' | |
- name: Check if tag is the latest version and not a pre-release | |
run: | | |
set -xue | |
# Fetch all tag information | |
git fetch --prune --tags --force | |
LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1) | |
PRE_RELEASE=false | |
# Check if latest tag is a pre-release | |
if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then | |
PRE_RELEASE=true | |
fi | |
# Ensure latest tag matches github.ref_name & not a pre-release | |
if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then | |
echo "TAG_STABLE=true" >> $GITHUB_ENV | |
else | |
echo "TAG_STABLE=false" >> $GITHUB_ENV | |
fi | |
- name: Update stable tag to latest version | |
run: | | |
git tag -f stable ${{ github.ref_name }} | |
git push -f origin stable | |
if: ${{ env.TAG_STABLE == 'true' }} |