fix: istio destionationrule subsets enforcement (#3126) #49

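# Release pipeline: builds and signs the controller and kubectl-plugin images
# (via the reusable image workflow), attaches SLSA provenance to both images,
# publishes the plugin binaries and manifests as a draft GitHub release with
# generic SLSA provenance, adds a cosign-signed SBOM, and finally moves the
# `stable` tag when the released tag is the newest non-rc version.
#
# Trigger is a pushed `v*` tag only. There is no workflow_dispatch trigger, so
# `github.event.inputs.*` is never populated here; the released tag must always
# be read from `github.ref_name`.
name: Release
on:
  push:
    tags:
      - 'v*'
# Start from no permissions; each job opts in to the minimum it needs.
permissions: {}
env:
  GOLANG_VERSION: '1.20' # Note: go-version must also be set in job controller-image.with.go-version & plugin-image.with.go-version.
jobs:
  controller-image:
    permissions:
      contents: read
      packages: write # Required and used to push images to `ghcr.io` if used.
      id-token: write # For creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: quay.io/argoproj/argo-rollouts:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.20'
      platforms: linux/amd64,linux/arm64
      push: true
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
  plugin-image:
    permissions:
      contents: read
      packages: write # Required and used to push images to `ghcr.io` if used.
      id-token: write # For creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: quay.io/argoproj/kubectl-argo-rollouts:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.20'
      platforms: linux/amd64,linux/arm64
      push: true
      target: kubectl-argo-rollouts
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
  controller-image-provenance:
    needs:
      - controller-image
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    # NOTE(review): the workflow reference below was garbled to "[email protected]" in the
    # rendered page; restore the pinned container-generator workflow file and tag.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: quay.io/argoproj/argo-rollouts
      # Attest the digest that the build job actually pushed, not the mutable tag.
      digest: ${{ needs.controller-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.QUAY_USERNAME }}
      registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }}
  plugin-image-provenance:
    needs:
      - plugin-image
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    # NOTE(review): the workflow reference below was garbled to "[email protected]" in the
    # rendered page; restore the pinned container-generator workflow file and tag.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: quay.io/argoproj/kubectl-argo-rollouts
      digest: ${{ needs.plugin-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.QUAY_USERNAME }}
      registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }}
  release-artifacts:
    permissions:
      contents: write # for softprops/action-gh-release to create GitHub release
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          # NOTE(review): this job never pushes; `persist-credentials: false`
          # would keep the token out of .git/config for the make targets below.
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Golang
        # NOTE(review): action reference garbled to "[email protected]" in the rendered
        # page; restore the pinned setup-go SHA (the same ref is annotated v4.0.0
        # in the SBOM job below — pick one version and pin it in both places).
        uses: actions/[email protected] # v4.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
      - name: Generate release artifacts
        env:
          # Hand the tag to the shell through the environment rather than
          # interpolating `${{ }}` into the script: a ref name containing shell
          # metacharacters then cannot alter the command line.
          TAG: ${{ github.ref_name }}
        run: |
          make release-plugins
          make checksums
          make manifests IMAGE_TAG="$TAG"
      - name: Draft release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          # `github.event.inputs.tag` is empty for a tag push; use the ref name,
          # as the SBOM upload step already does, so both uploads target the
          # same release.
          tag_name: ${{ github.ref_name }}
          draft: true
          files: |
            dist/kubectl-argo-rollouts-linux-amd64
            dist/kubectl-argo-rollouts-linux-arm64
            dist/kubectl-argo-rollouts-darwin-amd64
            dist/kubectl-argo-rollouts-darwin-arm64
            dist/kubectl-argo-rollouts-windows-amd64
            dist/argo-rollouts-checksums.txt
            manifests/dashboard-install.yaml
            manifests/install.yaml
            manifests/namespace-install.yaml
            manifests/notifications-install.yaml
            docs/features/kustomize/rollout_cr_schema.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate hashes for provenance
        id: hash
        # Provenance subjects are the plugin binaries and the manifests only.
        # argo-rollouts-checksums.txt and rollout_cr_schema.json are uploaded to
        # the release but are not covered by the attestation.
        run: |
          echo "hashes=$(sha256sum ./dist/kubectl-argo-rollouts-* ./manifests/*.yaml | base64 -w0)" >> "$GITHUB_OUTPUT"
  release-artifacts-provenance:
    needs:
      - release-artifacts
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    # NOTE(review): the workflow reference below was garbled to "[email protected]" in the
    # rendered page; restore the pinned generic-generator workflow file and tag.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.release-artifacts.outputs.hashes }}"
      provenance-name: "argo-rollouts.intoto.jsonl"
      upload-assets: true
      # Matches `draft: true` on the release created above.
      draft-release: true
  generate-sbom:
    name: Create Sbom and sign assets
    needs:
      - release-artifacts
      - release-artifacts-provenance
      # `bom generate` below pulls the controller image by tag, so it must not
      # run until the image job has pushed it.
      - controller-image
    permissions:
      contents: write # Needed for release uploads
      id-token: write # Needed for signing Sbom
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Golang
        # NOTE(review): action reference garbled to "[email protected]" in the rendered
        # page; restore the pinned setup-go SHA and align the version comment
        # with the release-artifacts job (v4.0.1 there, v4.0.0 here).
        uses: actions/[email protected] # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install cosign
        uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3
        with:
          cosign-release: 'v2.0.2'
      - name: Generate SBOM (spdx)
        id: spdx-builder
        env:
          # defines the spdx/spdx-sbom-generator version to use.
          SPDX_GEN_VERSION: v0.0.13
          # defines the sigs.k8s.io/bom version to use.
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
          PROJECT_FOLDERS: ".,./ui"
          # full qualified name of the container image to be inspected.
          # `github.event.inputs.tag` is empty on a tag push and produced an
          # image reference with an empty tag; the ref name is the released tag.
          CONTAINER_IMAGE: quay.io/argoproj/argo-rollouts:${{ github.ref_name }}
        run: |
          # NOTE(review): this runs package lifecycle scripts of ui/ dependencies
          # inside a job that holds the release signing identity (id-token:
          # write); consider `--ignore-scripts` if the SBOM does not need them.
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
          go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
          # Generate SPDX for project dependencies analyzing package managers
          for folder in $(echo "$PROJECT_FOLDERS" | sed "s/,/ /g")
          do
            generator -p "$folder" -o /tmp
          done
          # Generate SPDX for binaries analyzing the container image.
          # The check tests the variable's value; the previous form tested the
          # literal word CONTAINER_IMAGE, which is never empty.
          if [[ -n "$CONTAINER_IMAGE" ]]; then
            bom generate -o /tmp/bom-docker-image.spdx -i "$CONTAINER_IMAGE"
          fi
          cd /tmp && tar -zcf sbom.tar.gz *.spdx
      - name: Sign SBOM
        # Keyless (OIDC) signature; verifiers must check the certificate
        # identity against this workflow, not just signature validity.
        run: |
          cosign sign-blob \
            --output-certificate=/tmp/sbom.tar.gz.pem \
            --output-signature=/tmp/sbom.tar.gz.sig \
            --yes \
            /tmp/sbom.tar.gz
      - name: Upload SBOM and signature assets
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          draft: true
          files: |
            /tmp/sbom.tar.*
  post-release:
    # NOTE(review): `stable` is moved without waiting for the image provenance
    # jobs; add them to `needs` if stable should imply attested images.
    needs:
      - release-artifacts
      - generate-sbom
    permissions:
      contents: write # Needed to push commit to update stable tag
    runs-on: ubuntu-latest
    env:
      # Released tag, exposed to the shell steps without `${{ }}` interpolation
      # inside the scripts.
      TAG: ${{ github.ref_name }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          # Credentials stay in the checkout so the final step can push `stable`.
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Git author information
        # NOTE(review): the author e-mail below appears garbled ("[email protected]")
        # in the rendered page; confirm the intended value.
        run: |
          set -ue
          git config --global user.email '[email protected]'
          git config --global user.name 'CI'
      - name: Check if tag is the latest version and not a pre-release
        run: |
          set -xue
          # Fetch all tag information
          git fetch --prune --tags --force
          # Highest tag by version sort, with -rcN ordered before the final release.
          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
          PRE_RELEASE=false
          # Check if latest tag is a pre-release
          if echo "$LATEST_TAG" | grep -E -- '-rc[0-9]+$';then
            PRE_RELEASE=true
          fi
          # Ensure latest tag matches the released tag & not a pre-release
          # (quoted so the comparison is literal, not a glob match).
          if [[ "$LATEST_TAG" == "$TAG" ]] && [[ $PRE_RELEASE != 'true' ]];then
            echo "TAG_STABLE=true" >> $GITHUB_ENV
          else
            echo "TAG_STABLE=false" >> $GITHUB_ENV
          fi
      - name: Update stable tag to latest version
        if: ${{ env.TAG_STABLE == 'true' }}
        run: |
          git tag -f stable "$TAG"
          git push -f origin stable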