-
Notifications
You must be signed in to change notification settings - Fork 3.2k
356 lines (316 loc) · 12 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
name: Release
on:
push:
tags:
- v*
branches:
- master
- dev-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
build-linux:
name: Build & push linux
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
strategy:
matrix:
platform: [ linux/amd64, linux/arm64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: v0.10.4
- name: Cache Docker layers
uses: actions/cache@v3
id: cache
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-
- name: Docker Login
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Docker Login
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
set -eux
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
# copied verbatim from Makefile
GIT_COMMIT=$(git rev-parse HEAD || echo unknown)
GIT_TAG=$(git describe --exact-match --tags --abbrev=0 2> /dev/null || echo untagged)
GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"
docker buildx build \
--cache-from "type=local,src=/tmp/.buildx-cache" \
--cache-to "type=local,dest=/tmp/.buildx-cache" \
--output "type=image,push=true" \
--build-arg GIT_COMMIT=$GIT_COMMIT \
--build-arg GIT_TAG=$GIT_TAG \
--build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
--platform="${PLATFORM}" \
--target $TARGET \
--provenance=false \
--tag $image_name \
--tag quay.io/$image_name .
build-windows:
name: Build & push windows
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Build & Push Windows Docker Images
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}-windows"
docker build \
--build-arg GIT_COMMIT=$tag \
--build-arg GIT_BRANCH=$branch \
--build-arg GIT_TREE_STATE=$tree_state \
--target $target \
-t $image_name \
-f Dockerfile.windows \
.
docker push $image_name
docker tag $image_name quay.io/$image_name
docker push quay.io/$image_name
done
push-images:
name: Push manifest with all images
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
needs: [ build-linux, build-windows ]
steps:
- uses: actions/checkout@v4
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.13.0'
- name: Push Multiarch Image
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
run: |
echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
targets="workflow-controller argoexec argocli"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
if [ $target = "argoexec" ]; then
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
else
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64
fi
docker manifest push $image_name
docker manifest push quay.io/$image_name
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name
done
test-images-linux-amd64:
name: Try pulling linux/amd64
if: github.repository == 'argoproj/argo-workflows'
runs-on: ubuntu-latest
needs: [ push-images ]
strategy:
matrix:
platform: [ linux/amd64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}"
docker pull $image_name
docker pull quay.io/$image_name
test-images-windows:
name: Try pulling windows
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
needs: [ push-images ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}
- name: Login to Quay
uses: Azure/docker-login@v1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
- name: Try pulling
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
docker_org=$DOCKERIO_ORG
tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi
targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
docker pull $image_name
docker pull quay.io/$image_name
done
publish-release:
permissions:
contents: write # for softprops/action-gh-release to create GitHub release
runs-on: ubuntu-latest
if: github.repository == 'argoproj/argo-workflows'
needs: [ push-images, test-images-linux-amd64, test-images-windows ]
env:
NODE_OPTIONS: --max-old-space-size=4096
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: "20" # change in all GH Workflows
- uses: actions/setup-go@v4
with:
go-version: "1.21"
- name: Restore node packages cache
uses: actions/cache@v3
with:
path: ui/node_modules
key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
- name: Install cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.13.0'
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
- run: |
if [ ${GITHUB_REF##*/} = master ]; then
echo "VERSION=latest" >> $GITHUB_ENV
else
echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
fi
- run: go install sigs.k8s.io/bom/cmd/[email protected]
- run: go install github.com/spdx/spdx-sbom-generator/cmd/[email protected]
- run: mkdir -p dist
- run: generator -o dist -p .
- run: yarn --cwd ui install
- run: generator -o dist -p ui
- run: bom generate --image quay.io/argoproj/workflow-controller:$VERSION -o dist/workflow-controller.spdx
- run: bom generate --image quay.io/argoproj/argocli:$VERSION -o dist/argocli.spdx
- run: bom generate --image quay.io/argoproj/argoexec:$VERSION -o dist/argoexec.spdx
# pack the boms into one file to make it easy to download
- run: tar -zcf dist/sbom.tar.gz dist/*.spdx
- run: make release-notes VERSION=$VERSION
- run: cat release-notes
- run: make manifests VERSION=$VERSION
- name: Print image tag (please check it is not `:latest`)
run: |
grep image: dist/manifests/install.yaml
- run: go mod download
- run: make clis STATIC_FILES=true VERSION=$VERSION
- name: Print version (please check it is not dirty)
run: dist/argo-linux-amd64 version
- run: make checksums
- name: Sign checksums and create public key for release assets
run: |
cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig
# Retrieves the public key to release as an asset
cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub
# https://github.com/softprops/action-gh-release
# This will publish the release and upload assets.
# If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
# of this action.
# Instead, delete the release so it is re-created.
- uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/v')
with:
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
body_path: release-notes
files: |
dist/argo-*.gz
dist/argo-workflows-cli-checksums.txt
dist/argo-workflows-cli-checksums.sig
dist/manifests/*.yaml
dist/argo-workflows-cosign.pub
dist/sbom.tar.gz
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}