Skip to content

Merge pull request #516 from carvel-dev/ra-bump-crypto-in-15.x #56

Merge pull request #516 from carvel-dev/ra-bump-crypto-in-15.x

Merge pull request #516 from carvel-dev/ra-bump-crypto-in-15.x #56

Workflow file for this run

name: release
on:
push:
tags:
- 'v*'
jobs:
draft-release:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.21.5
- name: Install Carvel Tools
uses: carvel-dev/setup-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
only: ytt, kapp, kbld, imgpkg, kctrl, vendir
ytt: v0.45.4
kapp: v0.58.0
kbld: v0.37.5
imgpkg: v0.37.3
kctrl: v0.46.2
vendir: v0.34.4
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run release script
run: |
set -e -x
minikube start --driver=docker --wait=all
docker buildx create minikube --use --driver=kubernetes --bootstrap
./hack/build-and-publish-release.sh
mkdir release
cp ./tmp/release.yml release/
- name: Run Package build
run: |
constraintVersion="${{ github.ref_name }}"
kctrl pkg release -y -v ${constraintVersion:1} --debug
mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
- name: Checksum
run: |
pushd release
shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
popd
- name: Create release draft and upload release yaml
uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
with:
name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
body_path: ./tmp/checksums.txt
files: |
./release/*
draft: true
- name: Get uploaded release YAML checksum
uses: actions/github-script@v6
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/')
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.rest.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
var releaseMatched = false;
var assetsFound = false;
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
releaseMatched = true;
for (const asset of r.assets) {
assetsFound = true;
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
http_promise.then(
(result) => {
console.log(checksums);
},
(error) => {
console.log("Encountered an Error for " + asset.name + " asset: " + error); // Log an error
});
}
}
}
if (!releaseMatched) {
console.log("No release matched")
}
if (!assetsFound) {
console.log("No assets found for " + "${{ github.ref }}" + " release")
}
return `${checksums['release.yml']} ./release.yml
${checksums['package.yml']} ./package.yml
${checksums['package-metadata.yml']} ./package-metadata.yml`
- name: Verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
cat ./tmp/checksums.txt
diff ./tmp/checksums.txt <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)
- name: Run PackageCR Validation Tests
run: |
set -e -x
# deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly
kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y
# Kapp-controller is needed for our PackageInstall
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y
constraintVersion="${{ github.ref_name }}"
kubectl create ns sg
kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y
# installing pkg with kctrl
kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg
export SECRETGEN_E2E_NAMESPACE=secretgen-test
./hack/test-e2e.sh