Merge pull request #516 from carvel-dev/ra-bump-crypto-in-15.x #56
Workflow file for this run
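# Release workflow for secretgen-controller.
#
# Triggered by a `v*` tag push. It builds and publishes the release artifacts,
# packages them with kctrl, uploads everything to a *draft* GitHub release,
# recomputes SHA-256 checksums from the uploaded assets and diffs them against
# the locally computed ones, then installs the resulting Package into a
# minikube cluster and runs the e2e tests.
name: release
on:
  push:
    tags:
      - 'v*'

# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN gets
# the repository default. From the steps below the job needs to create a release
# and push to ghcr.io, which looks like `contents: write` + `packages: write` —
# confirm against a real run before restricting.

jobs:
  draft-release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions/checkout, setup-go, setup-action, login-action and
      # github-script are pinned by mutable tags while action-gh-release below is
      # pinned by commit SHA. Pin all of them by SHA so a moved tag cannot change
      # what runs with the release token.
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Full history is needed so the release tooling can see tags.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.21.5
      - name: Install Carvel Tools
        uses: carvel-dev/setup-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          only: ytt, kapp, kbld, imgpkg, kctrl, vendir
          ytt: v0.45.4
          kapp: v0.58.0
          kbld: v0.37.5
          imgpkg: v0.37.3
          kctrl: v0.46.2
          vendir: v0.34.4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run release script
        run: |
          set -e -x
          # The in-runner cluster doubles as the buildx driver for the release build.
          minikube start --driver=docker --wait=all
          docker buildx create minikube --use --driver=kubernetes --bootstrap
          ./hack/build-and-publish-release.sh
          mkdir release
          cp ./tmp/release.yml release/
      - name: Run Package build
        env:
          # Pass the tag through the environment instead of interpolating the
          # expression into the script body: a tag name can contain shell
          # metacharacters. The trigger already limits this to tag pushers, so this
          # is hardening rather than a fix for an open hole.
          TAG_NAME: ${{ github.ref_name }}
        run: |
          constraintVersion="$TAG_NAME"
          # ${constraintVersion:1} strips the leading "v" to get the package version.
          kctrl pkg release -y -v ${constraintVersion:1} --debug
          mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
          cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
      - name: Checksum
        run: |
          # Local checksums; the same three files are recomputed from the uploaded
          # draft assets further down and the two listings are diffed.
          pushd release
          shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
          popd
      - name: Create release draft and upload release yaml
        uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
        with:
          name: ${{ github.ref_name }}
          token: ${{ secrets.GITHUB_TOKEN }}
          body_path: ./tmp/checksums.txt
          files: |
            ./release/*
          draft: true
      - name: Get uploaded release YAML checksum
        uses: actions/github-script@v6
        id: get-checksums-from-draft-release
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          script: |
            const crypto = require('crypto');
            const https = require('https');
            const { owner, repo } = context.repo;

            // SHA-256 of the body served at `url`. Rejects on a request/stream
            // error or a non-200 response, so the step fails instead of hanging
            // (the promise previously never settled on error) or silently hashing
            // an error body.
            const sha256Of = (url) => new Promise((resolve, reject) => {
              const req = https.get(url, (res) => {
                if (res.statusCode !== 200) {
                  res.resume();
                  reject(new Error(`unexpected status ${res.statusCode} fetching ${url}`));
                  return;
                }
                const hash = crypto.createHash('sha256');
                res.on('data', (chunk) => hash.update(chunk));
                res.on('error', reject);
                res.on('end', () => resolve(hash.digest('hex')));
              });
              req.on('error', reject);
            });

            // https://docs.github.com/en/rest/reference/repos#list-releases
            // https://octokit.github.io/rest.js/v18#repos-list-releases
            const releases = await github.rest.repos.listReleases({ owner, repo });

            const checksums = {};
            let releaseMatched = false;
            let assetsFound = false;
            for (const r of releases.data) {
              // Only the draft release the previous step created for this tag.
              // context.ref is GITHUB_REF, used instead of interpolating the
              // expression into the script source.
              if (!(r.draft && `refs/tags/${r.tag_name}` === context.ref)) {
                continue;
              }
              releaseMatched = true;
              for (const asset of r.assets) {
                assetsFound = true;
                const assetResponse = await github.rest.repos.getReleaseAsset({
                  headers: { accept: `application/octet-stream` },
                  accept: `application/octet-stream`,
                  owner: owner,
                  repo: repo,
                  asset_id: asset.id,
                });
                // NOTE(review): the asset bytes are re-downloaded from
                // assetResponse.url with a plain https.get (no auth header, no
                // redirect following). If that endpoint answers with a redirect or
                // an error body the hash will not match and the
                // "Verify uploaded artifacts" step fails — confirm this download
                // path against a real run.
                checksums[asset.name] = await sha256Of(assetResponse.url);
                console.log(checksums);
              }
            }
            if (!releaseMatched) {
              console.log("No release matched");
            }
            if (!assetsFound) {
              console.log("No assets found for " + context.ref + " release");
            }
            // Two spaces between hash and path: must match `shasum` output
            // byte-for-byte, since the next step diffs the two listings.
            return `${checksums['release.yml']}  ./release.yml
            ${checksums['package.yml']}  ./package.yml
            ${checksums['package-metadata.yml']}  ./package-metadata.yml`
      - name: Verify uploaded artifacts
        if: startsWith(github.ref, 'refs/tags/')
        # The unused GITHUB_CONTEXT env (toJson(github)) was dropped: nothing in the
        # script read it, and the serialized github context includes github.token.
        run: |
          set -e -x
          cat ./tmp/checksums.txt
          # Fails the job if any uploaded asset differs from what was built locally.
          diff ./tmp/checksums.txt <(cat <<EOF
          ${{steps.get-checksums-from-draft-release.outputs.result}}
          EOF
          )
      - name: Run PackageCR Validation Tests
        env:
          # See "Run Package build": tag passed via env, not interpolated into bash.
          TAG_NAME: ${{ github.ref_name }}
        run: |
          set -e -x
          # deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly
          # NOTE(review): both manifests below are fetched unpinned (the `develop`
          # branch and `releases/latest`), so this step is not reproducible and
          # trusts whatever those URLs serve at run time; pin to a tag or SHA. The
          # target is the minikube cluster started in this runner, which limits the
          # blast radius to the job.
          kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y
          # Kapp-controller is needed for our PackageInstall
          kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y
          constraintVersion="$TAG_NAME"
          kubectl create ns sg
          kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y
          # installing pkg with kctrl
          kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg
          export SECRETGEN_E2E_NAMESPACE=secretgen-test
          ./hack/test-e2e.sh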