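---
# Release workflow: on a published GitHub release, build and push the
# protect-<component> container image(s) to ghcr.io, sign them with cosign
# (keyless, via the job's OIDC token), then package and push the
# protect-webhook Helm chart to the same registry.
name: Release Artifacts
run-name: 'Release run by ${{ github.actor }}'

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader treats it as the key.
on:  # yamllint disable-line rule:truthy
  # Official stable versioned release
  release:
    types:
      - published

# Workflow-wide default is read-only; each job grants only the extra scopes it needs.
permissions:
  contents: read

jobs:
  build-push-image:
    name: 'Build and publish protect-${{ matrix.component }} images'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component:
          - webhook
    permissions:
      contents: read
      packages: write  # push images to ghcr.io
      id-token: write  # Needed for cosign to use github OIDC token
    steps:
      - name: 'Harden runner'
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # `audit` records outbound connections but does not block them.
          egress-policy: audit

      - name: 'Checkout repository'
        uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v4.2.0
        with:
          submodules: recursive
          # Do not leave the job token in .git/config for later steps to pick up.
          persist-credentials: false

      - name: 'Setup docker buildx'
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

      - name: 'Login to ghcr'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: '${{ github.actor }}'
          password: '${{ github.token }}'

      - name: Docker meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        id: meta
        with:
          images: |
            ghcr.io/edera-dev/protect-${{ matrix.component }}
          # Only the semver rules fire for the `release` trigger above; the
          # branch/sha/schedule rules are kept for parity with other workflows.
          tags: |
            # Tag with branch on push
            type=ref,event=branch
            # Tag with short sha on all events
            type=sha,prefix=
            # Tag version and stable on tag push
            type=semver,pattern={{raw}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern=stable
            # Tag nightly on schedule event
            type=schedule,pattern=nightly

      - name: 'Docker build and push protect-${{ matrix.component }}'
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        id: push
        with:
          file: Dockerfile
          platforms: linux/amd64
          tags: '${{ steps.meta.outputs.tags }}'
          push: true

      - name: 'Install cosign'
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: 'Cosign sign all images'
        shell: bash
        # Sign each tag by digest (tag@sha256:...) so the signature binds the
        # pushed content rather than a mutable tag. TAGS is newline-separated;
        # the unquoted expansion relies on default IFS word splitting.
        run: |
          if [ -z "${DIGEST}" ]; then
            echo "ERROR: build step produced no image digest; refusing to sign" >&2
            exit 1
          fi
          for tag in ${TAGS}; do
            pullstring="${tag}@${DIGEST}"
            echo "Signing ${pullstring}"
            cosign sign --yes "${pullstring}"
          done
        env:
          TAGS: '${{ steps.meta.outputs.tags }}'
          DIGEST: '${{ steps.push.outputs.digest }}'

  publish-helm-chart:
    needs: build-push-image
    name: Publish Helm chart for protect-webhook
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # push the chart to ghcr.io
    steps:
      - name: 'Harden runner'
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit

      - name: Checkout
        # NOTE(review): pinned to a different actions/checkout commit than build-push-image; align both jobs on one pin.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          submodules: recursive
          persist-credentials: false

      - name: Resolve parameters
        id: resolve_parameters
        # Outputs: resolved_ref, short_sha, repository_owner (lowercased for OCI
        # paths), protect_webhook_chart_version_tag (from Chart.yaml `version:`).
        run: |
          echo "INFO: Resolving short SHA for ${GITHUB_REF}"
          echo "resolved_ref=${GITHUB_REF}" >> "${GITHUB_OUTPUT}"
          echo "short_sha=$(git rev-parse --short "${GITHUB_REF}")" >> "${GITHUB_OUTPUT}"
          echo "INFO: Normalizing repository name (lowercase)"
          echo "repository_owner=$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "${GITHUB_OUTPUT}"
          # Anchor to the start of the line so `appVersion:` is not matched as well.
          PROTECT_WEBHOOK_CHART_VERSION_TAG=$(grep -E '^version:' charts/protect-webhook/Chart.yaml | head -n 1 | cut -d " " -f 2)
          if [ -z "${PROTECT_WEBHOOK_CHART_VERSION_TAG}" ]; then
            echo "ERROR: could not read 'version:' from charts/protect-webhook/Chart.yaml" >&2
            exit 1
          fi
          echo "protect_webhook_chart_version_tag=${PROTECT_WEBHOOK_CHART_VERSION_TAG}" >> "${GITHUB_OUTPUT}"
        env:
          GITHUB_REF: '${{ github.ref }}'
          GITHUB_REPOSITORY_OWNER: '${{ github.repository_owner }}'

      - name: Set up Helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2

      - name: Publish new helm chart for protect-webhook
        # The registry token is passed through `env`, not expanded inside the
        # script: an expression in `run:` is substituted into the shell text
        # before execution, so it would appear in the generated script and in
        # any error output that echoes the command line.
        run: |
          echo "${HELM_REGISTRY_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
          helm package charts/protect-webhook/ --version="${PROTECT_WEBHOOK_CHART_VERSION_TAG}"
          helm push "protect-webhook-${PROTECT_WEBHOOK_CHART_VERSION_TAG}.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
        env:
          HELM_REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          GITHUB_ACTOR: '${{ github.actor }}'
          GITHUB_REPOSITORY_OWNER: '${{ steps.resolve_parameters.outputs.repository_owner }}'
          PROTECT_WEBHOOK_CHART_VERSION_TAG: '${{ steps.resolve_parameters.outputs.protect_webhook_chart_version_tag }}'

      - name: Job summary
        run: |
          echo "New helm chart for protect-webhook published successfully!" >> "${GITHUB_STEP_SUMMARY}"
          echo "" >> "${GITHUB_STEP_SUMMARY}"
          echo "**Parameters:**" >> "${GITHUB_STEP_SUMMARY}"
          echo "- Ref: ${RESOLVED_REF}" >> "${GITHUB_STEP_SUMMARY}"
          echo "- Short SHA: ${SHORT_SHA}" >> "${GITHUB_STEP_SUMMARY}"
          echo "- protect-webhook Chart version: ${PROTECT_WEBHOOK_CHART_VERSION_TAG}" >> "${GITHUB_STEP_SUMMARY}"
        env:
          # resolved_ref is written by the Resolve parameters step above.
          RESOLVED_REF: '${{ steps.resolve_parameters.outputs.resolved_ref }}'
          SHORT_SHA: '${{ steps.resolve_parameters.outputs.short_sha }}'
          PROTECT_WEBHOOK_CHART_VERSION_TAG: '${{ steps.resolve_parameters.outputs.protect_webhook_chart_version_tag }}'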