-
Notifications
You must be signed in to change notification settings - Fork 107
295 lines (248 loc) · 11.9 KB
/
release-process.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
name: kapp-controller release
on:
workflow_dispatch:
push:
tags:
- 'v*'
jobs:
kapp-controller-release:
name: kapp-controller release
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Carvel Tools
run: ./hack/install-deps.sh
- name: Install imgpkg
uses: carvel-dev/setup-action@v2
with:
only: imgpkg
token: ${{ secrets.GITHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go 1.x
uses: actions/setup-go@v4
with:
go-version: 1.21.6
- name: Set up Cosign
uses: sigstore/[email protected]
- name: Run release script
run: |
set -e -x
minikube start --driver=docker --wait=all
docker buildx create --name minikube --use --driver=kubernetes --bootstrap
./hack/build-release.sh
# Create release folder to store all the output artifacts
mkdir release
cp ./tmp/release.yml release/release.yml
cd cli
./hack/build-binaries.sh
cp ./kctrl-* ../release/
- name: Sign kapp-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
cosign sign --yes "$image_url"
- name: Verify signature on Kapp-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Run Package build
run: |
constraintVersion="${{ github.ref_name }}"
./cli/kctrl-linux-amd64 pkg release -y -v ${constraintVersion:1} --debug
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/metadata.yml ./carvel-artifacts/packages/kapp-controller.carvel.dev/package-metadata.yml
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/* release/
- name: Sign kapp-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign sign --yes "$image_url"
- name: Verify signature on kapp-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Generate release notes
run: |
RELEASE_TAG=$(git describe --tags --abbrev=0)
KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml)
KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
RELEASE_NOTES="
<details>
<summary><h2>Installation and signature verification</h2></summary>
## Installation of kctrl
#### By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Download the binary
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64
# Move the binary in to your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl
\`\`\`
#### Via Homebrew (macOS or Linux)
\`\`\`shell
$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version
\`\`\`
## Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
\`\`\`shell
# Download the checksums file, certificate, and signature
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
### Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
\`\`\`
### Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
\`\`\`
## Installation of kapp-controller
kapp-controller can be installed by using kapp
\`\`\`shell
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
or by using kubectl
\`\`\`shell
kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
### Container Images
Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.
### OCI Image URLs
- $KAPP_CONTROLLER_IMAGE
- $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE
### Verify container image signature
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
\`\`\`shell
# Verifying kapp-controller image
cosign verify $KAPP_CONTROLLER_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
# Verifying kapp-controller-package-bundle image
cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
\`\`\`
</summary>
</details>
"
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt
- name: Create formatted checksum and add it to release notes
run: |
pushd release
shasum -a 256 ./release.yml ./kctrl-* ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
popd
echo "# :open_file_folder: Files Checksum" | tee ./tmp/checksums-formatted.txt
echo '```' | tee -a ./tmp/checksums-formatted.txt
cat ./tmp/checksums.txt | tee -a ./tmp/checksums-formatted.txt
echo '```' | tee -a ./tmp/checksums-formatted.txt
cat ./tmp/checksums-formatted.txt | tee -a ./tmp/release_notes.txt
- name: Sign checksums.txt
run: |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert release/checksums.txt.pem \
--signature release/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
- name: Create release draft and upload release yaml
uses: softprops/[email protected]
with:
name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
body_path: ./tmp/release_notes.txt
files: |
./release/*
./tmp/checksums.txt
draft: true
prerelease: true
- name: Get uploaded release YAML checksum
uses: actions/[email protected]
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/')
with:
github-token: ${{secrets.GITHUB_TOKEN}}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.rest.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
for (const asset of r.assets) {
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
}
}
}
console.log(checksums)
return `${checksums['release.yml']} ./release.yml
${checksums['kctrl-darwin-amd64']} ./kctrl-darwin-amd64
${checksums['kctrl-darwin-arm64']} ./kctrl-darwin-arm64
${checksums['kctrl-linux-amd64']} ./kctrl-linux-amd64
${checksums['kctrl-linux-arm64']} ./kctrl-linux-arm64
${checksums['kctrl-windows-amd64.exe']} ./kctrl-windows-amd64.exe
${checksums['package.yml']} ./package.yml
${checksums['package-metadata.yml']} ./package-metadata.yml`
- name: Verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
cat ./tmp/checksums.txt
diff ./tmp/checksums.txt <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)