forked from zarf-dev/zarf
-
Notifications
You must be signed in to change notification settings - Fork 0
204 lines (171 loc) · 7.48 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
name: Release CLI and Packages on Tag
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
build-release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: install grype
env:
VERSION: v0.74.6
run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
shell: bash
- name: Build CLI
run: |
make build-cli-linux-amd
make build-cli-linux-arm
- name: "Zarf Agent: Login to GHCR"
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: dummy
password: ${{ github.token }}
- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME .
rm build/zarf-linux-amd64
rm build/zarf-linux-arm64
echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
- name: Auth with AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
aws-region: us-east-2
role-duration-seconds: 3600
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
env:
COSIGN_EXPERIMENTAL: 1
# Builds init packages since GoReleaser won't handle this for us
- name: Build init-packages For Release
run: |
make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
- name: Publish Init Package as OCI and Skeleton
run: |
make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
# Create a CVE report based on this build
- name: Create release time CVE report
run: "make cve-report"
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: build-artifacts
path: build/
retention-days: 1
validate-release:
runs-on: ubuntu-latest
needs: build-release
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Download build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
path: build/
- name: Setup golang
uses: ./.github/actions/golang
- name: Make Zarf executable
run: |
chmod +x build/zarf
# Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
# Build the example packages and run the tests
- name: Build examples and run tests
run: |
sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
- name: Save logs
if: always()
uses: ./.github/actions/save-logs
create-release:
runs-on: ubuntu-latest
needs: validate-release
environment: release
permissions:
contents: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: Download build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
path: build/
- name: Make zarf executable and skip brew latest for pre-release tags
run: |
chmod +x build/zarf
if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
else
echo "BREW_NAME=zarf" >> $GITHUB_ENV
fi
# Before we run the release we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
- name: Setup release ENV vars
run: |
K8S_MODULES_VER=$(go list -f '{{.Version}}' -m k8s.io/client-go | sed 's/v//; s/\./ /g')
echo K8S_MODULES_MAJOR_VER=$(expr $(echo "$K8S_MODULES_VER" | cut -d " " -f 1) + 1) >> $GITHUB_ENV
echo K8S_MODULES_MINOR_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 2) >> $GITHUB_ENV
echo K8S_MODULES_PATCH_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 3) >> $GITHUB_ENV
echo K9S_VERSION=$(go list -f '{{.Version}}' -m github.com/derailed/k9s) >> $GITHUB_ENV
echo CRANE_VERSION=$(go list -f '{{.Version}}' -m github.com/google/go-containerregistry) >> $GITHUB_ENV
echo SYFT_VERSION=$(go list -f '{{.Version}}' -m github.com/anchore/syft) >> $GITHUB_ENV
echo ARCHIVER_VERSION=$(go list -f '{{.Version}}' -m github.com/mholt/archiver/v3) >> $GITHUB_ENV
echo HELM_VERSION=$(go list -f '{{.Version}}' -m helm.sh/helm/v3) >> $GITHUB_ENV
- name: Get Brew tap repo token
id: brew-tap-token
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
with:
app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
owner: defenseunicorns
repositories: homebrew-tap
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: "~> v2"
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}
- name: Save CVE report
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: cve-report
path: build/zarf-known-cves.csv