[backport -> release/3.9.x] fix(wasm): execute filter plugins in a consistent order #17438
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package & Release | |
# The workflow to build and release official Kong packages and images. | |
on: # yamllint disable-line rule:truthy | |
pull_request: | |
paths-ignore: | |
- '**/*.md' | |
- '.github/workflows/build_and_test.yml' | |
- 'changelog/**' | |
- 'kong.conf.default' | |
schedule: | |
- cron: '0 0 * * *' | |
push: | |
branches: | |
- master | |
workflow_dispatch: | |
inputs: | |
official: | |
description: 'Official release?' | |
required: true | |
type: boolean | |
default: false | |
version: | |
description: 'Release version, e.g. `3.0.0.0-beta.2`' | |
required: true | |
type: string | |
# `commit-ly` is a flag that indicates whether the build should be run per commit. | |
env: | |
# official release repo | |
DOCKER_REPOSITORY: kong/kong | |
PRERELEASE_DOCKER_REPOSITORY: kong/kong | |
FULL_RELEASE: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.actor == 'dependabot[bot]'}} | |
# only for PR | |
GHA_CACHE: ${{ github.event_name == 'pull_request' }} | |
# PRs opened from fork and from dependabot don't have access to repo secrets | |
HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} | |
jobs: | |
metadata: | |
name: Metadata | |
runs-on: ubuntu-24.04 | |
outputs: | |
kong-version: ${{ steps.build-info.outputs.kong-version }} | |
prerelease-docker-repository: ${{ env.PRERELEASE_DOCKER_REPOSITORY }} | |
docker-repository: ${{ steps.build-info.outputs.docker-repository }} | |
release-desc: ${{ steps.build-info.outputs.release-desc }} | |
release-label: ${{ steps.build-info.outputs.release-label || '' }} | |
deploy-environment: ${{ steps.build-info.outputs.deploy-environment }} | |
matrix: ${{ steps.build-info.outputs.matrix }} | |
arch: ${{ steps.build-info.outputs.arch }} | |
# use github.event.pull_request.head.sha instead of github.sha on a PR, as github.sha on PR is the merged commit (temporary commit) | |
commit-sha: ${{ github.event.pull_request.head.sha || github.sha }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Info | |
id: build-info | |
run: | | |
KONG_VERSION=$(bash scripts/grep-kong-version.sh) | |
echo "kong-version=$KONG_VERSION" >> $GITHUB_OUTPUT | |
if [ "${{ github.event_name == 'schedule' }}" == "true" ]; then | |
echo "release-label=$(date -u +'%Y%m%d')" >> $GITHUB_OUTPUT | |
fi | |
matrix_file=".github/matrix-commitly.yml" | |
if [ "$FULL_RELEASE" == "true" ]; then | |
matrix_file=".github/matrix-full.yml" | |
fi | |
if [ "${{ github.event.inputs.official }}" == "true" ]; then | |
release_desc="$KONG_VERSION (official)" | |
echo "docker-repository=$DOCKER_REPOSITORY" >> $GITHUB_OUTPUT | |
echo "deploy-environment=release" >> $GITHUB_OUTPUT | |
else | |
release_desc="$KONG_VERSION (pre-release)" | |
echo "docker-repository=$PRERELEASE_DOCKER_REPOSITORY" >> $GITHUB_OUTPUT | |
fi | |
echo "release-desc=$release_desc" >> $GITHUB_OUTPUT | |
echo "matrix=$(yq -I=0 -o=json $matrix_file)" >> $GITHUB_OUTPUT | |
echo "docker-test-image=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.event.pull_request.head.sha || github.sha }}" >> $GITHUB_OUTPUT | |
cat $GITHUB_OUTPUT | |
echo "### :package: Building and packaging for $release_desc" >> $GITHUB_STEP_SUMMARY | |
echo >> $GITHUB_STEP_SUMMARY | |
echo '- event_name: ${{ github.event_name }}' >> $GITHUB_STEP_SUMMARY | |
echo '- ref_name: ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY | |
echo '- inputs.version: ${{ github.event.inputs.version }}' >> $GITHUB_STEP_SUMMARY | |
echo >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
cat $GITHUB_OUTPUT >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
build-packages: | |
needs: metadata | |
name: Build & Package - ${{ matrix.label }} | |
environment: ${{ needs.metadata.outputs.deploy-environment }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}" | |
runs-on: ubuntu-24.04 | |
container: | |
image: ${{ matrix.image }} | |
options: --privileged | |
steps: | |
- name: Early Rpm Setup | |
if: matrix.package == 'rpm' && matrix.image != '' | |
run: | | |
# tar/gzip is needed to restore git cache (if available) | |
yum install -y tar gzip which file zlib-devel | |
- name: Early Deb in Container Setup | |
if: matrix.package == 'deb' && matrix.image != '' | |
run: | | |
# tar/gzip is needed to restore git cache (if available) | |
apt-get update | |
apt-get install -y git tar gzip file sudo | |
- name: Cache Git | |
id: cache-git | |
if: (matrix.package == 'rpm') && matrix.image != '' | |
uses: actions/cache@v4 | |
with: | |
path: /usr/local/git | |
key: ${{ matrix.label }}-git-2.41.0 | |
# el-7,8, amazonlinux-2,2023 doesn't have git 2.18+, so we need to install it manually | |
- name: Install newer Git | |
if: (matrix.package == 'rpm') && matrix.image != '' && steps.cache-git.outputs.cache-hit != 'true' | |
run: | | |
if which apt 2>/dev/null; then | |
apt update | |
apt install -y wget libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev gettext make gcc autoconf sudo | |
else | |
yum update -y | |
yum groupinstall -y 'Development Tools' | |
yum install -y wget zlib-devel openssl-devel curl-devel expat-devel gettext-devel perl-CPAN perl-devel | |
fi | |
wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.41.0.tar.gz | |
tar xf git-2.41.0.tar.gz | |
cd git-2.41.0 | |
make configure | |
./configure --prefix=/usr/local/git | |
make -j$(nproc) | |
make install | |
- name: Add Git to PATH | |
if: (matrix.package == 'rpm') && matrix.image != '' | |
run: | | |
echo "/usr/local/git/bin" >> $GITHUB_PATH | |
- name: Checkout Kong source code | |
uses: actions/checkout@v4 | |
- name: Swap git with https | |
run: git config --global url."https://github".insteadOf git://github | |
- name: Generate build cache key | |
id: cache-key | |
if: env.GHA_CACHE == 'true' | |
uses: ./.github/actions/build-cache-key | |
with: | |
prefix: ${{ matrix.label }}-build | |
extra: | | |
${{ hashFiles('kong/**') }} | |
- name: Cache Packages | |
id: cache-deps | |
if: env.GHA_CACHE == 'true' | |
uses: actions/cache@v4 | |
with: | |
path: bazel-bin/pkg | |
key: ${{ steps.cache-key.outputs.cache-key }} | |
- name: Set .requirements into environment variables | |
run: | | |
grep -v '^#' .requirements >> $GITHUB_ENV | |
- name: Setup Bazel | |
uses: bazel-contrib/setup-bazel@e403ad507104847c3539436f64a9e9eecc73eeec #0.8.5 | |
with: | |
bazelisk-version: "1.20.0" | |
# Avoid downloading Bazel every time. | |
bazelisk-cache: true | |
- name: Install Deb Dependencies | |
if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' | |
run: | | |
sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \ | |
automake \ | |
build-essential \ | |
curl \ | |
file \ | |
libyaml-dev \ | |
m4 \ | |
perl \ | |
pkg-config \ | |
unzip \ | |
zlib1g-dev | |
- name: Install Ubuntu Cross Build Dependencies (arm64) | |
if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64') | |
run: | | |
sudo apt-get install crossbuild-essential-arm64 -y | |
- name: Install Rpm Dependencies | |
if: matrix.package == 'rpm' && matrix.image != '' | |
run: | | |
yum groupinstall -y 'Development Tools' | |
dnf install -y 'dnf-command(config-manager)' | |
dnf config-manager --set-enabled powertools || true # enable devel packages on rockylinux:8 | |
dnf config-manager --set-enabled crb || true # enable devel packages on rockylinux:9 | |
yum install -y libyaml-devel | |
yum install -y cpanminus || (yum install -y perl && curl -L https://raw.githubusercontent.com/miyagawa/cpanminus/master/cpanm | perl - App::cpanminus) # amazonlinux2023 removed cpanminus | |
# required for openssl 3.x config | |
cpanm IPC/Cmd.pm | |
- name: Build Kong dependencies | |
if: steps.cache-deps.outputs.cache-hit != 'true' | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
bazel build --config release //build:kong --verbose_failures ${{ matrix.bazel-args }} | |
- name: Package Kong - ${{ matrix.package }} | |
if: matrix.package != 'rpm' && steps.cache-deps.outputs.cache-hit != 'true' | |
run: | | |
bazel build --config release :kong_${{ matrix.package }} --verbose_failures ${{ matrix.bazel-args }} | |
- name: Package Kong - rpm | |
if: matrix.package == 'rpm' && steps.cache-deps.outputs.cache-hit != 'true' | |
env: | |
RELEASE_SIGNING_GPG_KEY: ${{ secrets.RELEASE_SIGNING_GPG_KEY }} | |
NFPM_RPM_PASSPHRASE: ${{ secrets.RELEASE_SIGNING_GPG_KEY_PASSPHRASE }} | |
run: | | |
if [ -n "${RELEASE_SIGNING_GPG_KEY:-}" ]; then | |
RPM_SIGNING_KEY_FILE=$(mktemp) | |
echo "$RELEASE_SIGNING_GPG_KEY" > $RPM_SIGNING_KEY_FILE | |
export RPM_SIGNING_KEY_FILE=$RPM_SIGNING_KEY_FILE | |
fi | |
bazel build --config release :kong_${{ matrix.package-type }} --action_env=RPM_SIGNING_KEY_FILE --action_env=NFPM_RPM_PASSPHRASE ${{ matrix.bazel-args }} | |
- name: Bazel Debug Outputs | |
if: failure() | |
run: | | |
cat bazel-out/_tmp/actions/stderr-* | |
sudo dmesg || true | |
tail -n500 bazel-out/**/*/CMake.log || true | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.label }}-packages | |
path: bazel-bin/pkg | |
retention-days: 3 | |
verify-manifest-packages: | |
needs: [metadata, build-packages] | |
name: Verify Manifest - Package ${{ matrix.label }} | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.label }}-packages | |
path: bazel-bin/pkg | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
cache: 'pip' # caching pip dependencies | |
- name: Verify | |
run: | | |
cd scripts/explain_manifest | |
pip install -r requirements.txt | |
pkg=$(ls ../../bazel-bin/pkg/kong* |head -n1) | |
python ./main.py -f filelist.txt -p $pkg -o test.txt -s ${{ matrix.check-manifest-suite }} | |
build-images: | |
name: Build Images - ${{ matrix.label }} | |
needs: [metadata, build-packages] | |
runs-on: ubuntu-24.04 | |
permissions: | |
# create comments on commits for docker images needs the `write` permission | |
contents: write | |
strategy: | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.artifact-from }}-packages | |
path: bazel-bin/pkg | |
- name: Download artifact (alt) | |
if: matrix.artifact-from-alt != '' | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.artifact-from-alt }}-packages | |
path: bazel-bin/pkg | |
- name: Login to Docker Hub | |
if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }} | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0 | |
with: | |
username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} | |
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
env: | |
DOCKER_METADATA_PR_HEAD_SHA: true | |
with: | |
images: ${{ needs.metadata.outputs.prerelease-docker-repository }} | |
tags: | | |
type=raw,${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
type=raw,enable=${{ matrix.label == 'ubuntu' }},${{ needs.metadata.outputs.commit-sha }} | |
- name: Set up QEMU | |
if: matrix.docker-platforms != '' | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Set platforms | |
id: docker_platforms_arg | |
run: | | |
platforms="${{ matrix.docker-platforms }}" | |
if [[ -z "$platforms" ]]; then | |
platforms="linux/amd64" | |
fi | |
echo "platforms=$platforms" | |
echo "platforms=$platforms" >> $GITHUB_OUTPUT | |
- name: Set rpm platform | |
id: docker_rpm_platform_arg | |
if: matrix.package == 'rpm' | |
run: | | |
rpm_platform="${{ matrix.rpm_platform }}" | |
if [[ -z "$rpm_platform" ]]; then | |
rpm_platform="el9" | |
fi | |
echo "rpm_platform=$rpm_platform" | |
echo "rpm_platform=$rpm_platform" >> $GITHUB_OUTPUT | |
- name: Build Docker Image | |
uses: docker/build-push-action@v5 | |
with: | |
file: build/dockerfiles/${{ matrix.package }}.Dockerfile | |
context: . | |
push: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: ${{ steps.docker_platforms_arg.outputs.platforms }} | |
build-args: | | |
KONG_BASE_IMAGE=${{ matrix.base-image }} | |
KONG_ARTIFACT_PATH=bazel-bin/pkg | |
KONG_VERSION=${{ needs.metadata.outputs.kong-version }} | |
RPM_PLATFORM=${{ steps.docker_rpm_platform_arg.outputs.rpm_platform }} | |
EE_PORTS=8002 8445 8003 8446 8004 8447 | |
- name: Comment on commit | |
if: github.event_name == 'push' && matrix.label == 'ubuntu' | |
uses: peter-evans/commit-comment@5a6f8285b8f2e8376e41fe1b563db48e6cf78c09 # v3.0.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
body: | | |
### Bazel Build | |
Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}` | |
Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
verify-manifest-images: | |
needs: [metadata, build-images] | |
name: Verify Manifest - Image ${{ matrix.label }} | |
runs-on: ubuntu-24.04 | |
if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
strategy: | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
cache: 'pip' # caching pip dependencies | |
- name: Verify | |
run: | | |
cd scripts/explain_manifest | |
# docker image verify requires sudo to set correct permissions, so we | |
# also install deps for root | |
sudo -E pip install -r requirements.txt | |
IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image | |
if [[ ! -z "${{ matrix.docker-platforms }}" ]]; then | |
DOCKER_DEFAULT_PLATFORM=linux/arm64 sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image | |
fi | |
scan-images: | |
name: Scan Images - ${{ matrix.label }} | |
needs: [metadata, build-images] | |
runs-on: ubuntu-24.04 | |
timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }} | |
if: |- | |
always() | |
&& vars.DISABLE_SCA_SCAN == 'false' | |
&& fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != '' | |
&& needs.build-images.result == 'success' | |
&& (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')) | |
strategy: | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}" | |
env: | |
IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
steps: | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@main | |
- name: Login to Docker Hub | |
if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }} | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0 | |
with: | |
username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} | |
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} | |
# TODO: Refactor matrix file to support and parse platforms specific to distro | |
# Workaround: Look for specific amd64 and arm64 hardcooded architectures | |
- name: Parse Architecture Specific Image Manifest Digests | |
id: image_manifest_metadata | |
run: | | |
manifest_list_exists="$( | |
if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then | |
echo true | |
else | |
echo false | |
fi | |
)" | |
echo "manifest_list_exists=$manifest_list_exists" | |
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT | |
amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')" | |
arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')" | |
echo "amd64_sha=$amd64_sha" | |
echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT | |
echo "arm64_sha=$arm64_sha" | |
echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT | |
- name: Scan AMD64 Image digest | |
id: sbom_action_amd64 | |
if: steps.image_manifest_metadata.outputs.amd64_sha != '' | |
uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3 | |
with: | |
asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64 | |
image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
skip_cis_scan: true # FIXME | |
- name: Scan ARM64 Image digest | |
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' | |
id: sbom_action_arm64 | |
uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3 | |
with: | |
asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64 | |
image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
skip_cis_scan: true # FIXME | |
release-packages: | |
name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} | |
needs: [metadata, build-packages, build-images] | |
runs-on: ubuntu-24.04 | |
if: fromJSON(needs.metadata.outputs.matrix)['release-packages'] != '' | |
timeout-minutes: 5 # PULP takes a while to publish | |
environment: release | |
strategy: | |
# limit to 3 jobs at a time | |
max-parallel: 3 | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['release-packages'] }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.artifact-from }}-packages | |
path: bazel-bin/pkg | |
- name: Set package architecture | |
id: pkg-arch | |
run: | | |
arch='amd64' | |
if [[ '${{ matrix.label }}' == *'arm64' ]]; then | |
arch='arm64' | |
fi | |
echo "arch=$arch" | |
echo "arch=$arch" >> $GITHUB_OUTPUT | |
- name: Upload Packages | |
env: | |
ARCHITECTURE: ${{ steps.pkg-arch.outputs.arch }} | |
OFFICIAL_RELEASE: ${{ github.event.inputs.official }} | |
ARTIFACT_VERSION: ${{ matrix.artifact-version }} | |
ARTIFACT_TYPE: ${{ matrix.artifact-type }} | |
ARTIFACT: ${{ matrix.artifact }} | |
INPUT_VERSION: ${{ github.event.inputs.version }} | |
PACKAGE_TYPE: ${{ matrix.package }} | |
KONG_RELEASE_LABEL: ${{ needs.metadata.outputs.release-label }} | |
VERBOSE: ${{ runner.debug == '1' && '1' || '' }} | |
CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
CLOUDSMITH_DRY_RUN: '' | |
IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }} | |
USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }} | |
run: | | |
sha256sum bazel-bin/pkg/* | |
# set the version input as tags passed to release-scripts | |
# note: release-scripts rejects user tags if missing internal flag | |
# | |
# this can be a comma-sepratated list of tags to apply | |
if [[ "$OFFICIAL_RELEASE" == 'false' ]]; then | |
if echo "$INPUT_VERSION" | grep -qs -E 'rc|alpha|beta|nightly'; then | |
PACKAGE_TAGS="$INPUT_VERSION" | |
export PACKAGE_TAGS | |
fi | |
fi | |
scripts/release-kong.sh | |
release-images: | |
name: Release Images - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} | |
needs: [metadata, build-images] | |
runs-on: ubuntu-24.04 | |
if: fromJSON(needs.metadata.outputs.matrix)['release-images'] != '' | |
strategy: | |
# limit to 3 jobs at a time | |
max-parallel: 3 | |
fail-fast: false | |
matrix: | |
include: "${{ fromJSON(needs.metadata.outputs.matrix)['release-images'] }}" | |
steps: | |
- name: Login to Docker Hub | |
if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }} | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0 | |
with: | |
username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} | |
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: Get latest commit SHA on master | |
run: | | |
echo "latest_sha=$(git ls-remote origin -h refs/heads/master | cut -f1)" >> $GITHUB_ENV | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ needs.metadata.outputs.docker-repository }} | |
sep-tags: " " | |
tags: | | |
type=raw,value=latest,enable=${{ matrix.label == 'ubuntu' && github.ref_name == 'master' && env.latest_sha == needs.metadata.outputs.commit-sha }} | |
type=match,enable=${{ github.event_name == 'workflow_dispatch' }},pattern=\d.\d,value=${{ github.event.inputs.version }} | |
type=match,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},pattern=\d.\d,value=${{ github.event.inputs.version }},suffix= | |
type=raw,enable=${{ github.event_name == 'workflow_dispatch' }},${{ github.event.inputs.version }} | |
type=raw,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},${{ github.event.inputs.version }},suffix= | |
type=ref,event=branch | |
type=ref,enable=${{ matrix.label == 'ubuntu' }},event=branch,suffix= | |
type=ref,event=tag | |
type=ref,enable=${{ matrix.label == 'ubuntu' }},event=tag,suffix= | |
type=ref,event=pr | |
type=schedule,pattern=nightly | |
type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern=nightly,suffix= | |
type=schedule,pattern={{date 'YYYYMMDD'}} | |
type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern={{date 'YYYYMMDD'}},suffix= | |
flavor: | | |
latest=false | |
suffix=-${{ matrix.label }} | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc | |
- name: Push Images | |
if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }} | |
env: | |
TAGS: "${{ steps.meta.outputs.tags }}" | |
run: | | |
PRERELEASE_IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} | |
docker pull $PRERELEASE_IMAGE | |
for tag in $TAGS; do | |
regctl -v debug image copy $PRERELEASE_IMAGE $tag | |
done |