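---
# Reusable release workflow for one tool under the repo's tools tree.
# Every call builds the tool's tarballs and pushes a container image to GHCR;
# a GitHub release with the tarballs attached is only filed on tag pushes
# (see the `setup` step, which derives `version` / `should-release` /
# `is-prerelease` from the ref the caller was triggered on).
# yamllint disable-line rule:truthy
on:
  workflow_call:
    inputs:
      tool-directory:
        type: string
        # Every step below runs relative to this directory (Makefile, go.mod,
        # go.sum, build context); an empty value would silently point them at
        # the repo root, so make the caller supply it explicitly.
        required: true
        description: Path to the tool's directory, relative to repo root
      dockerfile-path:
        type: string
        description: Path to the tool's dockerfile, relative to repo root
        default: ./tools/repo-release-tooling/Dockerfile
jobs:
  release:
    name: Release
    runs-on: ubuntu-22.04-8core
    permissions:
      contents: write # Needed to create the release
      packages: write # Needed to upload the images to GHCR
    steps:
      # Setup
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Get the name of the tool
        working-directory: ${{ inputs.tool-directory }}
        # TOOL_NAME is read by the later steps (tag stripping, image name,
        # build-args, release title) via $TOOL_NAME / env.TOOL_NAME.
        run: set -euo pipefail; echo "TOOL_NAME=$(make print-tool-name)" >> "${GITHUB_ENV}"
      - name: Create event-specific values
        id: setup
        working-directory: ${{ inputs.tool-directory }}
        # Outputs: version, should-release, is-prerelease. All three are set
        # explicitly on every path so later `== 'true'` / `!= 'true'` checks
        # never depend on an unset output.
        run: |
          set -euo pipefail
          # Determine if the workflow was triggered via a push to main or a tag
          # and get the version based off of that
          if [[ "${GITHUB_REF}" =~ refs/tags/.* ]]; then
            # Transforms tag refs like refs/tags/tools/${TOOL_NAME}/v1.2.3 into v1.2.3.
            # A tag that does not carry this tool's prefix is left untouched
            # (the whole ref stays in VERSION) and is rejected by the
            # Makefile-version comparison below.
            VERSION="${GITHUB_REF#refs/tags/tools/${TOOL_NAME}/}"
            echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
            # Eventually the parse-version action from the teleport.e repo
            # should move into this repo and replace this logic
            echo "should-release=true" >> "${GITHUB_OUTPUT}"
            # Any '-' character in the version means that it is a prerelease
            if [[ "${VERSION}" == *-* ]]; then
              echo "is-prerelease=true" >> "${GITHUB_OUTPUT}"
            else
              echo "is-prerelease=false" >> "${GITHUB_OUTPUT}"
            fi
            # Verify that the tag version matches the tool version
            MAKEFILE_VERSION="$(make print-version)"
            if [[ "${MAKEFILE_VERSION}" != "${VERSION}" ]]; then
              echo "Makefile version '${MAKEFILE_VERSION}' does not match tag '${VERSION}'" >&2
              exit 1
            fi
          else
            # Branch push or pull request: build and push images only.
            echo "should-release=false" >> "${GITHUB_OUTPUT}"
            echo "is-prerelease=false" >> "${GITHUB_OUTPUT}"
          fi
      # Build the binaries
      - name: Setup Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version-file: "${{ inputs.tool-directory }}/go.mod"
          cache-dependency-path: "${{ inputs.tool-directory }}/go.sum"
      - name: Build the project
        working-directory: ${{ inputs.tool-directory }}
        run: |
          set -euo pipefail
          make tarball OS=linux ARCH=amd64
          make tarball OS=linux ARCH=arm64
          make tarball OS=darwin ARCH=amd64
          make tarball OS=darwin ARCH=arm64
          make tarball OS=windows ARCH=amd64
      # Build and push the image
      - name: Install docker buildx
        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
      - name: Login to GitHub Container Registry
        id: login-ghcr
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # The job-scoped GITHUB_TOKEN (packages: write above) is enough for
          # GHCR; no long-lived registry credential is needed.
          password: ${{ secrets.GITHUB_TOKEN }}
      # TODO move this to `make container-image` or similar.
      # Using these to actions for now because they greatly reduce the amount
      # of in-house logic required
      - name: Prepare container image labels and tags
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/${{ env.TOOL_NAME }}
          flavor: |
            latest=false
          # Enable sha tag on branch push events and pull requests.
          # Enable semver tags on tag push events, but don't overwrite major/minor tags for prereleases.
          # Semver tags won't be generated except upon tag events.
          tags: |
            type=sha,prefix=v0.0.0-{{branch}}-,enable=${{ startsWith(github.ref, 'refs/heads/') }}
            type=sha,prefix=v0.0.0-{{base_ref}}-,enable=${{ github.event_name == 'pull_request' }}
            type=semver,pattern={{major}},value=${{ steps.setup.outputs.version }},enable=${{ steps.setup.outputs.is-prerelease != 'true' }}
            type=semver,pattern={{major}}.{{minor}},value=${{ steps.setup.outputs.version }},enable=${{ steps.setup.outputs.is-prerelease != 'true' }}
            type=semver,pattern={{version}},value=${{ steps.setup.outputs.version }}
      - name: Build the container image and push
        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
        with:
          context: ${{ inputs.tool-directory }}
          file: ${{ inputs.dockerfile-path }}
          build-args: TOOL_NAME=${{ env.TOOL_NAME }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: |
            linux/amd64
            linux/arm64
          # Attach BuildKit provenance and SBOM attestations to the pushed image.
          provenance: true
          sbom: true
      # File a new release with the tarballs attached
      - name: Create a new GitHub release
        if: ${{ steps.setup.outputs.should-release == 'true' }}
        working-directory: ${{ inputs.tool-directory }}
        env:
          VERSION: ${{ steps.setup.outputs.version }}
          IS_PRERELEASE: ${{ steps.setup.outputs.is-prerelease }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          if [[ "${IS_PRERELEASE}" == 'true' ]]; then
            EXTRA_FLAGS=("--prerelease")
          else
            EXTRA_FLAGS=("--latest")
          fi
          readarray -d '' RELEASE_TARBALLS < <(
            find . -name '*.tar.gz' -print0
          )
          # Refuse to publish an asset-less release: with an empty array the
          # `ls` below would just list the directory and `gh release create`
          # would succeed with no files attached.
          if (( ${#RELEASE_TARBALLS[@]} == 0 )); then
            echo "No *.tar.gz tarballs found to attach to the ${VERSION} release" >&2
            exit 1
          fi
          echo "Creating a release for ${VERSION} with files:"
          ls -lh "${RELEASE_TARBALLS[@]}"
          # --verify-tag ensures the tag already exists on the remote, so the
          # release is tied to the pushed ref rather than creating a new tag.
          gh release create --title "${TOOL_NAME} ${VERSION}" --verify-tag \
            --generate-notes "${EXTRA_FLAGS[@]}" "${GITHUB_REF_NAME}" \
            "${RELEASE_TARBALLS[@]}"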