build kotsadm-migrations, rqlite, minio, and dex with apko and melang… #1696
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- "v*.*.*" | |
branches: | |
- main | |
jobs: | |
generate-tag: | |
runs-on: ubuntu-20.04 | |
outputs: | |
tag: ${{ github.ref_type == 'branch' && steps.get_tag.outputs.GIT_TAG || github.ref_name }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Get tags | |
id: get_tag | |
uses: ./.github/actions/version-tag | |
- name: Push tag | |
if: github.ref_type == 'branch' | |
env: | |
GIT_TAG: ${{ steps.get_tag.outputs.GIT_TAG }} | |
run: | | |
git tag "$GIT_TAG" | |
git push origin "$GIT_TAG" | |
image-deps-updater: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Run Update Script | |
env: | |
GITHUB_AUTH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }} | |
run: | | |
go run ./cmd/imagedeps | |
- name: Create Pull Request # creates a PR if there are differences | |
uses: peter-evans/create-pull-request@v5 | |
id: cpr | |
with: | |
token: ${{ secrets.NIGHTLY_GH_PAT }} | |
commit-message: update kots image dependency tags | |
title: 'Automated Kots Image Dependency Tag Update' | |
branch: automation/image-dependencies | |
delete-branch: true | |
labels: | | |
automated-pr | |
images | |
type::security | |
draft: false | |
base: "main" | |
body: "Automated changes by the [release](https://github.com/replicatedhq/kots/blob/main/.github/workflows/release.yaml) GitHub action" | |
- name: Check outputs | |
run: | | |
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" | |
build-kotsadm-migrations: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-push-kotsadm-migrations-image | |
with: | |
image-name: index.docker.io/kotsadm/kotsadm-migrations:${{ needs.generate-tag.outputs.tag }} | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-web: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '18.x' | |
- name: Build web | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C web deps build-kotsadm | |
- name: Upload web artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
build-kurl-proxy: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
cache: true | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-push-kurl-proxy-image | |
with: | |
image-name: index.docker.io/kotsadm/kurl-proxy:${{ needs.generate-tag.outputs.tag }} | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kots: | |
runs-on: ubuntu-20.04 | |
needs: [build-web, generate-tag] | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-kots-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-kots- | |
- name: Download web artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Build KOTS | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
SCOPE_DSN_PUBLIC: "" | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make ci-test kots | |
- name: Upload Go API artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kots | |
path: ./bin/kots | |
build-minio: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- uses: ./.github/actions/build-push-image-with-apko | |
with: | |
apko-config: deploy/minio/apko.yaml | |
image-name: index.docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-rqlite: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- uses: ./.github/actions/build-push-image-with-apko | |
with: | |
apko-config: deploy/rqlite/apko.yaml | |
image-name: index.docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-dex: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- uses: ./.github/actions/build-push-image-with-apko | |
with: | |
apko-config: deploy/dex/apko.yaml | |
image-name: index.docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kotsadm: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
permissions: | |
id-token: write # required to be able to assume the GCP SA identity to pull private Chainguard packages. | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-push-kotsadm-image | |
with: | |
chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }} | |
chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }} | |
chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }} | |
image-name: index.docker.io/kotsadm/kotsadm:${{ needs.generate-tag.outputs.tag }} | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-release: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-kotsadm-migrations, build-kotsadm, build-minio, build-rqlite, build-dex] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- name: Build tagged release | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
DOCKER_CONFIG: ./.docker | |
run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make build-release | |
- name: Upload kotsadm release | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kotsadm-release | |
path: ./bin/docker-archive | |
goreleaser: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [generate-tag, build-web] | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.20.0' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Cache Go modules | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-goreleaser-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-goreleaser- | |
- name: Unshallow | |
run: git fetch --prune --unshallow | |
- run: sudo apt-get update -y | |
- run: sudo apt-get -qq -y install gnupg2 libdevmapper-dev libgpgme-dev libc6-dev-i386 btrfs-progs libbtrfs-dev pkg-config | |
- name: set previous release tag for goreleaser | |
run: | | |
TAG="$(curl --silent "https://api.github.com/repos/replicatedhq/kots/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')" | |
export TAG | |
echo "GORELEASER_PREVIOUS_TAG=${TAG}" >> "$GITHUB_ENV" | |
- uses: sigstore/cosign-installer@main | |
with: | |
cosign-release: 'v1.2.1' | |
- name: Get Cosign Key | |
run: | | |
echo "$COSIGN_KEY" | base64 -d > ./cosign.key | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
- name: Download web artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: web | |
path: ./web/dist | |
- name: Generate SBOM | |
run: | | |
set -x | |
make sbom | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: "v1.2.5" | |
args: release --rm-dist --config deploy/.goreleaser.yaml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_CURRENT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
generate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
needs: [ generate-tag, build-kurl-proxy, build-kots, build-release ] | |
outputs: | |
addon_package_url: ${{ steps.addon-generate.outputs.addon_package_url }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- name: download kots binary | |
uses: actions/download-artifact@v3 | |
with: | |
name: kots | |
path: bin/ | |
- name: prepare kots binary executable | |
run: | | |
chmod +x bin/* | |
tar -C bin/ -czvf bin/kots.tar.gz kots | |
- uses: ./.github/actions/kurl-addon-kots-generate | |
id: addon-generate | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
s3_prefix: "${{ github.ref_type != 'branch' && '' || 'test/' }}" | |
kotsadm_binary_override: bin/kots.tar.gz | |
# only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**" | |
kurl-addon-changes-filter: | |
runs-on: ubuntu-20.04 | |
outputs: | |
ok-to-test: ${{ steps.filter.outputs.kurl-addon }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dorny/paths-filter@v2 | |
id: filter | |
with: | |
filters: | | |
kurl-addon: | |
- 'deploy/kurl/kotsadm/template/**' | |
- 'deploy/kurl/kotsadm/testgrid-os-spec.yaml' | |
validate-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' || needs.kurl-addon-changes-filter.outputs.ok-to-test == 'true' }} | |
needs: [ generate-tag, generate-kurl-addon, kurl-addon-changes-filter ] | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-test | |
with: | |
addon_version: ${{ steps.vars.outputs.addon_version }} | |
addon_package_url: "${{ needs.generate-kurl-addon.outputs.addon_package_url }}" | |
priority: ${{ github.ref_type != 'branch' && '1' || '0' }} | |
testgrid_api_token: ${{ secrets.TESTGRID_PROD_API_TOKEN }} | |
publish-kurl-addon: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.ref_type != 'branch' }} | |
needs: [ generate-tag, generate-kurl-addon ] | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.KURL_ADDONS_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.KURL_ADDONS_AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- name: set outputs | |
id: vars | |
run: | | |
addon_version=${{ needs.generate-tag.outputs.tag }} | |
echo "addon_version=${addon_version#v}" >> "$GITHUB_OUTPUT" | |
- uses: ./.github/actions/kurl-addon-kots-publisher | |
with: | |
ADDON_VERSION: ${{ steps.vars.outputs.addon_version }} | |
ADDON_PACKAGE_URL: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- run: aws s3 cp ./deploy/kurl/versions.json s3://kots-kurl-addons-production-1658439274 | |
generate-kots-release-notes-pr: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag] | |
if: github.ref_type != 'branch' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Generate KOTS Release Notes PR | |
env: | |
GIT_TAG: ${{ needs.generate-tag.outputs.tag }} | |
GH_PAT: ${{ secrets.GH_PAT }} | |
run: | | |
curl -H "Authorization: token $GH_PAT" \ | |
-H 'Accept: application/json' \ | |
-d "{\"event_type\": \"app-manager-release-notes\", \"client_payload\": {\"version\": \"${GIT_TAG}\" }}" \ | |
"https://api.github.com/repos/replicatedhq/replicated-docs/dispatches" | |
build-airgap: | |
runs-on: ubuntu-20.04 | |
if: github.ref_type != 'branch' | |
needs: [goreleaser, generate-tag, build-release] | |
steps: | |
- name: Download kotsadm release | |
uses: actions/download-artifact@v3 | |
with: | |
name: kotsadm-release | |
path: ./docker-archive | |
- name: Make kotsadm airgap archive with minio image | |
run: | | |
tar czf ./kotsadm.tar.gz -C ./ ./docker-archive | |
- name: Upload airgap bundle with minio image | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm.tar.gz | |
- name: Make kotsadm airgap archive without minio image | |
run: | | |
rm -rf ./docker-archive/minio | |
rm -f ./kotsadm.tar.gz | |
tar czf ./kotsadm-nominio.tar.gz -C ./ ./docker-archive | |
- name: Upload airgap bundle without minio image | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ needs.generate-tag.outputs.tag }} | |
files: ./kotsadm-nominio.tar.gz | |
regression-test-setup: | |
name: Run regression testing | |
if: github.ref_type == 'branch' | |
runs-on: ubuntu-latest | |
needs: [ generate-tag ] | |
outputs: | |
last_release_tag: ${{ steps.get_latest_release_tag.outputs.release }} | |
automation_id: ${{ steps.get_id.outputs.id }} | |
steps: | |
- name: Get latest release tag | |
id: get_latest_release_tag | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const { | |
data: { tag_name }, | |
} = await github.rest.repos.getLatestRelease({ | |
...context.repo, | |
}); | |
core.setOutput("release", tag_name); | |
- id: get_id | |
run: | | |
id=${{ github.sha }} | |
echo "id=${id:0:7}" >> "$GITHUB_OUTPUT" | |
regression-test: | |
if: github.ref_type == 'branch' | |
needs: [ regression-test-setup, generate-tag, build-kots, generate-kurl-addon, build-release ] | |
uses: ./.github/workflows/regression.yaml | |
with: | |
version_tag_old: ${{ needs.regression-test-setup.outputs.last_release_tag }} | |
version_tag_new: ${{ needs.generate-tag.outputs.tag }} | |
addon_package_url: ${{ needs.generate-kurl-addon.outputs.addon_package_url }} | |
id: ${{ needs.regression-test-setup.outputs.automation_id }} | |
secrets: | |
E2E_TESTIM_AWS_ACCESS_KEY_ID: ${{ secrets.E2E_TESTIM_AWS_ACCESS_KEY_ID }} | |
E2E_TESTIM_AWS_SECRET_ACCESS_KEY: ${{ secrets.E2E_TESTIM_AWS_SECRET_ACCESS_KEY }} | |
TESTIM_ACCESS_TOKEN: ${{ secrets.TESTIM_ACCESS_TOKEN }} | |
E2E_GH_PAT: ${{ secrets.E2E_GH_PAT }} | |
KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL: ${{ secrets.KOTS_BUILD_STATUS_SLACK_WEBHOOK_URL }} |