Merge pull request #967 from kubewarden/renovate/sigs.k8s.io-controll… #127

Workflow file for this run

.github/workflows/release.yml at 72547cc

	name: kubewarden-controller release
	on:
	push:
	tags:
	- "v*"

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	ci:
	uses: ./.github/workflows/ci.yml
	permissions: read-all

	build:
	name: Build container image, sign it
	permissions:
	packages: write
	id-token: write # to mint the OIDC token for Sigstore signatures
	runs-on: ubuntu-latest
	outputs:
	repository: ${{ steps.setoutput.outputs.repository }}
	tag: ${{ steps.setoutput.outputs.tag }}
	digest: ${{ steps.setoutput.outputs.digest }}
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	- name: Set up QEMU
	uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Retrieve tag name (tag)
	run: \|
	echo TAG_NAME=$(echo $GITHUB_REF \| sed -e "s\|refs/tags/\|\|") >> $GITHUB_ENV
	- name: Build and push container image
	id: build-image
	uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
	with:
	context: .
	file: ./Dockerfile
	platforms: linux/amd64, linux/arm64
	push: true
	sbom: true
	provenance: mode=max
	tags: \|
	ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
	- name: Sign container image
	run: \|
	cosign sign --yes \
	ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ steps.build-image.outputs.digest }}

	cosign verify \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	--certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
	ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ steps.build-image.outputs.digest }}
	- id: setoutput
	name: Set output parameters
	run: \|
	echo "repository=ghcr.io/${{github.repository_owner}}/kubewarden-controller" >> $GITHUB_OUTPUT
	echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT
	echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT

	attestation:
	name: Sign attestations and upload as artifacts
	needs: build
	strategy:
	matrix:
	arch: [amd64, arm64]
	permissions:
	packages: write
	id-token: write
	runs-on: ubuntu-latest
	steps:
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	- name: Install the crane command
	uses: kubewarden/github-actions/crane-installer@0c23eadfd96cc18828d477629a04cdfe7f2607ee # v3.4.5
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Find platform digest
	shell: bash
	run: \|
	set -e
	DIGEST=$(crane digest \
	--platform "linux/${{ matrix.arch }}" \
	ghcr.io/${{ github.repository_owner }}/kubewarden-controller@${{ needs.build.outputs.digest }})

	echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

	- name: Find attestation digest
	run: \|
	set -e
	DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ needs.build.outputs.digest }} \
	\| jq '.manifests[] \| select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") \| select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") \| .digest'
	)
	echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

	- name: Find provenance manifest digest
	run: \|
	set -e
	DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} \| \
	jq '.layers[] \| select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") \| .digest')
	echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

	- name: Sign provenance manifest
	run: \|
	cosign sign --yes \
	ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}

	cosign verify \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	--certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
	ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}

	- name: Find SBOM manifest layer digest
	run: \|
	set -e
	DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} \| \
	jq '.layers \| map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) \| map(.digest) \| join(" ")')
	echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

	- name: Download provenance and SBOM files
	run: \|
	set -e
	crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}} \
	> kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json
	sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json \
	>> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt

	crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} \
	> kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
	sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json \
	>> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt

	- name: Sign checksum file
	run: \|
	cosign sign-blob --yes \
	--bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
	kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt

	cosign verify-blob \
	--bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	--certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
	kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt

	- name: Upload SBOMs as artifacts
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: attestation-${{ matrix.arch }}
	path: kubewarden-controller-attestation-${{ matrix.arch }}*

	crds:
	name: Build CRDs
	runs-on: ubuntu-latest
	steps:
	- name: Install Golang
	uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
	with:
	go-version: "1.23"

	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Generate CRDs
	run: \|
	make generate-crds
	tar -czf CRDS.tar.gz -C generated-crds $(ls generated-crds)
	- name: Upload CRDs as artifacts
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: CRDS
	path: CRDS.tar.gz

	release:
	name: Create release

	needs:
	- ci
	- crds
	- build
	- attestation

	permissions:
	contents: write

	runs-on: ubuntu-latest

	steps:
	- name: Retrieve tag name
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	run: \|
	echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV

	- name: Get latest release tag
	id: get_last_release_tag
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	script: \|
	let release = await github.rest.repos.getLatestRelease({
	owner: context.repo.owner,
	repo: context.repo.repo,
	});

	if (release.status === 200 ) {
	core.setOutput('old_release_tag', release.data.tag_name)
	return
	}
	core.setFailed("Cannot find latest release")

	- name: Get release ID from the release created by release drafter
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	script: \|
	let releases = await github.rest.repos.listReleases({
	owner: context.repo.owner,
	repo: context.repo.repo,
	});
	for (const release of releases.data) {
	if (release.draft) {
	core.info(release)
	core.exportVariable('RELEASE_ID', release.id)
	return
	}
	}
	core.setFailed(`Draft release not found`)

	- name: Download attestation artifacts
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
	with:
	pattern: attestation-*
	merge-multiple: true

	- name: Download CRDs artifact
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
	with:
	name: CRDS

	- name: Display structure of downloaded files
	run: ls -R

	- name: Create tarball for the attestation files
	run: \|
	for arch in "amd64" "arm64"; do
	tar -czf attestation-$arch.tar.gz $(ls kubewarden-controller-attestation-$arch-*)
	done

	- name: Upload release assets
	id: upload_release_assets
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	script: \|
	let fs = require('fs');
	let path = require('path');

	let files = [
	'attestation-amd64.tar.gz',
	'attestation-arm64.tar.gz',
	"CRDS.tar.gz"]
	const {RELEASE_ID} = process.env

	for (const file of files) {
	let file_data = fs.readFileSync(file);

	let response = await github.rest.repos.uploadReleaseAsset({
	owner: context.repo.owner,
	repo: context.repo.repo,
	release_id: `${RELEASE_ID}`,
	name: path.basename(file),
	data: file_data,
	});
	// store the crds asset id used it in the helm chart update
	if (file === "CRDS.tar.gz") {
	core.setOutput('crds_asset_id', response.data.id)
	}
	}

	- name: Publish release
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	script: \|
	const {RELEASE_ID} = process.env
	const {TAG_NAME} = process.env
	isPreRelease = ${{ contains(github.ref_name, '-alpha') \|\| contains(github.ref_name, '-beta') \|\| contains(github.ref_name, '-rc') }}
	github.rest.repos.updateRelease({
	owner: context.repo.owner,
	repo: context.repo.repo,
	release_id: `${RELEASE_ID}`,
	draft: false,
	tag_name: `${TAG_NAME}`,
	name: `${TAG_NAME}`,
	prerelease: isPreRelease,
	make_latest: !isPreRelease
	});

	- name: Trigger chart update
	uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
	with:
	token: ${{ secrets.WORKFLOW_PAT }}
	repository: "${{github.repository_owner}}/helm-charts"
	event-type: update-chart
	client-payload: '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}", "crds_asset_id": "${{steps.upload_release_assets.outputs.crds_asset_id}}"}'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #967 from kubewarden/renovate/sigs.k8s.io-controll… #127

Workflow file

Merge pull request #967 from kubewarden/renovate/sigs.k8s.io-controll… #127

Jobs

Run details

Workflow file for this run