From a53cc67cd49a83c19075788d34819429592798aa Mon Sep 17 00:00:00 2001
From: Charles Sibbald
Date: Thu, 2 Jan 2025 19:45:57 +0200
Subject: [PATCH 1/5] fix: enable uploads to ghcr.io, upload binaries to github
---
 .github/workflows/pr.yaml | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index c38bffbc66..f9ccbdffa3 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -11,8 +11,8 @@ permissions:
 contents: read # for actions/checkout to fetch code
 env:
- CI_CONTAINER_REGISTRY: europe-west1-docker.pkg.dev
- CI_CONTAINER_REPOSITORY: europe-west1-docker.pkg.dev/weave-gitops-clusters/weave-gitops
+ CI_CONTAINER_REGISTRY: ghcr.io
+ CI_CONTAINER_REPOSITORY: ghcr.io/weaveworks/weave-gitops
 name: PR CI Workflow
 jobs:
@@ -117,7 +117,7 @@ jobs:
 path: /tmp/${{ matrix.docker-image }}.tar
 ci-upload-images:
- name: CI Upload Images - Disabled
+ name: CI Upload Images
 runs-on: ubuntu-latest
 # Make sure we only upload images if tests etc have passed
 needs: [ci-go, ci-static, ci-js, ci-build-gitops-image, ci-generate-tag]
@@ -138,21 +138,15 @@ jobs:
 with:
 name: ${{ matrix.docker-image }}
 path: /tmp
-# - name: Authenticate to Google Cloud
-# id: gcloud-auth
-# uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
-# with:
-# service_account: ${{ secrets.service_account }}
-# workload_identity_provider: ${{ secrets.workload_identity_provider }}
-# - name: Login to gcloud for docker
-# run: gcloud --quiet auth configure-docker ${{ env.CI_CONTAINER_REGISTRY }}
-# - name: Push images to gcloud
-# run: |
-# docker load --input /tmp/${{ matrix.docker-image }}.tar
-# docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
+ - name: Login to ghcr
+ run: echo ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }} | docker login ghcr.io -u weaveworks --password-stdin
+ - name: Push images to gcloud
+ run: |
+ docker load --input /tmp/${{ matrix.docker-image }}.tar
+ docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
 ci-upload-binary:
- name: Upload Binary - Disabled
+ name: Upload Binary
 runs-on: ${{matrix.os}}
 needs: [ci-go, ci-static, ci-js, ci-build-gitops-image]
 strategy:
@@ -175,6 +169,15 @@ jobs:
 - name: build
 run: |
 make gitops
+ - name: publish to github artifacts
+ uses: softprops/action-gh-release@v2
+ if: startsWith(github.ref, 'refs/tags/')
+ with:
+ files: |
+ - Release.txt
+ - bin/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
+ - bin/gitops-server
+
 # - name: publish to s3
 # uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 # with:
From 64b42a34ad87802a4c97cdff4521181321410c03 Mon Sep 17 00:00:00 2001
From: Charles Sibbald
Date: Thu, 2 Jan 2025 20:59:08 +0200
Subject: [PATCH 2/5] Updated step name text
---
 .github/workflows/pr.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
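Review bot: The `Login to ghcr` step interpolates `secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN` straight into the `run:` script and echoes it unquoted, so the token is written into the generated shell script and any shell-special character in it breaks the pipeline. Pass it through the environment instead: `env:` / `GHCR_TOKEN: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}` and `run: echo "$GHCR_TOKEN" | docker login ${{ env.CI_CONTAINER_REGISTRY }} -u weaveworks --password-stdin`, which also reuses the registry variable this patch sets at the top of the file rather than a second literal `ghcr.io`. Because this is pr.yaml, confirm the trigger: under `pull_request` from a fork the secret is empty and the login simply fails, while `pull_request_target` would hand a long-lived bot PAT to PR-controlled code. If the package lives under the same owner, the job-scoped `secrets.GITHUB_TOKEN` with `packages: write` added to this job's `permissions` (the workflow-level block grants only `contents: read`) may be enough and avoids the PAT entirely.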
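Review bot: The `files:` block scalar in the `publish to github artifacts` step lists entries as `- Release.txt` / `- bin/...`, but `softprops/action-gh-release` reads `files` as newline-separated glob patterns, so the leading `- ` becomes part of each pattern and nothing is uploaded; write `bin/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}` and `bin/gitops-server` one per line without the dashes (patch 3 of this series drops Release.txt but keeps the prefix). The action is also referenced by the mutable tag `@v2` while the neighbouring actions in this file are pinned to a full commit SHA with a version comment (`aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2`); pin it the same way. Creating a release with the default token requires `contents: write`, and the workflow-level `permissions` earlier in this patch grants only `contents: read`, so unless this job overrides it the step will be refused. Finally, `if: startsWith(github.ref, 'refs/tags/')` is never true for a `pull_request` ref (`refs/pull/N/merge`), so check that this job's triggers include tag pushes; the `steps.gitsha` step it references lies outside the hunk.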
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index f9ccbdffa3..0f4a72d283 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -138,9 +138,9 @@ jobs:
 with:
 name: ${{ matrix.docker-image }}
 path: /tmp
- - name: Login to ghcr
+ - name: Login to GHCR
 run: echo ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }} | docker login ghcr.io -u weaveworks --password-stdin
- - name: Push images to gcloud
+ - name: Push images to GHCR
 run: |
 docker load --input /tmp/${{ matrix.docker-image }}.tar
 docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
From d0d8f2357bd55bc15c9885dd2e733f4d00de44cd Mon Sep 17 00:00:00 2001
From: Charles Sibbald
Date: Thu, 2 Jan 2025 21:05:29 +0200
Subject: [PATCH 3/5] remove non existent file from upload list
---
 .github/workflows/pr.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 0f4a72d283..de250d1017 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -174,7 +174,6 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
- - Release.txt
 - bin/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
 - bin/gitops-server
From af5313e6d767c2b56644aa07c1823a06bcfcc9d3 Mon Sep 17 00:00:00 2001
From: Charles Sibbald
Date: Thu, 2 Jan 2025 21:41:04 +0200
Subject: [PATCH 4/5] update release test check
---
 .github/workflows/prepare-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml
index e19b384a7f..5e8428cb48 100644
--- a/.github/workflows/prepare-release.yaml
+++ b/.github/workflows/prepare-release.yaml
@@ -44,7 +44,7 @@ jobs:
 jq '.version = "'$GITOPS_VERSION'"' < package.json > package-new.json
 mv package-new.json package.json
 yarn
- yarn test -- -u
+ yarn test -u
 git commit -am "Update javascript library version to $GITOPS_VERSION"
 - name: Update Chart
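Review bot: `yarn test -u` now passes `-u` to the test runner; if that runner is Jest (not visible here), `-u` is `--updateSnapshot`, so any snapshot that no longer matches is rewritten instead of failing, and the following `git commit -am "Update javascript library version to $GITOPS_VERSION"` commits the rewritten snapshots together with the version bump. If the step is meant to verify the bump, run `yarn test` without `-u` and let a snapshot mismatch block the release; if snapshot updates are genuinely expected here, add a comment above the line explaining why (e.g. `# -u: snapshots are expected to change with the version bump; review them in the PR`) so the flag is not later removed as an accident. The enclosing `run: |` block begins before this hunk.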
From b815b78768b213904a4efcd431cf46973c5f74aa Mon Sep 17 00:00:00 2001
From: Charles Sibbald
Date: Fri, 3 Jan 2025 11:08:25 +0200
Subject: [PATCH 5/5] Adding signing of artifacts to GoReleaser, as well as public key for users to validate signed artifacts
---
 .github/workflows/release.yaml | 11 +++++++++++
 keys/Weaveworks-Notary-Bot.pub.asc | 15 +++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 keys/Weaveworks-Notary-Bot.pub.asc
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 747e0a37f5..7c44b9ff20 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -126,6 +126,12 @@ jobs:
 run: |
 git fetch --prune --unshallow
 git fetch --tags -f
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.WEAVEWORKS_ORG_GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.WEAVEWORKS_ORG_GPG_PRIVATE_KEY_PASSPHRASE }}
 - name: Setup Go
 uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
 with:
@@ -166,6 +172,11 @@ jobs:
 BRANCH: ${{ env.BRANCH }}
 GORELEASER_PREVIOUS_TAG: ${{ env.GORELEASER_PREVIOUS_TAG }}
 GORELEASER_CURRENT_TAG: ${{ env.GORELEASER_CURRENT_TAG }}
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+
+ signs:
+ - artifacts: checksum
+ args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
 merge-pr:
 runs-on: ubuntu-latest
diff --git a/keys/Weaveworks-Notary-Bot.pub.asc b/keys/Weaveworks-Notary-Bot.pub.asc
new file mode 100644
index 0000000000..cef8d16c9f
--- /dev/null
+++ b/keys/Weaveworks-Notary-Bot.pub.asc
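Review bot: `uses: crazy-max/ghaction-import-gpg@v6` in the `Import GPG key` step references a third-party action by a mutable major tag, yet this is the step that receives the organisation's release-signing private key and its passphrase. The adjacent `actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0` shows the file's convention of pinning to a full commit SHA with a version comment, and that convention matters most for the one step that could exfiltrate the key; pin it as `uses: crazy-max/ghaction-import-gpg@<commit sha of the intended v6.x release> # v6.x`. A short comment on the step saying the imported key is consumed only by the GoReleaser step below, and that the matching public key is `keys/Weaveworks-Notary-Bot.pub.asc`, would help the next reader connect the two.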
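Review bot: The added `signs:` mapping (`- artifacts: checksum` plus the gpg `args`) is GoReleaser configuration, but this hunk puts it in `.github/workflows/release.yaml` right after the step's `env:` entries, where `signs` is not a valid workflow key and `{{ .Env.GPG_FINGERPRINT }}` is never templated; as far as the hunk shows, the workflow will fail validation and no artifact gets signed. Keep only `GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}` here and move the `signs:` block into the project's GoReleaser config file (wherever the repository keeps it — not visible in this patch), where `--batch -u {{ .Env.GPG_FINGERPRINT }}` can pick up the fingerprint exported by the import step. Signing only the `checksum` artifact is a reasonable choice provided users verify each binary against the signed checksum file, so document that verification flow alongside the published public key. The enclosing job continues outside the hunk.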
@@ -0,0 +1,15 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZ3ekVBYJKwYBBAHaRw8BAQdAVL/nyYue+WbwLsiY12Xd1iVUR872nULq+Xcb
+Y5esUT20WVdlYXZld29ya3MuT3JnIE5vdGFyeSBCb3QgKEF1dG9tYXRpb24ga2V5
+IGZvciByZWxlYXNlcyBvbiBHaXRIdWIpIDxub3RhcnlAd2VhdmV3b3Jrcy5vcmc+
+iJkEExYKAEEWIQRt2wWMZfiSESijWP5XJETOkMim+AUCZ3ekVAIbAwUJBi4IAAUL
+CQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBXJETOkMim+ATLAQDsd5Bzt81l
+b4JOMM+6NdM5QagGRdKUNWvDlvAR8xj4awD8CXqVZtzEnv/u4k/9LFbB+u+wYapH
+ptd/PzrMrz52HQi4OARnd6RUEgorBgEEAZdVAQUBAQdA1uqx0gwl4CoS7lmqf4Gu
+HrxM4ID3KYxH25/0tXOiGDoDAQgHiH4EGBYKACYWIQRt2wWMZfiSESijWP5XJETO
+kMim+AUCZ3ekVAIbDAUJBi4IAAAKCRBXJETOkMim+HNlAQDvvTHCmlWtKGpBSjFH
+rNkQZ1+pV9Pna56DLixCJYoS8gEAi0iy39QINrBFB/GnIYEnikeuJ5bxy1ENJNmd
+uOU0wQs=
+=KAYZ
+-----END PGP PUBLIC KEY BLOCK-----
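Review bot: The public key is committed without its fingerprint or any instructions for using it, so a reader cannot tell whether `keys/Weaveworks-Notary-Bot.pub.asc` is the key that produced a given release signature. Add a short README beside the key (or a section in the release notes) that states the key fingerprint as printed by `gpg --show-keys keys/Weaveworks-Notary-Bot.pub.asc`, gives the `gpg --verify <checksum file>.sig <checksum file>` command users run against a release, and notes that the fingerprint must match the `steps.import_gpg.outputs.fingerprint` used by the release workflow. Publishing the fingerprint through a second channel (release notes, project website) matters because anyone who can change this repository can also replace this file.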