name: release on: push: tags: - 'v*' workflow_dispatch: inputs: tag: description: 'image tag prefix' default: 'rc' required: true permissions: contents: write # needed to write releases id-token: write # needed for keyless signing packages: write # needed for ghcr access env: CONTROLLER: ${{ github.event.repository.name }} jobs: build-push: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 - name: Setup Kustomize uses: fluxcd/pkg/actions/kustomize@main - name: Prepare id: prep run: | VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" if [[ $GITHUB_REF == refs/tags/* ]]; then VERSION=${GITHUB_REF/refs\/tags\//} fi echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - name: Setup QEMU uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Setup Docker Buildx id: buildx uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - name: Login to GitHub Container Registry uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: fluxcdbot password: ${{ secrets.GHCR_TOKEN }} - name: Login to Docker Hub uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: username: fluxcdbot password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} - name: Generate images meta id: meta uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0 with: images: | fluxcd/${{ env.CONTROLLER }} ghcr.io/fluxcd/${{ env.CONTROLLER }} tags: | type=raw,value=${{ steps.prep.outputs.VERSION }} - name: Publish images uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 with: sbom: true provenance: true push: true builder: ${{ steps.buildx.outputs.name }} context: . file: ./Dockerfile platforms: linux/amd64,linux/arm/v7,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Check images run: | docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1 - name: Sign images env: COSIGN_EXPERIMENTAL: 1 run: | cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - name: Generate release artifacts if: startsWith(github.ref, 'refs/tags/v') run: | mkdir -p config/release kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 - name: Create release and SBOM if: startsWith(github.ref, 'refs/tags/v') uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 with: version: latest args: release --release-notes=config/release/notes.md --rm-dist --skip-validate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}