on: release: types: - published name: Build Release permissions: contents: read jobs: release-assests: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: release kubectl-karmada runs-on: ubuntu-22.04 strategy: matrix: target: - karmadactl - kubectl-karmada os: - linux - darwin arch: - amd64 - arm64 steps: - uses: actions/checkout@v4 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: go.mod - name: Making and packaging env: GOOS: ${{ matrix.os }} GOARCH: ${{ matrix.arch }} run: make release-${{ matrix.target }} - name: upload cli uses: actions/upload-artifact@v4 with: name: cli-${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz path: _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz - name: Uploading assets... if: ${{ !env.ACT }} uses: softprops/action-gh-release@v2 with: files: | _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256 generate-subject-for-cli-provenance: needs: [release-assests] runs-on: ubuntu-22.04 outputs: hashes: ${{ steps.hash.outputs.hashes }} steps: - name: download cli uses: actions/download-artifact@v4 with: path: _output/release pattern: cli-* merge-multiple: true - name: generate cli hash id: hash run: | cd _output/release # sha256sum generates sha256 hash for cli. # base64 -w0 encodes to base64 and outputs on a single line. echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT" cli-provenance: needs: [generate-subject-for-cli-provenance] permissions: actions: read # for detecting the Github Actions environment id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: "${{ needs.generate-subject-for-cli-provenance.outputs.hashes }}" provenance-name: "karmada-cli.intoto.jsonl" upload-assets: true release-crds-assests: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: release crds outputs: hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Rename the crds directory run: | mv ./charts/karmada/_crds ./charts/karmada/crds - name: Tar the crds uses: a7ul/tar-action@v1.2.0 with: command: c cwd: ./charts/karmada/ files: crds outPath: crds.tar.gz - name: generate crds hash id: hash run: | # sha256sum generates sha256 hash for crds. # base64 -w0 encodes to base64 and outputs on a single line. echo "hashes=$(sha256sum crds.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" - name: Uploading crd assets... uses: softprops/action-gh-release@v2 with: files: | crds.tar.gz crds-provenance: needs: [release-crds-assests] permissions: actions: read # for detecting the Github Actions environment id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: "${{ needs.release-crds-assests.outputs.hashes }}" provenance-name: "karmada-crds.intoto.jsonl" upload-assets: true release-charts: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: Release charts outputs: hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Making helm charts env: VERSION: ${{ github.ref_name }} run: make package-chart - name: Uploading assets... if: ${{ !env.ACT }} uses: softprops/action-gh-release@v2 with: files: | _output/charts/karmada-chart-${{ github.ref_name }}.tgz _output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256 _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256 - name: generate charts hash id: hash run: | cd _output/charts echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT" charts-provenance: needs: [release-charts] permissions: actions: read # for detecting the Github Actions environment id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: "${{ needs.release-charts.outputs.hashes }}" provenance-name: "karmada-charts.intoto.jsonl" upload-assets: true sbom-assests: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: Release sbom outputs: hashes: ${{ steps.sbom-hash.outputs.hashes}} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Generate sbom for karmada file system uses: aquasecurity/trivy-action@0.29.0 with: scan-type: 'fs' format: 'spdx' output: 'sbom-karmada.spdx' scan-ref: "${{ github.workspace }}/" - name: Tar the sbom files run: | tar -zcf sbom.tar.gz *.spdx - name: Generate SBOM hash shell: bash id: sbom-hash run: | # sha256sum generates sha256 hash for sbom. # base64 -w0 encodes to base64 and outputs on a single line. echo "hashes=$(sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" - name: Uploading sbom assets... uses: softprops/action-gh-release@v2 with: files: | sbom.tar.gz sbom-provenance: needs: [sbom-assests] permissions: actions: read # for detecting the Github Actions environment id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: "${{ needs.sbom-assests.outputs.hashes }}" provenance-name: "karmada-sbom.intoto.jsonl" upload-assets: true update-krew-index: env: GH_TOKEN: ${{ github.token }} needs: - release-assests # prevent job running from forked repository, otherwise # 1. running on the forked repository would use unnecessary GitHub Action time. # 2. running on the forked repository would open a PR to publish an inaccurate version of karmada in repo kubernetes-sigs/krew-index. if: ${{ github.repository == 'karmada-io/karmada' }} name: Update krew-index runs-on: ubuntu-22.04 steps: - name: get latest tag id: get-latest-tag run: | export LATEST_TAG=`gh api repos/karmada-io/karmada/releases/latest | jq -r '.tag_name'` echo "Got the latest tag:$LATEST_TAG" echo "event.tag:"${{ github.event.release.tag_name }} echo "latestTag=$LATEST_TAG" >> "$GITHUB_OUTPUT" - uses: actions/checkout@v4 if: steps.get-latest-tag.outputs.latestTag == github.event.release.tag_name - name: Update new version in krew-index if: steps.get-latest-tag.outputs.latestTag == github.event.release.tag_name uses: rajatjindal/krew-release-bot@v0.0.47