mirror of
https://github.com/argoproj/argo-cd.git
synced 2026-04-01 14:28:48 +02:00
b8f85c9500
* better release notes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * work on fork Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * don't do unnecessary stuff Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * fix path Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * fix path Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * help debug Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * refactor, clean up Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * use a workspace to avoid touching the main go.mod Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --------- Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
306 lines
12 KiB
YAML
306 lines
12 KiB
YAML
name: Publish ArgoCD Release
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
- '!v2.4*'
|
|
- '!v2.5*'
|
|
- '!v2.6*'
|
|
|
|
permissions: {}
|
|
|
|
env:
|
|
# renovate: datasource=golang-version packageName=golang
|
|
GOLANG_VERSION: '1.23.2' # Note: go-version must also be set in job argocd-image.with.go-version
|
|
|
|
jobs:
|
|
argocd-image:
|
|
permissions:
|
|
contents: read
|
|
id-token: write # for creating OIDC tokens for signing.
|
|
packages: write # used to push images to `ghcr.io` if used.
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
uses: ./.github/workflows/image-reuse.yaml
|
|
with:
|
|
quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
|
|
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
|
|
# renovate: datasource=golang-version packageName=golang
|
|
go-version: 1.23.2
|
|
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
|
|
push: true
|
|
secrets:
|
|
quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
|
|
quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
|
|
|
|
argocd-image-provenance:
|
|
needs: [argocd-image]
|
|
permissions:
|
|
actions: read # for detecting the Github Actions environment.
|
|
id-token: write # for creating OIDC tokens for signing.
|
|
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
|
|
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
|
|
with:
|
|
image: quay.io/argoproj/argocd
|
|
digest: ${{ needs.argocd-image.outputs.image-digest }}
|
|
secrets:
|
|
registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
|
|
registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
|
|
|
|
goreleaser:
|
|
needs:
|
|
- argocd-image
|
|
- argocd-image-provenance
|
|
permissions:
|
|
contents: write # used for uploading assets
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
runs-on: ubuntu-22.04
|
|
outputs:
|
|
hashes: ${{ steps.hash.outputs.hashes }}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
|
|
with:
|
|
fetch-depth: 0
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Fetch all tags
|
|
run: git fetch --force --tags
|
|
|
|
- name: Setup Golang
|
|
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
|
with:
|
|
go-version: ${{ env.GOLANG_VERSION }}
|
|
|
|
- name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
|
|
run: |
|
|
set -xue
|
|
echo "GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go ${{ github.ref_name }})" >> $GITHUB_ENV
|
|
|
|
- name: Set environment variables for ldflags
|
|
id: set_ldflag
|
|
run: |
|
|
echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV
|
|
echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
|
|
|
|
- name: Free Disk Space (Ubuntu)
|
|
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
|
|
with:
|
|
large-packages: false
|
|
docker-images: false
|
|
swap-storage: false
|
|
tool-cache: false
|
|
|
|
- name: Run GoReleaser
|
|
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
|
|
id: run-goreleaser
|
|
with:
|
|
version: latest
|
|
args: release --clean --timeout 55m
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
|
|
GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
|
|
|
|
- name: Generate subject for provenance
|
|
id: hash
|
|
env:
|
|
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
|
|
if test "$hashes" = ""; then # goreleaser < v1.13.0
|
|
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
|
|
hashes=$(cat $checksum_file | base64 -w0)
|
|
fi
|
|
echo "hashes=$hashes" >> $GITHUB_OUTPUT
|
|
|
|
goreleaser-provenance:
|
|
needs: [goreleaser]
|
|
permissions:
|
|
actions: read # for detecting the Github Actions environment
|
|
id-token: write # Needed for provenance signing and ID
|
|
contents: write # Needed for release uploads
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
|
|
with:
|
|
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
|
|
provenance-name: "argocd-cli.intoto.jsonl"
|
|
upload-assets: true
|
|
|
|
generate-sbom:
|
|
name: Create SBOM and generate hash
|
|
needs:
|
|
- argocd-image
|
|
- goreleaser
|
|
permissions:
|
|
contents: write # Needed for release uploads
|
|
outputs:
|
|
hashes: ${{ steps.sbom-hash.outputs.hashes}}
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
|
|
with:
|
|
fetch-depth: 0
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Setup Golang
|
|
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
|
with:
|
|
go-version: ${{ env.GOLANG_VERSION }}
|
|
|
|
- name: Generate SBOM (spdx)
|
|
id: spdx-builder
|
|
env:
|
|
# defines the spdx/spdx-sbom-generator version to use.
|
|
SPDX_GEN_VERSION: v0.0.13
|
|
# defines the sigs.k8s.io/bom version to use.
|
|
SIGS_BOM_VERSION: v0.2.1
|
|
# comma delimited list of project relative folders to inspect for package
|
|
# managers (gomod, yarn, npm).
|
|
PROJECT_FOLDERS: ".,./ui"
|
|
# full qualified name of the docker image to be inspected
|
|
DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
|
|
run: |
|
|
yarn install --cwd ./ui
|
|
go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
|
|
go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
|
|
|
|
# Generate SPDX for project dependencies analyzing package managers
|
|
for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
|
|
do
|
|
generator -p $folder -o /tmp
|
|
done
|
|
|
|
# Generate SPDX for binaries analyzing the docker image
|
|
if [[ ! -z $DOCKER_IMAGE ]]; then
|
|
bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
|
|
fi
|
|
|
|
cd /tmp && tar -zcf sbom.tar.gz *.spdx
|
|
|
|
- name: Generate SBOM hash
|
|
shell: bash
|
|
id: sbom-hash
|
|
run: |
|
|
# sha256sum generates sha256 hash for sbom.
|
|
# base64 -w0 encodes to base64 and outputs on a single line.
|
|
# sha256sum /tmp/sbom.tar.gz ... | base64 -w0
|
|
echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload SBOM
|
|
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
files: |
|
|
/tmp/sbom.tar.gz
|
|
|
|
sbom-provenance:
|
|
needs: [generate-sbom]
|
|
permissions:
|
|
actions: read # for detecting the Github Actions environment
|
|
id-token: write # Needed for provenance signing and ID
|
|
contents: write # Needed for release uploads
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
|
|
with:
|
|
base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
|
|
provenance-name: "argocd-sbom.intoto.jsonl"
|
|
upload-assets: true
|
|
|
|
post-release:
|
|
needs:
|
|
- argocd-image
|
|
- goreleaser
|
|
- generate-sbom
|
|
permissions:
|
|
contents: write # Needed to push commit to update stable tag
|
|
pull-requests: write # Needed to create PR for VERSION update.
|
|
if: github.repository == 'argoproj/argo-cd'
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
|
|
with:
|
|
fetch-depth: 0
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Setup Git author information
|
|
run: |
|
|
set -ue
|
|
git config --global user.email 'ci@argoproj.com'
|
|
git config --global user.name 'CI'
|
|
|
|
- name: Check if tag is the latest version and not a pre-release
|
|
run: |
|
|
set -xue
|
|
# Fetch all tag information
|
|
git fetch --prune --tags --force
|
|
|
|
LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
|
|
|
|
PRE_RELEASE=false
|
|
# Check if latest tag is a pre-release
|
|
if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
|
|
PRE_RELEASE=true
|
|
fi
|
|
|
|
# Ensure latest tag matches github.ref_name & not a pre-release
|
|
if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
|
|
echo "TAG_STABLE=true" >> $GITHUB_ENV
|
|
else
|
|
echo "TAG_STABLE=false" >> $GITHUB_ENV
|
|
fi
|
|
|
|
- name: Update stable tag to latest version
|
|
run: |
|
|
git tag -f stable ${{ github.ref_name }}
|
|
git push -f origin stable
|
|
if: ${{ env.TAG_STABLE == 'true' }}
|
|
|
|
- name: Check to see if VERSION should be updated on master branch
|
|
run: |
|
|
set -xue
|
|
SOURCE_TAG=${{ github.ref_name }}
|
|
VERSION_REF="${SOURCE_TAG#*v}"
|
|
COMMIT_HASH=$(git rev-parse HEAD)
|
|
if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1';then
|
|
VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}")
|
|
echo "Updating VERSION to: $VERSION"
|
|
echo "UPDATE_VERSION=true" >> $GITHUB_ENV
|
|
echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
|
|
echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
|
|
else
|
|
echo "Not updating VERSION"
|
|
echo "UPDATE_VERSION=false" >> $GITHUB_ENV
|
|
fi
|
|
|
|
- name: Update VERSION on master branch
|
|
run: |
|
|
echo ${{ env.NEW_VERSION }} > VERSION
|
|
# Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
|
|
sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
|
|
# Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
|
|
sed -i "s/commit-hash: .*/commit-hash: ${{ env.COMMIT_HASH }}/" SECURITY-INSIGHTS.yml
|
|
if: ${{ env.UPDATE_VERSION == 'true' }}
|
|
|
|
- name: Create PR to update VERSION on master branch
|
|
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
|
|
with:
|
|
commit-message: Bump version in master
|
|
title: "chore: Bump version in master"
|
|
body: All images built from master should indicate which version we are on track for.
|
|
signoff: true
|
|
branch: update-version
|
|
branch-suffix: random
|
|
base: master
|
|
if: ${{ env.UPDATE_VERSION == 'true' }}
|