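# Builds the Argo CD container image for pull requests and for pushes to master.
# On push it also publishes the image to Quay and GHCR (via image-reuse.yaml),
# attaches SLSA provenance to the GHCR image, and bumps the image tag in
# argoproj/argoproj-deployments.
name: Image

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
    # labeled/unlabeled are listed so toggling the 'test-multi-image' label
    # re-runs the build with the full platform list (see the set-vars job).
    types: [labeled, unlabeled, opened, synchronize, reopened]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# No default token scopes; every job declares the minimum it needs.
permissions: {}

jobs:
  set-vars:
    # Always run to calculate variables - other jobs check outputs
    permissions:
      contents: read
    runs-on: ubuntu-24.04
    outputs:
      image-tag: ${{ steps.image.outputs.tag }}
      platforms: ${{ steps.platforms.outputs.platforms }}
      image_namespace: ${{ steps.image.outputs.image_namespace }}
      image_repository: ${{ steps.image.outputs.image_repository }}
      quay_image_name: ${{ steps.image.outputs.quay_image_name }}
      ghcr_image_name: ${{ steps.image.outputs.ghcr_image_name }}
      ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
      allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set image tag and names
        id: image
        # Expression results are handed to the script through env instead of being
        # spliced into it with ${{ }}, so the shell treats them as data, never as code.
        env:
          IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
          IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
          GHCR_NAMESPACE: ${{ vars.GHCR_NAMESPACE || github.repository }}
          GHCR_REPOSITORY: ${{ vars.GHCR_REPOSITORY || 'argocd' }}
        run: |
          # Image tag: contents of ./VERSION plus the first 8 characters of the commit SHA
          TAG="$(cat ./VERSION)-${GITHUB_SHA::8}"
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"

          echo "image_namespace=$IMAGE_NAMESPACE" >> "$GITHUB_OUTPUT"
          echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT"

          # The Quay image name always carries the moving 'latest' tag
          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:latest" >> "$GITHUB_OUTPUT"

          # Only the upstream repository may publish under ghcr.io/argoproj/*; a fork
          # must point GHCR_NAMESPACE elsewhere, otherwise GHCR publishing is disabled
          # and the ghcr_* outputs are left empty.
          ALLOW_GHCR_PUBLISH=false
          if [[ "$GITHUB_REPOSITORY" == "argoproj/argo-cd" || "$GHCR_NAMESPACE" != argoproj/* ]]; then
            ALLOW_GHCR_PUBLISH=true
            echo "ghcr_image_name=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY:$TAG" >> "$GITHUB_OUTPUT"
            echo "ghcr_provenance_image=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY" >> "$GITHUB_OUTPUT"
          else
            echo "GhCR publish skipped: refusing to push to namespace '$GHCR_NAMESPACE'. Please override GHCR_* for forks." >&2
            echo "ghcr_image_name=" >> "$GITHUB_OUTPUT"
            echo "ghcr_provenance_image=" >> "$GITHUB_OUTPUT"
          fi
          echo "allow_ghcr_publish=$ALLOW_GHCR_PUBLISH" >> "$GITHUB_OUTPUT"

      - name: Determine image platforms to use
        id: platforms
        env:
          # 'true' when the PR carries the 'test-multi-image' label
          MULTI_IMAGE_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}
        run: |
          # Pull requests build amd64 only unless the label asks for the full set;
          # pushes to master always build every platform.
          IMAGE_PLATFORMS=linux/amd64
          if [[ "$GITHUB_EVENT_NAME" == "push" || "$MULTI_IMAGE_LABEL" == "true" ]]; then
            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
          fi
          echo "Building image for platforms: $IMAGE_PLATFORMS"
          echo "platforms=$IMAGE_PLATFORMS" >> "$GITHUB_OUTPUT"

  # Pull-request path: build without pushing.
  build-only:
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name != 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.26.0
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

  # Push-to-master path: build and push to Quay (latest) and GHCR (versioned tag).
  build-and-publish:
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: ${{ needs.set-vars.outputs.quay_image_name }}
      ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.26.0
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
      ghcr_username: ${{ github.actor }}
      ghcr_password: ${{ secrets.GITHUB_TOKEN }}

  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
    needs:
      - set-vars
      - build-and-publish
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Skipped entirely when set-vars decided GHCR publishing is not allowed,
    # since there would be no image to attest.
    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' && needs.set-vars.outputs.allow_ghcr_publish == 'true' }}
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ needs.set-vars.outputs.ghcr_provenance_image }}
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  # Upstream only: point argoproj-deployments at the image that was just pushed.
  Deploy:
    needs:
      - build-and-publish
      - set-vars
    permissions:
      # NOTE(review): the upgrade commit is pushed to argoproj-deployments with
      # secrets.TOKEN, not with GITHUB_TOKEN; confirm whether 'read' would suffice here.
      contents: write # for git to push upgrade commit if not already deployed
      # NOTE(review): this job only pulls the image; confirm write is still required.
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # The token becomes part of the clone's origin URL (.git/config) so the
      # later 'git push' can authenticate; it lives only on this ephemeral runner.
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
      - env:
          # The image build-and-publish pushed: ghcr.io/argoproj/argo-cd/argocd:<tag>
          # unless the GHCR_* repository variables override the defaults. Passed via
          # env rather than ${{ }} so the shell never parses the value as code.
          IMAGE: ${{ needs.set-vars.outputs.ghcr_image_name }}
          IMAGE_TAG: ${{ needs.set-vars.outputs.image-tag }}
        run: |
          # Rewrite the kustomization to the new image, using kustomize from the image itself
          docker run -u "$(id -u):$(id -g)" -v "$(pwd):/src" -w /src --rm -t "$IMAGE" \
            kustomize edit set image "quay.io/argoproj/argocd=$IMAGE"
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
          # No diff means this tag is already deployed; otherwise commit and push the bump
          git diff --exit-code && echo 'Already deployed' || (git commit -am "Upgrade argocd to $IMAGE_TAG" && git push)
        working-directory: argoproj-deployments/argocd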