Skip to content
Fleet release

Set typos action version to v1.38.0 #181

Sign in to view logs

Set typos action version to v1.38.0

Set typos action version to v1.38.0 #181

Workflow file for this run

.github/workflows/release.yml at 4e1bbc3
# Fleet release workflow
name: Fleet release
on:
push:
tags:
- v**
workflow_dispatch:
permissions:
contents: write
packages: write
id-token: write # this is important, it's how we authenticate with Vault
env:
GOARCH: amd64
CGO_ENABLED: 0
jobs:
build-fleet:
runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
env:
IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
if: github.repository == 'rancher/fleet'
steps:
- name: Check out Fleet
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
with:
go-version-file: 'go.mod'
check-latest: true
- name: "Read Vault Secrets"
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/fossa/credential token | FOSSA_API_KEY
- name: Run FOSSA scan
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ env.FOSSA_API_KEY }}
- name: Run FOSSA tests
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ env.FOSSA_API_KEY }}
run-tests: false
- name: Install Ginkgo CLI
run: go install github.com/onsi/ginkgo/v2/ginkgo
- name: Check for code changes
continue-on-error: ${{ contains(github.ref, 'rc') }}
run: |
./.github/scripts/check-for-auto-generated-changes.sh
go mod verify
- name: Run unit tests
continue-on-error: ${{ contains(github.ref, 'rc') }}
run: go test -cover -tags=test $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)
- name: Run integration tests
continue-on-error: ${{ contains(github.ref, 'rc') }}
env:
SETUP_ENVTEST_VER: v0.0.0-20250218120612-6f6111124902
ENVTEST_K8S_VERSION: 1.32
run: ./.github/scripts/run-integration-tests.sh
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
- name: Install Cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- uses: rancherlabs/slsactl/actions/install-slsactl@98797bdd14674569903f0edf14a8052ad95422ba # v0.0.10
- name: "Read Vault Secrets"
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
- name: Prepare Docker environment to support sbom/provenance parameters
run: |
sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json'
sudo systemctl restart docker
- name: Log into Docker Container registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
if: ${{ env.IS_HOTFIX == 'false' }}
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Log into Staging registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
with:
username: ${{ env.STAGE_REGISTRY_USERNAME }}
password: ${{ env.STAGE_REGISTRY_PASSWORD }}
registry: ${{ env.STAGE_REGISTRY }}
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
id: goreleaser
with:
distribution: goreleaser
version: '~> v2'
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
# Workaround until `docker manifest create` supports provenance meta data
# Background: https://stackoverflow.com/questions/75521775/buildx-docker-image-claims-to-be-a-manifest-list
# Released images will eventually be moved into the Prime registry, hence their signatures must match that registry.
- name: Create Docker manifest for Staging and sign it for the Prime registry
shell: bash
env:
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
run: |
for IMAGE in fleet fleet-agent; do
URL="${{ env.STAGE_REGISTRY }}/rancher/${IMAGE}:${{ github.ref_name }}"
docker buildx imagetools create -t "${URL}" \
"${URL}-linux-amd64" \
"${URL}-linux-arm64"
cosign sign \
--oidc-provider=github-actions \
--yes \
--sign-container-identity="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}" \
"${URL}"
done
- name: Attest provenance
shell: bash
run: |
for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep STAGE_REGISTRY | sed "s/{{ .Env.STAGE_REGISTRY }}/${{ env.STAGE_REGISTRY }}/g" | sed "s/{{ .Tag }}/${{ github.ref_name }}/g"); do
# Extract Docker image reference plus digest from local image
URL=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}")
max_retries=3
retry_delay=5
for ((i=0; i<max_retries; i++)); do
if slsactl download provenance --format=slsav1 "${URL}" > provenance-slsav1.json; then
break
fi
if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Staging registry."
exit 1
fi
sleep "${retry_delay}"
done
cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
done
- name: Upload charts to release
if: ${{ env.IS_HOTFIX == 'false' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
repo: "rancher"
run: |
version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
tag=$(jq -r '.tag' <<< '${{ steps.goreleaser.outputs.metadata }}')
echo "publishing helm chart for (repo: $repo, tag: $tag, version: $version)"
# Replace rancher/fleet and rancher/fleet-agent and rancher/gitjob image names
sed -i \
-e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
-e "s/tag:.*/tag: $tag/" \
charts/fleet/values.yaml
sed -i \
-e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
-e "s/tag: dev/tag: $tag/" \
charts/fleet-agent/values.yaml
find charts/ -maxdepth 1 -mindepth 1 -type d -exec helm package --version="$version" --app-version="$version" -d ./dist {} \;
find dist/ -name '*.tgz' -exec gh release upload $tag {} +
- name: Add charts to branch
if: ${{ env.IS_HOTFIX == 'false' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
branch_version=v$(cut -d'.' -f1,2 <<< "$version")
charts_branch=charts/$branch_version
if [ ! -e ~/.gitconfig ]; then
git config --global user.name "fleet-bot"
git config --global user.email [email protected]
fi
echo "publishing helm chart in the branch $charts_branch"
if ! git ls-remote --exit-code --heads origin "$charts_branch"; then
git checkout --orphan "$charts_branch"
git rm -rf .
echo "# Fleet Helm Charts for $branch_version versions" > README.md
echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md
git checkout origin/main -- LICENSE .gitignore
git add README.md LICENSE .gitignore
git commit -m "Initial commit for $charts_branch"
else
git checkout .
git checkout "$charts_branch"
fi
mkdir -p charts
find dist/ -name '*.tgz' -exec tar -xf {} -C charts/ \;
git add charts/**/*
git commit -m "Update charts to version $version"
git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
git push origin "$charts_branch"