Track UID of existing bundle deployment to prevent orphaning on failu… #194
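# Fleet release workflow
#
# Runs on every `v*` tag push (or a manual dispatch) and, in order: checks the
# Rancher code-freeze state for alpha/beta tags, runs FOSSA scans and the
# unit/integration tests, builds and pushes images with GoReleaser to the
# Staging registry, signs the multi-arch manifests for the Prime registry,
# attaches SLSA provenance, and publishes the Helm charts both as release
# assets and to a `charts/vX.Y` branch.
name: Fleet release
on:
  push:
    tags:
      - v**
  workflow_dispatch:
permissions:
  contents: write
  packages: write
  id-token: write # this is important, it's how we authenticate with Vault
env:
  GOARCH: amd64
  CGO_ENABLED: 0
jobs:
  build-fleet:
    runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
    env:
      # Hotfix tags are only published to the Staging registry (see the
      # Docker Hub login and chart upload steps guarded by this flag).
      IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
    if: github.repository == 'rancher/fleet'
    steps:
      - name: Check out Fleet
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Verify Rancher is not in code freeze (alpha/beta only)
        # `shell: bash` turns on pipefail. Without it a failed `curl -sf` in the
        # pipelines below is masked by the trailing `cut`/`jq` exit status, so
        # the "release branch not found" branch could never be taken and a
        # missing branch was reported as a code-freeze mismatch instead.
        shell: bash
        run: |
          set -x
          FLEET_VERSION="${GITHUB_REF_NAME#v}"
          if [[ ! "${FLEET_VERSION}" =~ (alpha|beta) ]]; then
            echo "Skipping code freeze check for non-alpha/beta release"
            exit 0
          fi
          # Fleet minor N is paired with Rancher 2.(N-1).
          FLEET_MINOR=$(echo "${FLEET_VERSION}" | cut -d'.' -f2)
          RANCHER_VERSION="2.$((FLEET_MINOR - 1))"
          if ! CHART_DEFAULT_BRANCH=$(curl -sf "https://raw.githubusercontent.com/rancher/rancher/release/v${RANCHER_VERSION}/package/Dockerfile" | grep "ARG CHART_DEFAULT_BRANCH=" | cut -d'=' -f2); then
            echo "Release branch release/v${RANCHER_VERSION} not found, assuming main branch which can not be in code freeze"
            exit 0
          fi
          if [[ "${CHART_DEFAULT_BRANCH}" != "dev-v${RANCHER_VERSION}" ]]; then
            echo "ERROR: CHART_DEFAULT_BRANCH does not match the expected dev branch!"
            exit 1
          fi
          # Fail open when the releases API is unreachable (`|| true`), as the
          # original did; `// empty` turns "no matching release" into an empty
          # string instead of the literal "null" so the check below fires.
          LATEST_RANCHER_RELEASE=$(curl -sf "https://api.github.com/repos/rancher/rancher/releases" | jq -r "[.[] | select(.tag_name | startswith(\"v${RANCHER_VERSION}.\"))] | first | .tag_name // empty" || true)
          if [ -z "${LATEST_RANCHER_RELEASE}" ]; then
            echo "No Rancher ${RANCHER_VERSION}.x release found, assuming pre-release state"
            exit 0
          fi
          if [[ "${LATEST_RANCHER_RELEASE}" =~ -rc ]]; then
            echo "ERROR: Latest Rancher ${RANCHER_VERSION}.x release is an RC (${LATEST_RANCHER_RELEASE}), indicating code freeze!"
            exit 1
          fi
      - name: Set up Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: "Read Vault Secrets"
        # NOTE(review): the only action in this workflow that is not pinned to a
        # commit SHA; `@main` is a mutable ref. Pin it like the others
        # (rancher-eio/read-vault-secrets@<commit-sha> # <tag>).
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/fossa/credential token | FOSSA_API_KEY
      - name: Run FOSSA scan
        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
        with:
          api-key: ${{ env.FOSSA_API_KEY }}
      - name: Run FOSSA tests
        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
        with:
          api-key: ${{ env.FOSSA_API_KEY }}
          run-tests: false
      - name: Install Ginkgo CLI
        run: go install github.com/onsi/ginkgo/v2/ginkgo
      - name: Check for code changes
        # Release candidates are allowed to proceed despite failures here.
        continue-on-error: ${{ contains(github.ref, 'rc') }}
        run: |
          ./.github/scripts/check-for-auto-generated-changes.sh
          go mod verify
      - name: Run unit tests
        continue-on-error: ${{ contains(github.ref, 'rc') }}
        run: go test -cover -tags=test $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)
      - name: Run integration tests
        continue-on-error: ${{ contains(github.ref, 'rc') }}
        env:
          SETUP_ENVTEST_VER: v0.0.0-20250218120612-6f6111124902
          # Quoted so a future value like 1.30 is not parsed as the float 1.3.
          ENVTEST_K8S_VERSION: "1.32"
        run: ./.github/scripts/run-integration-tests.sh
      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - uses: rancherlabs/slsactl/actions/install-slsactl@19ddea7b1a42a888d57bf5dd2fe0c6926cac8b06 # v0.0.19
      - name: "Read Vault Secrets"
        # NOTE(review): unpinned mutable ref, see the first Vault step above.
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
      - name: Prepare Docker environment to support sbom/provenance parameters
        run: |
          sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json'
          sudo systemctl restart docker
      - name: Log into Docker Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
        if: ${{ env.IS_HOTFIX == 'false' }}
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Log into Staging registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
        with:
          username: ${{ env.STAGE_REGISTRY_USERNAME }}
          password: ${{ env.STAGE_REGISTRY_PASSWORD }}
          registry: ${{ env.STAGE_REGISTRY }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
        id: goreleaser
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean --verbose
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
          STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
          PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
      # Workaround until `docker manifest create` supports provenance meta data
      # Background: https://stackoverflow.com/questions/75521775/buildx-docker-image-claims-to-be-a-manifest-list
      # Released images will eventually be moved into the Prime registry, hence their signatures must match that registry.
      - name: Create Docker manifest for Staging and sign it for the Prime registry
        shell: bash
        env:
          STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
          PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
          # The ref name is passed through the environment instead of being
          # expanded with ${{ }} into the script text, so that it is only ever
          # seen by bash as data (quoted variable), never as code.
          TAG: ${{ github.ref_name }}
        run: |
          for IMAGE in fleet fleet-agent; do
            URL="${STAGE_REGISTRY}/rancher/${IMAGE}:${TAG}"
            docker buildx imagetools create -t "${URL}" \
              "${URL}-linux-amd64" \
              "${URL}-linux-arm64"
            cosign sign \
              --oidc-provider=github-actions \
              --yes \
              --sign-container-identity="${PRIME_REGISTRY}/rancher/${IMAGE}" \
              "${URL}"
            # Pull the manifest locally to make it available for inspection
            docker pull "${URL}"
          done
      - name: Attest provenance
        shell: bash
        env:
          STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
          # See the manifest step: kept out of the script text on purpose.
          TAG: ${{ github.ref_name }}
        run: |
          # Resolve the per-arch staging image names from the GoReleaser
          # config, substituting the template variables GoReleaser used.
          # `|` is the sed delimiter because a registry may contain `/`.
          IMAGES=$(yq e '.dockers[].image_templates[0]' .goreleaser.yaml \
            | grep STAGE_REGISTRY \
            | sed "s|{{ .Env.STAGE_REGISTRY }}|${STAGE_REGISTRY}|g" \
            | sed "s|{{ .Tag }}|${TAG}|g")
          max_retries=3
          retry_delay=5
          for IMG_NAME in $IMAGES; do
            # Extract Docker image reference plus digest from local image
            URL=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}")
            # The platform follows from the `-linux-<arch>` image suffix and does
            # not change between retries, so it is computed once per image.
            if [[ "${IMG_NAME}" =~ -linux-([^-]+)$ ]]; then
              PLATFORM="linux/${BASH_REMATCH[1]}"
            else
              PLATFORM="linux/amd64"
            fi
            # The provenance may not be visible in the registry immediately
            # after the push; retry a few times before giving up.
            for ((i=0; i<max_retries; i++)); do
              if slsactl download provenance --format=slsav1 --platform="${PLATFORM}" "${URL}" > provenance-slsav1.json; then
                break
              fi
              if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
                echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Staging registry."
                exit 1
              fi
              sleep "${retry_delay}"
            done
            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
          done
      - name: Upload charts to release
        if: ${{ env.IS_HOTFIX == 'false' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GoReleaser's metadata JSON is read through the environment: inlining
          # it with ${{ }} inside a single-quoted here-string would let a quote
          # in the tag name terminate the string early.
          GORELEASER_METADATA: ${{ steps.goreleaser.outputs.metadata }}
          repo: "rancher"
        run: |
          version=$(jq -r '.version' <<< "$GORELEASER_METADATA")
          tag=$(jq -r '.tag' <<< "$GORELEASER_METADATA")
          echo "publishing helm chart for (repo: $repo, tag: $tag, version: $version)"
          # Replace rancher/fleet and rancher/fleet-agent and rancher/gitjob image names
          sed -i \
            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
            -e "s/tag:.*/tag: $tag/" \
            charts/fleet/values.yaml
          sed -i \
            -e "s@repository: rancher/\(fleet.*\|gitjob\).*@repository: $repo/\\1@" \
            -e "s/tag: dev/tag: $tag/" \
            charts/fleet-agent/values.yaml
          find charts/ -maxdepth 1 -mindepth 1 -type d -exec helm package --version="$version" --app-version="$version" -d ./dist {} \;
          find dist/ -name '*.tgz' -exec gh release upload "$tag" {} +
      - name: Add charts to branch
        if: ${{ env.IS_HOTFIX == 'false' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # See the upload step above for why this goes through the environment.
          GORELEASER_METADATA: ${{ steps.goreleaser.outputs.metadata }}
        run: |
          version=$(jq -r '.version' <<< "$GORELEASER_METADATA")
          # Charts are published per minor version: v1.2.3 -> charts/v1.2
          branch_version=v$(cut -d'.' -f1,2 <<< "$version")
          charts_branch=charts/$branch_version
          if [ ! -e ~/.gitconfig ]; then
            git config --global user.name "fleet-bot"
            # NOTE(review): the bot address below was redacted by the page this
            # file was copied from; restore the real fleet-bot e-mail here.
            git config --global user.email [email protected]
          fi
          echo "publishing helm chart in the branch $charts_branch"
          if ! git ls-remote --exit-code --heads origin "$charts_branch"; then
            # First release of this minor: start an orphan branch holding only
            # a README, the LICENSE and .gitignore.
            git checkout --orphan "$charts_branch"
            git rm -rf .
            echo "# Fleet Helm Charts for $branch_version versions" > README.md
            echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md
            git checkout origin/main -- LICENSE .gitignore
            git add README.md LICENSE .gitignore
            git commit -m "Initial commit for $charts_branch"
          else
            git checkout .
            git checkout "$charts_branch"
          fi
          mkdir -p charts
          find dist/ -name '*.tgz' -exec tar -xf {} -C charts/ \;
          git add charts/**/*
          git commit -m "Update charts to version $version"
          # NOTE(review): this writes the token into .git/config of the runner
          # workspace for the push below; the checkout action normally already
          # persists a credential for this repository — verify whether the
          # set-url is still needed.
          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
          git push origin "$charts_branch"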