change sync strategy for rollback #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish ArgoCD Release | |
on: | |
push: | |
tags: | |
- 'v*' | |
- '!v2.4*' | |
- '!v2.5*' | |
- '!v2.6*' | |
permissions: {} | |
env: | |
GOLANG_VERSION: '1.21' # Note: go-version must also be set in job argocd-image.with.go-version | |
jobs: | |
argocd-image: | |
permissions: | |
contents: read | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # used to push images to `ghcr.io` if used. | |
if: github.repository == 'argoproj/argo-cd' | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
go-version: 1.21 | |
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
push: true | |
secrets: | |
quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
argocd-image-provenance: | |
needs: [argocd-image] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
if: github.repository == 'argoproj/argo-cd' | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: quay.io/argoproj/argocd | |
digest: ${{ needs.argocd-image.outputs.image-digest }} | |
secrets: | |
registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
goreleaser: | |
needs: | |
- argocd-image | |
- argocd-image-provenance | |
permissions: | |
contents: write # used for uploading assets | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Fetch all tags | |
run: git fetch --force --tags | |
- name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in realease branches. | |
run: | | |
set -xue | |
if echo ${{ github.ref_name }} | grep -E -- '-rc1+$';then | |
echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> $GITHUB_ENV | |
else | |
echo "This is not the first release on the branch, Using GoReleaser defaults" | |
fi | |
- name: Setup Golang | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0 | |
with: | |
go-version: ${{ env.GOLANG_VERSION }} | |
- name: Set environment variables for ldflags | |
id: set_ldflag | |
run: | | |
echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV | |
echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91 | |
with: | |
large-packages: false | |
docker-images: false | |
swap-storage: false | |
tool-cache: false | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 | |
id: run-goreleaser | |
with: | |
version: latest | |
args: release --clean --timeout 55m | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} | |
GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }} | |
- name: Generate subject for provenance | |
id: hash | |
env: | |
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
run: | | |
set -euo pipefail | |
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) | |
if test "$hashes" = ""; then # goreleaser < v1.13.0 | |
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | |
hashes=$(cat $checksum_file | base64 -w0) | |
fi | |
echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
goreleaser-provenance: | |
needs: [goreleaser] | |
permissions: | |
actions: read # for detecting the Github Actions environment | |
id-token: write # Needed for provenance signing and ID | |
contents: write # Needed for release uploads | |
if: github.repository == 'argoproj/argo-cd' | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" | |
provenance-name: "argocd-cli.intoto.jsonl" | |
upload-assets: true | |
generate-sbom: | |
name: Create SBOM and generate hash | |
needs: | |
- argocd-image | |
- goreleaser | |
permissions: | |
contents: write # Needed for release uploads | |
outputs: | |
hashes: ${{ steps.sbom-hash.outputs.hashes}} | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Golang | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version: ${{ env.GOLANG_VERSION }} | |
- name: Generate SBOM (spdx) | |
id: spdx-builder | |
env: | |
# defines the spdx/spdx-sbom-generator version to use. | |
SPDX_GEN_VERSION: v0.0.13 | |
# defines the sigs.k8s.io/bom version to use. | |
SIGS_BOM_VERSION: v0.2.1 | |
# comma delimited list of project relative folders to inspect for package | |
# managers (gomod, yarn, npm). | |
PROJECT_FOLDERS: ".,./ui" | |
# full qualified name of the docker image to be inspected | |
DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }} | |
run: | | |
yarn install --cwd ./ui | |
go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION | |
go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION | |
# Generate SPDX for project dependencies analyzing package managers | |
for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g") | |
do | |
generator -p $folder -o /tmp | |
done | |
# Generate SPDX for binaries analyzing the docker image | |
if [[ ! -z $DOCKER_IMAGE ]]; then | |
bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE | |
fi | |
cd /tmp && tar -zcf sbom.tar.gz *.spdx | |
- name: Generate SBOM hash | |
shell: bash | |
id: sbom-hash | |
run: | | |
# sha256sum generates sha256 hash for sbom. | |
# base64 -w0 encodes to base64 and outputs on a single line. | |
# sha256sum /tmp/sbom.tar.gz ... | base64 -w0 | |
echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- name: Upload SBOM | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
files: | | |
/tmp/sbom.tar.gz | |
sbom-provenance: | |
needs: [generate-sbom] | |
permissions: | |
actions: read # for detecting the Github Actions environment | |
id-token: write # Needed for provenance signing and ID | |
contents: write # Needed for release uploads | |
if: github.repository == 'argoproj/argo-cd' | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}" | |
provenance-name: "argocd-sbom.intoto.jsonl" | |
upload-assets: true | |
post-release: | |
needs: | |
- argocd-image | |
- goreleaser | |
- generate-sbom | |
permissions: | |
contents: write # Needed to push commit to update stable tag | |
pull-requests: write # Needed to create PR for VERSION update. | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Git author information | |
run: | | |
set -ue | |
git config --global user.email '[email protected]' | |
git config --global user.name 'CI' | |
- name: Check if tag is the latest version and not a pre-release | |
run: | | |
set -xue | |
# Fetch all tag information | |
git fetch --prune --tags --force | |
LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1) | |
PRE_RELEASE=false | |
# Check if latest tag is a pre-release | |
if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then | |
PRE_RELEASE=true | |
fi | |
# Ensure latest tag matches github.ref_name & not a pre-release | |
if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then | |
echo "TAG_STABLE=true" >> $GITHUB_ENV | |
else | |
echo "TAG_STABLE=false" >> $GITHUB_ENV | |
fi | |
- name: Update stable tag to latest version | |
run: | | |
git tag -f stable ${{ github.ref_name }} | |
git push -f origin stable | |
if: ${{ env.TAG_STABLE == 'true' }} | |
- name: Check to see if VERSION should be updated on master branch | |
run: | | |
set -xue | |
SOURCE_TAG=${{ github.ref_name }} | |
VERSION_REF="${SOURCE_TAG#*v}" | |
COMMIT_HASH=$(git rev-parse HEAD) | |
if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1';then | |
VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}") | |
echo "Updating VERSION to: $VERSION" | |
echo "UPDATE_VERSION=true" >> $GITHUB_ENV | |
echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV | |
echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV | |
else | |
echo "Not updating VERSION" | |
echo "UPDATE_VERSION=false" >> $GITHUB_ENV | |
fi | |
- name: Update VERSION on master branch | |
run: | | |
echo ${{ env.NEW_VERSION }} > VERSION | |
# Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml | |
sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml | |
# Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml | |
sed -i "s/commit-hash: .*/commit-hash: ${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml | |
if: ${{ env.UPDATE_VERSION == 'true' }} | |
- name: Create PR to update VERSION on master branch | |
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 | |
with: | |
commit-message: Bump version in master | |
title: "chore: Bump version in master" | |
body: All images built from master should indicate which version we are on track for. | |
signoff: true | |
branch: update-version | |
branch-suffix: random | |
base: master | |
if: ${{ env.UPDATE_VERSION == 'true' }} |