release #63

Workflow file for this run

.github/workflows/release.yml at 09759f8

	name: release

	on:
	push:
	tags:
	- 'v*'

	jobs:
	draft-release:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- name: Checkout
	uses: actions/checkout@v2
	with:
	fetch-depth: 0
	- name: Set up Go
	uses: actions/setup-go@v2
	with:
	go-version: 1.22.2
	- name: Set up Cosign
	uses: sigstore/cosign-installer@v3
	- name: Install Carvel Tools
	uses: carvel-dev/setup-action@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	only: ytt, kapp, kbld, imgpkg, kctrl, vendir
	ytt: v0.45.4
	kapp: v0.58.0
	kbld: v0.37.5
	imgpkg: v0.37.3
	kctrl: v0.50.2
	vendir: v0.34.4
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v2
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Run release script
	run: \|
	set -e -x
	minikube start --driver=docker --wait=all
	docker buildx create minikube --use --driver=kubernetes --bootstrap
	./hack/build-and-publish-release.sh
	mkdir release
	cp ./tmp/release.yml release/
	- name: Sign secretgen-controller OCI image
	run: \|
	image_url=`yq e '.spec.template.spec.containers[] \| select(.name == "secretgen-controller") \| .image' release/release.yml`
	cosign sign --yes "$image_url"
	- name: Verify signature on secretgen-controller OCI image
	run: \|
	image_url=`yq e '.spec.template.spec.containers[] \| select(.name == "secretgen-controller") \| .image' release/release.yml`
	cosign verify \
	$image_url \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com
	- name: Run Package build
	run: \|
	constraintVersion="${{ github.ref_name }}"
	kctrl pkg release -y -v ${constraintVersion:1} --debug
	mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
	cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
	- name: Sign secretgen-controller-package-bundle OCI image
	run: \|
	image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
	cosign sign --yes "$image_url"

	- name: Verify signature on secretgen-controller-package-bundle OCI image
	run: \|
	image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
	cosign verify \
	$image_url \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com

	- name: Updating release notes
	run: \|
	RELEASE_TAG=$(git describe --tags --abbrev=0)
	SGC_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] \| select(.name == "secretgen-controller") \| .image' release/release.yml)
	SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
	RELEASE_NOTES="
	<details>
	<summary><h2>Installation and signature verification</h2></summary>

	## Verify checksums file signature

	Install cosign on your system https://docs.sigstore.dev/system_config/installation/

	The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:

	\`\`\`shell
	# Download the checksums file, certificate, and signature
	curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
	curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
	curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig

	### Verify the checksums file
	cosign verify-blob checksums.txt \
	--certificate checksums.txt.pem \
	--signature checksums.txt.sig \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com
	\`\`\`

	## Installation of secretgen-controller

	secretgen-controller can be installed by using kapp
	\`\`\`shell
	kapp deploy -a sg -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
	\`\`\`

	or by using kubectl
	\`\`\`shell
	kubectl deploy -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
	\`\`\`

	### Container Images

	secretgen-controller and secretgen-controller-package-bundle images are available in Github Container Registry.

	### OCI Image URLs

	- $SGC_CONTROLLER_IMAGE
	- $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE

	### Verify container image signature

	The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
	\`\`\`shell
	# Verifying secretgen-controller image
	cosign verify $SGC_CONTROLLER_IMAGE \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	-o text

	# Verifying secretgen-controller-package-bundle image
	cosign verify $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	-o text
	\`\`\`

	</summary>
	</details>
	"
	echo "$RELEASE_NOTES" > ./tmp/release_notes.txt

	- name: Create checksum and add it to release notes
	run: \|
	pushd release
	shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml \| tee ../tmp/checksums.txt
	popd
	cat ./tmp/checksums.txt \| tee -a ./tmp/release_notes.txt
	cp ./tmp/checksums.txt release/checksums.txt

	- name: Sign checksums.txt
	run: \|
	cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
	- name: Verify checksums signature
	run: \|
	cosign verify-blob \
	--cert release/checksums.txt.pem \
	--signature release/checksums.txt.sig \
	--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt

	- name: Create release draft and upload release yaml
	uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
	with:
	name: ${{ github.ref_name }}
	token: ${{ secrets.GITHUB_TOKEN }}
	body_path: ./tmp/release_notes.txt
	files: \|
	./release/*
	draft: true
	- name: Get uploaded release YAML checksum
	uses: actions/github-script@v6
	id: get-checksums-from-draft-release
	if: startsWith(github.ref, 'refs/tags/')
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	result-encoding: string
	script: \|
	var crypto = require('crypto');
	const { owner, repo } = context.repo;
	// https://docs.github.com/en/rest/reference/repos#list-releases
	// https://octokit.github.io/rest.js/v18#repos-list-releases
	var releases = await github.rest.repos.listReleases({
	owner: owner,
	repo: repo
	});
	var crypto = require('crypto')
	var fs = require('fs')
	const url = require('url');
	const https = require('https');
	checksums = {}
	var releaseMatched = false;
	var assetsFound = false;
	for (const r of releases["data"]) {
	if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
	releaseMatched = true;
	for (const asset of r.assets) {
	assetsFound = true;
	var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
	const hash = crypto.createHash('sha256');
	let http_promise = new Promise((resolve, reject) => {
	https.get(release_asset.url, (stream) => {
	stream.on('data', function (data) {
	hash.update(data);
	});
	stream.on('end', function () {
	checksums[asset.name]= hash.digest('hex');
	resolve(`${asset.name}`);
	});
	});
	});
	await http_promise;
	http_promise.then(
	(result) => {
	console.log(checksums);
	},
	(error) => {
	console.log("Encountered an Error for " + asset.name + " asset: " + error); // Log an error
	});
	}
	}
	}
	if (!releaseMatched) {
	console.log("No release matched")
	}
	if (!assetsFound) {
	console.log("No assets found for " + "${{ github.ref }}" + " release")
	}
	return `${checksums['release.yml']} ./release.yml
	${checksums['package.yml']} ./package.yml
	${checksums['package-metadata.yml']} ./package-metadata.yml`

	- name: Verify uploaded artifacts
	if: startsWith(github.ref, 'refs/tags/')
	env:
	GITHUB_CONTEXT: ${{ toJson(github) }}
	run: \|
	set -e -x
	cat ./tmp/checksums.txt
	diff ./tmp/checksums.txt <(cat <<EOF
	${{steps.get-checksums-from-draft-release.outputs.result}}
	EOF
	)

	- name: Run PackageCR Validation Tests
	run: \|
	set -e -x

	# deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly
	kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y

	# Kapp-controller is needed for our PackageInstall
	kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y

	constraintVersion="${{ github.ref_name }}"

	kubectl create ns sg

	kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y

	# installing pkg with kctrl
	kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg

	export SECRETGEN_E2E_NAMESPACE=secretgen-test

	./hack/test-e2e.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

release #63

Workflow file

release #63

Jobs

Run details

Workflow file for this run