.github/workflows/release.yml

name: release

on:
  push:
    tags:
      - 'v*'

jobs:
  draft-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.21.9
      - name: Set up Cosign
        uses: sigstore/cosign-installer@v3
      - name: Install Carvel Tools
        uses: carvel-dev/setup-action@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          only: ytt, kapp, kbld, imgpkg, kctrl, vendir
          ytt: v0.45.4
          kapp: v0.58.0
          kbld: v0.37.5
          imgpkg: v0.37.3
          kctrl: v0.50.2
          vendir: v0.34.4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run release script
        run: |
          set -e -x
          minikube start --driver=docker --wait=all
          docker buildx create --name minikube --use --driver=kubernetes --bootstrap
          ./hack/build-and-publish-release.sh
          mkdir release
          cp ./tmp/release.yml release/
      - name: Sign secretgen-controller OCI image
        run: |
          image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
          cosign sign --yes "$image_url"
      - name: Verify signature on secretgen-controller OCI image
        run: |
          image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
          cosign verify \
            $image_url \
            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Run Package build
        run: |
          constraintVersion="${{ github.ref_name }}"
          kctrl pkg release -y -v ${constraintVersion:1} --debug
          mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
          cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
      - name: Sign secretgen-controller-package-bundle OCI image
        run: |
          image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
          cosign sign --yes "$image_url"
      
      - name: Verify signature on secretgen-controller-package-bundle OCI image
        run: |
          image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
          cosign verify \
            $image_url \
            --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com

      - name: Updating release notes
        run: |
          RELEASE_TAG=$(git describe --tags --abbrev=0)
          SGC_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml)
          SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
          RELEASE_NOTES="
          <details>
          <summary><h2>Installation and signature verification</h2></summary>
          
          ## Verify checksums file signature

          Install cosign on your system https://docs.sigstore.dev/system_config/installation/

          The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:

          \`\`\`shell
          # Download the checksums file, certificate, and signature
          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
          curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig

          ### Verify the checksums file
          cosign verify-blob checksums.txt \
          --certificate checksums.txt.pem \
          --signature checksums.txt.sig \
          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com 
          \`\`\`

          ## Installation of secretgen-controller

          secretgen-controller can be installed by using kapp 
          \`\`\`shell
          kapp deploy -a sg -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
          \`\`\`

          or by using kubectl
          \`\`\`shell
          kubectl deploy -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
          \`\`\`

          ### Container Images

          secretgen-controller and secretgen-controller-package-bundle images are available in Github Container Registry.

          ### OCI Image URLs

          - $SGC_CONTROLLER_IMAGE
          - $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE

          ### Verify container image signature

          The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
          \`\`\`shell
          # Verifying secretgen-controller image
          cosign verify $SGC_CONTROLLER_IMAGE \
          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          -o text

          # Verifying secretgen-controller-package-bundle image
          cosign verify $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
          -o text
          \`\`\`
          
          </summary>
          </details>
          "
          echo "$RELEASE_NOTES" > ./tmp/release_notes.txt

      - name: Create checksum and add it to release notes
        run: |
          pushd release
          shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
          popd
          cat ./tmp/checksums.txt | tee -a ./tmp/release_notes.txt
          cp ./tmp/checksums.txt release/checksums.txt
        
      - name: Sign checksums.txt
        run: |
            cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem  --output-signature release/checksums.txt.sig
      - name: Verify checksums signature
        run: |
          cosign verify-blob \
          --cert release/checksums.txt.pem \
          --signature release/checksums.txt.sig \
          --certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
          --certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt

      - name: Create release draft and upload release yaml
        uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
        with:
          name: ${{ github.ref_name }}
          token: ${{ secrets.GITHUB_TOKEN }}
          body_path: ./tmp/release_notes.txt
          files: |
            ./release/*
          draft: true
      - name: Get uploaded release YAML checksum
        uses: actions/github-script@v6
        id: get-checksums-from-draft-release
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          script: |
            var crypto = require('crypto');
            const { owner, repo } = context.repo;
            // https://docs.github.com/en/rest/reference/repos#list-releases
            // https://octokit.github.io/rest.js/v18#repos-list-releases
            var releases = await github.rest.repos.listReleases({
              owner: owner,
              repo: repo
            });
            var crypto = require('crypto')
            var fs = require('fs')
            const url = require('url');
            const https = require('https');
            checksums = {}
            var releaseMatched = false;
            var assetsFound = false;
            for (const r of releases["data"]) {
              if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
                releaseMatched = true;
                for (const asset of r.assets) {
                  assetsFound = true;
                  var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
                  const hash = crypto.createHash('sha256');
                  let http_promise = new Promise((resolve, reject) => {
                    https.get(release_asset.url, (stream) => {
                      stream.on('data', function (data) {
                        hash.update(data);
                      });
                      stream.on('end', function () {
                        checksums[asset.name]= hash.digest('hex');
                        resolve(`${asset.name}`);
                      });
                    });
                  });
                  await http_promise;
                  http_promise.then(
                    (result) => {
                        console.log(checksums);
                    },
                    (error) => {
                        console.log("Encountered an Error for " + asset.name + " asset: " + error); // Log an error
                    });
                }
              }
            }
            if (!releaseMatched) {
              console.log("No release matched")
            }
            if (!assetsFound) {
              console.log("No assets found for " + "${{ github.ref }}" + " release")
            }
            return `${checksums['release.yml']}  ./release.yml
            ${checksums['package.yml']}  ./package.yml
            ${checksums['package-metadata.yml']}  ./package-metadata.yml`
      
      - name: Verify uploaded artifacts
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: |
          set -e -x
          cat ./tmp/checksums.txt
          diff ./tmp/checksums.txt <(cat <<EOF
          ${{steps.get-checksums-from-draft-release.outputs.result}}
          EOF
          )

      - name: Run PackageCR Validation Tests
        run: |
          set -e -x

          # deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly
          kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y
          
          # Kapp-controller is needed for our PackageInstall
          kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y
          
          constraintVersion="${{ github.ref_name }}"
        
          kubectl create ns sg

          kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y
          
          # installing pkg with kctrl
          kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg
          
          export SECRETGEN_E2E_NAMESPACE=secretgen-test
          
          ./hack/test-e2e.sh