github.com/argoproj/argo-cd/v2@v2.10.9/.github/workflows/image.yaml (about)

     1  name: Image
     2  
        # Triggers: pushes to master and pull requests targeting master. The
        # `pull_request` event is used (not `pull_request_target`); every job that
        # receives registry credentials or the deployment token is additionally
        # gated on github.event_name == 'push'.
     3  on:
     4    push:
     5      branches:
     6        - master
     7    pull_request:
     8      branches:
     9        - master
            # labeled/unlabeled are presumably listed so that adding or removing the
            # `test-multi-image` label (read by the set-vars job) re-runs the workflow.
    10      types: [ labeled, unlabeled, opened, synchronize, reopened ]
    11  
        # One active run per workflow and ref; a newer run cancels the one in progress.
    12  concurrency:
    13    group: ${{ github.workflow }}-${{ github.ref }}
    14    cancel-in-progress: true
    15  
        # No GITHUB_TOKEN permissions are granted at workflow level; each job below
        # declares the scopes it needs.
    16  permissions: {}
    17  
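    18  jobs:
    19    set-vars:
            # Computes the image tag and the platform list consumed by the jobs below.
            # Runs on both push and pull_request with a read-only token.
    20      permissions:
    21        contents: read
    22      if: github.repository == 'argoproj/argo-cd'
    23      runs-on: ubuntu-22.04
    24      outputs:
    25        image-tag: ${{ steps.image.outputs.tag}}
    26        platforms: ${{ steps.platforms.outputs.platforms }}
    27      steps:
    28        - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
    29  
              # Tag is "<contents of ./VERSION>-<first 8 characters of the commit SHA>".
              # On pull_request runs ./VERSION comes from the checked-out PR code; in
              # this file the image-tag output is only consumed by push-gated jobs.
    30        - name: Set image tag for ghcr
    31          run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
    32          id: image
    33  
              # Expression results are handed to the script through env rather than
              # templated into the script text, so the shell only ever sees them as data.
    34        - name: Determine image platforms to use
    35          id: platforms
                env:
                  EVENT_NAME: ${{ github.event_name }}
                  MULTI_IMAGE: ${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}
    36          run: |
    37            IMAGE_PLATFORMS=linux/amd64
    38            if [[ "$EVENT_NAME" == "push" || "$MULTI_IMAGE" == "true" ]]
    39            then
    40              IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
    41            fi
    42            echo "Building image for platforms: $IMAGE_PLATFORMS"
    43            echo "platforms=$IMAGE_PLATFORMS" >> "$GITHUB_OUTPUT"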
    44  
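    45    build-only:
            # Pull-request path: builds the image through the reusable workflow with
            # push disabled; no registry secrets are passed to it.
    46      needs: [set-vars]
    47      permissions:
    48        contents: read
    49        packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    50        id-token: write # for creating OIDC tokens for signing.
            # NOTE(review): push is false here, yet packages: write and id-token: write
            # are granted; presumably image-reuse.yaml declares them on its own job, and a
            # called workflow cannot hold more than its caller grants. Confirm against
            # that file.
    51      if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
    52      uses: ./.github/workflows/image-reuse.yaml
    53      with:
    54        # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
              # Quoted so YAML keeps it a string; an unquoted 1.20 would be read as the number 1.2.
    55        go-version: '1.21'
    56        platforms: ${{ needs.set-vars.outputs.platforms }}
    57        push: false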
    58  
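    59    build-and-publish:
            # Push path: builds and publishes the image. Registry credentials are handed
            # to the reusable workflow only in this job, which is gated on push events in
            # the upstream repository.
    60      needs: [set-vars]
    61      permissions:
    62        contents: read
    63        packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    64        id-token: write # for creating OIDC tokens for signing.
    65      if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    66      uses: ./.github/workflows/image-reuse.yaml
    67      with:
              # The Quay reference is the mutable `latest` tag; the GHCR reference carries
              # the per-commit tag computed by set-vars.
    68        quay_image_name: quay.io/argoproj/argocd:latest
    69        ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
    70        # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
              # Quoted so YAML keeps it a string; an unquoted 1.20 would be read as the number 1.2.
    71        go-version: '1.21'
    72        platforms: ${{ needs.set-vars.outputs.platforms }}
    73        push: true
    74      secrets:
    75        quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
    76        quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
    77        ghcr_username: ${{ github.actor }}
    78        ghcr_password: ${{ secrets.GITHUB_TOKEN }}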
    79  
    80    build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
            # Generates provenance for the image published by build-and-publish. The
            # attestation is tied to the image digest passed below, not to a tag.
    81      needs:
    82        - build-and-publish
    83      permissions:
    84        actions: read # for detecting the GitHub Actions environment.
    85        id-token: write # for creating OIDC tokens for signing.
    86        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    87      if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    88      # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
            # This is a deliberate exception to the commit-SHA pinning used for
            # actions/checkout elsewhere in this workflow.
    89      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
    90      with:
    91        image: ghcr.io/argoproj/argo-cd/argocd
              # image-digest is presumably an output exported by image-reuse.yaml; confirm there.
    92        digest: ${{ needs.build-and-publish.outputs.image-digest }}
    93        registry-username: ${{ github.actor }}
    94      secrets:
    95        registry-password: ${{ secrets.GITHUB_TOKEN }}
    96  
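    97    Deploy:
            # Push path only: points the kustomization in argoproj-deployments/argocd at
            # the freshly built GHCR image tag, then commits and pushes if that changed
            # anything.
    98      needs:
    99        - build-and-publish
   100        - set-vars
   101      permissions:
   102        contents: write  # for git to push upgrade commit if not already deployed
   103        packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
            # NOTE(review): the only push visible in this job goes to
            # argoproj/argoproj-deployments and is authenticated with secrets.TOKEN, and
            # no registry login or image push appears in these steps. Confirm whether
            # contents: write and packages: write on GITHUB_TOKEN are still needed here.
   104      if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
   105      runs-on: ubuntu-22.04
   106      steps:
   107        - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
              # The token reaches git through the environment, not through the script
              # text. Git records the clone URL, token included, as the remote URL in
              # argoproj-deployments/.git/config; the `git push` in the next step relies
              # on that stored URL for authentication.
   108        - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
   109          env:
   110            TOKEN: ${{ secrets.TOKEN }}
              # The image tag is passed in as IMAGE_TAG and expanded by the shell inside
              # quotes, so its content cannot alter the command line of a job that holds
              # a write-capable token. Only the argocd subdirectory is mounted into the
              # container; the clone's .git directory sits one level above it.
   111        - run: |
   112            docker run -u "$(id -u):$(id -g)" -v "$(pwd):/src" -w /src --rm -t "ghcr.io/argoproj/argo-cd/argocd:${IMAGE_TAG}" kustomize edit set image "quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${IMAGE_TAG}"
   113            git config --global user.email 'ci@argoproj.com'
   114            git config --global user.name 'CI'
   115            git diff --exit-code && echo 'Already deployed' || (git commit -am "Upgrade argocd to ${IMAGE_TAG}" && git push)
   116          working-directory: argoproj-deployments/argocd
                env:
                  IMAGE_TAG: ${{ needs.set-vars.outputs.image-tag }}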
   117