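# Release pipeline for Argo CD.
#
# Triggered by pushing a `v*` tag (the v2.4/v2.5/v2.6 lines are excluded).
# Job chain:
#   argocd-image            -> builds and pushes the container image (reusable workflow)
#   argocd-image-provenance -> SLSA level-3 provenance for that image digest
#   goreleaser              -> CLI binaries and release assets, emits subject hashes
#   goreleaser-provenance   -> SLSA provenance for the CLI assets
#   generate-sbom           -> SPDX SBOMs (package managers + image), emits its hash
#   sbom-provenance         -> SLSA provenance for the SBOM tarball
#   post-release            -> moves the `stable` tag and opens the VERSION bump PR
#
# Shell steps read the pushed tag from the default GITHUB_REF_NAME variable
# instead of interpolating `${{ github.ref_name }}` into the script body, so
# the tag text is never evaluated as shell.
name: Publish ArgoCD Release
on:
  push:
    tags:
      - 'v*'
      - '!v2.4*'
      - '!v2.5*'
      - '!v2.6*'

# No default permissions; each job declares exactly what it needs.
permissions: {}

env:
  GOLANG_VERSION: '1.21' # Note: go-version must also be set in job argocd-image.with.go-version

jobs:
  argocd-image:
    permissions:
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
    if: github.repository == 'argoproj/argo-cd'
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: 1.21
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}

  argocd-image-provenance:
    needs: [argocd-image]
    permissions:
      actions: read # for detecting the GitHub Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    if: github.repository == 'argoproj/argo-cd'
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
    with:
      image: quay.io/argoproj/argocd
      digest: ${{ needs.argocd-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}

  goreleaser:
    needs:
      - argocd-image
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    outputs:
      # base64-encoded "<sha256> <name>" lines consumed by goreleaser-provenance
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Fetch all tags
        run: git fetch --force --tags

      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
        run: |
          set -xue
          # Only the first release candidate of a branch (vX.Y.0-rc1) has no
          # predecessor on that branch, so point GoReleaser at the previous tag
          # in version order. The pattern is anchored on `-rc1$` so that
          # -rc10, -rc11, ... are not mistaken for a first candidate.
          if echo "$GITHUB_REF_NAME" | grep -E -- '-rc1$'; then
            echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> "$GITHUB_ENV"
          else
            echo "This is not the first release on the branch, Using GoReleaser defaults"
          fi

      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}

      - name: Set environment variables for ldflags
        id: set_ldflag
        run: |
          # KUBECTL_VERSION is the version of k8s.io/client-go from go.mod (last
          # whitespace-separated field of `go list -m`).
          echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> "$GITHUB_ENV"
          # GIT_TREE_STATE is "clean" when the working tree has no changes.
          echo "GIT_TREE_STATE=$(if [ -z "$(git status --porcelain)" ]; then echo "clean" ; else echo "dirty"; fi)" >> "$GITHUB_ENV"

      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        id: run-goreleaser
        with:
          version: latest
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}

      - name: Generate subject for provenance
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          # One "<sha256> <artifact name>" line per artifact that carries a
          # digest/checksum in the GoReleaser artifact metadata, base64-encoded
          # on a single line for the SLSA generator's base64-subjects input.
          hashes=$(echo "$ARTIFACTS" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
          if test "$hashes" = ""; then # goreleaser < v1.13.0
            # Older GoReleaser does not expose per-artifact digests; fall back
            # to the generated checksum file.
            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
            hashes=$(base64 -w0 < "$checksum_file")
          fi
          echo "hashes=$hashes" >> "$GITHUB_OUTPUT"

  goreleaser-provenance:
    needs: [goreleaser]
    permissions:
      actions: read # for detecting the GitHub Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      provenance-name: "argocd-cli.intoto.jsonl"
      upload-assets: true

  generate-sbom:
    name: Create SBOM and generate hash
    needs:
      - argocd-image
      - goreleaser
    permissions:
      contents: write # Needed for release uploads
    outputs:
      # base64-encoded sha256sum line of /tmp/sbom.tar.gz, consumed by sbom-provenance
      hashes: ${{ steps.sbom-hash.outputs.hashes }}
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}

      - name: Generate SBOM (spdx)
        id: spdx-builder
        env:
          # defines the spdx/spdx-sbom-generator version to use.
          SPDX_GEN_VERSION: v0.0.13
          # defines the sigs.k8s.io/bom version to use.
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
          PROJECT_FOLDERS: ".,./ui"
          # full qualified name of the docker image to be inspected
          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
        run: |
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@"$SPDX_GEN_VERSION"
          go install sigs.k8s.io/bom/cmd/bom@"$SIGS_BOM_VERSION"

          # Generate SPDX for project dependencies analyzing package managers
          for folder in $(echo "$PROJECT_FOLDERS" | sed "s/,/ /g")
          do
            generator -p "$folder" -o /tmp
          done

          # Generate SPDX for binaries analyzing the docker image
          if [[ -n "$DOCKER_IMAGE" ]]; then
            bom generate -o /tmp/bom-docker-image.spdx -i "$DOCKER_IMAGE"
          fi

          cd /tmp && tar -zcf sbom.tar.gz *.spdx

      - name: Generate SBOM hash
        shell: bash
        id: sbom-hash
        run: |
          # sha256sum generates sha256 hash for sbom.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: |
            /tmp/sbom.tar.gz

  sbom-provenance:
    needs: [generate-sbom]
    permissions:
      actions: read # for detecting the GitHub Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
      provenance-name: "argocd-sbom.intoto.jsonl"
      upload-assets: true

  post-release:
    needs:
      - argocd-image
      - goreleaser
      - generate-sbom
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Git author information
        run: |
          set -ue
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'

      - name: Check if tag is the latest version and not a pre-release
        run: |
          set -xue
          # Fetch all tag information
          git fetch --prune --tags --force

          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)

          PRE_RELEASE=false
          # Check if latest tag is a pre-release
          if echo "$LATEST_TAG" | grep -E -- '-rc[0-9]+$'; then
            PRE_RELEASE=true
          fi

          # Ensure latest tag matches the pushed tag & not a pre-release
          if [[ "$LATEST_TAG" == "$GITHUB_REF_NAME" ]] && [[ "$PRE_RELEASE" != 'true' ]]; then
            echo "TAG_STABLE=true" >> "$GITHUB_ENV"
          else
            echo "TAG_STABLE=false" >> "$GITHUB_ENV"
          fi

      - name: Update stable tag to latest version
        if: ${{ env.TAG_STABLE == 'true' }}
        run: |
          git tag -f stable "$GITHUB_REF_NAME"
          git push -f origin stable

      - name: Check to see if VERSION should be updated on master branch
        run: |
          set -xue
          SOURCE_TAG="$GITHUB_REF_NAME"
          VERSION_REF="${SOURCE_TAG#*v}"
          COMMIT_HASH=$(git rev-parse HEAD)
          # Only the first release candidate of a new minor (X.Y.0-rc1) bumps
          # VERSION on master to the next minor. The pattern is anchored with
          # `$` so that X.Y.0-rc10, -rc11, ... do not match; for those the
          # `${VERSION_REF%-rc1}` strip below would not remove the suffix.
          if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1$'; then
            VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}")
            echo "Updating VERSION to: $VERSION"
            echo "UPDATE_VERSION=true" >> "$GITHUB_ENV"
            echo "NEW_VERSION=$VERSION" >> "$GITHUB_ENV"
            echo "COMMIT_HASH=$COMMIT_HASH" >> "$GITHUB_ENV"
          else
            echo "Not updating VERSION"
            echo "UPDATE_VERSION=false" >> "$GITHUB_ENV"
          fi

      - name: Update VERSION on master branch
        if: ${{ env.UPDATE_VERSION == 'true' }}
        run: |
          # NEW_VERSION and COMMIT_HASH were exported to GITHUB_ENV by the
          # previous step and are read here as ordinary environment variables.
          echo "$NEW_VERSION" > VERSION
          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
          sed -i "s/project-release: v.*$/project-release: v${NEW_VERSION}/" SECURITY-INSIGHTS.yml
          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml with
          # the hash of the tagged commit (not the version string).
          sed -i "s/commit-hash: .*/commit-hash: ${COMMIT_HASH}/" SECURITY-INSIGHTS.yml

      - name: Create PR to update VERSION on master branch
        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          commit-message: Bump version in master
          title: "chore: Bump version in master"
          body: All images built from master should indicate which version we are on track for.
          signoff: true
          branch: update-version
          branch-suffix: random
          base: master
        if: ${{ env.UPDATE_VERSION == 'true' }}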