github.com/argoproj/argo-cd/v3@v3.2.1/.github/workflows/image.yaml (about) 1 name: Image 2 3 on: 4 push: 5 branches: 6 - master 7 pull_request: 8 branches: 9 - master 10 types: [labeled, unlabeled, opened, synchronize, reopened] 11 12 concurrency: 13 group: ${{ github.workflow }}-${{ github.ref }} 14 cancel-in-progress: true 15 16 permissions: {} 17 18 jobs: 19 set-vars: 20 permissions: 21 contents: read 22 if: github.repository == 'argoproj/argo-cd' 23 runs-on: ubuntu-22.04 24 outputs: 25 image-tag: ${{ steps.image.outputs.tag}} 26 platforms: ${{ steps.platforms.outputs.platforms }} 27 steps: 28 - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 29 30 - name: Set image tag for ghcr 31 run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT 32 id: image 33 34 - name: Determine image platforms to use 35 id: platforms 36 run: | 37 IMAGE_PLATFORMS=linux/amd64 38 if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] 39 then 40 IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le 41 fi 42 echo "Building image for platforms: $IMAGE_PLATFORMS" 43 echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT 44 45 build-only: 46 needs: [set-vars] 47 permissions: 48 contents: read 49 packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags 50 id-token: write # for creating OIDC tokens for signing. 51 if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }} 52 uses: ./.github/workflows/image-reuse.yaml 53 with: 54 # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) 55 # renovate: datasource=golang-version packageName=golang 56 go-version: 1.25.0 57 platforms: ${{ needs.set-vars.outputs.platforms }} 58 push: false 59 60 build-and-publish: 61 needs: [set-vars] 62 permissions: 63 contents: read 64 packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags 65 id-token: write # for creating OIDC tokens for signing. 66 if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} 67 uses: ./.github/workflows/image-reuse.yaml 68 with: 69 quay_image_name: quay.io/argoproj/argocd:latest 70 ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} 71 # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) 72 # renovate: datasource=golang-version packageName=golang 73 go-version: 1.25.0 74 platforms: ${{ needs.set-vars.outputs.platforms }} 75 push: true 76 secrets: 77 quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} 78 quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} 79 ghcr_username: ${{ github.actor }} 80 ghcr_password: ${{ secrets.GITHUB_TOKEN }} 81 82 build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io 83 needs: 84 - build-and-publish 85 permissions: 86 actions: read # for detecting the Github Actions environment. 87 id-token: write # for creating OIDC tokens for signing. 88 packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) 89 if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} 90 # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator 91 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 92 with: 93 image: ghcr.io/argoproj/argo-cd/argocd 94 digest: ${{ needs.build-and-publish.outputs.image-digest }} 95 registry-username: ${{ github.actor }} 96 secrets: 97 registry-password: ${{ secrets.GITHUB_TOKEN }} 98 99 Deploy: 100 needs: 101 - build-and-publish 102 - set-vars 103 permissions: 104 contents: write # for git to push upgrade commit if not already deployed 105 packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags 106 if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} 107 runs-on: ubuntu-22.04 108 steps: 109 - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 110 - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments" 111 env: 112 TOKEN: ${{ secrets.TOKEN }} 113 - run: | 114 docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} 115 git config --global user.email 'ci@argoproj.com' 116 git config --global user.name 'CI' 117 git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) 118 working-directory: argoproj-deployments/argocd