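# Publish ArgoCD Release
#
# Runs on a pushed `v*` tag (the v2.4/v2.5/v2.6 lines are excluded). It builds
# and pushes the container image, generates SLSA provenance for that image,
# runs GoReleaser for the CLI assets (with provenance), produces an SBOM (with
# provenance), and finally moves the `stable` tag / opens the VERSION-bump PR.
#
# Every job is gated on `github.repository == 'argoproj/argo-cd'` so forks do
# not attempt to publish. The top-level `permissions: {}` forces each job to
# request exactly the scopes it needs.
#
# Hardening note: `github.ref_name` is never inlined into a `run:` script.
# Each step that needs the tag name receives it via `env:` and reads it as a
# quoted shell variable, so the value is data to the shell, not code.
name: Publish ArgoCD Release
on:
  push:
    tags:
      - 'v*'
      - '!v2.4*'
      - '!v2.5*'
      - '!v2.6*'

permissions: {}

env:
  # renovate: datasource=golang-version packageName=golang
  GOLANG_VERSION: '1.25.0' # Note: go-version must also be set in job argocd-image.with.go-version

jobs:
  argocd-image:
    permissions:
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
    if: github.repository == 'argoproj/argo-cd'
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Tag name is interpolated into a plain string input here, not into a shell.
      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.25.0
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}

  setup-variables:
    name: Setup Release Variables
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    outputs:
      # NOTE: is_pre_release is computed but not consumed by any other job in this file.
      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          # This job only reads tags from the (public) repo; keep the token out of .git/config.
          persist-credentials: false
      - name: Setup variables
        id: var
        env:
          # Passed through the environment rather than inlined as ${{ }} inside the script.
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -xue
          # Fetch all tag information
          git fetch --prune --tags --force

          # Highest tag by version sort, excluding anything containing '-' (i.e. -rcN tags).
          LATEST_RELEASE_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | grep -v '-' | tail -n1)

          PRE_RELEASE=false
          # The pushed tag is a pre-release if it ends in -rc<digits>.
          if echo "$REF_NAME" | grep -E -- '-rc[0-9]+$'; then
            PRE_RELEASE=true
          fi

          IS_LATEST=false
          # The pushed tag is "latest" only when it is the highest non-rc tag.
          # Both sides quoted so [[ == ]] is an exact string compare, not a glob match.
          if [[ "$LATEST_RELEASE_TAG" == "$REF_NAME" ]]; then
            IS_LATEST=true
          fi
          echo "is_pre_release=$PRE_RELEASE" >> "$GITHUB_OUTPUT"
          echo "is_latest_release=$IS_LATEST" >> "$GITHUB_OUTPUT"

  argocd-image-provenance:
    needs: [argocd-image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    if: github.repository == 'argoproj/argo-cd'
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: quay.io/argoproj/argocd
      # Attest the exact digest the build job produced, not the mutable tag.
      digest: ${{ needs.argocd-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}

  goreleaser:
    needs:
      - setup-variables
      - argocd-image
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    env:
      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Fetch all tags
        run: git fetch --force --tags

      - name: Setup Golang
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false

      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -xue
          GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go "$REF_NAME") || exit 1
          echo "GORELEASER_PREVIOUS_TAG=$GORELEASER_PREVIOUS_TAG" >> "$GITHUB_ENV"

      - name: Set environment variables for ldflags
        id: set_ldflag
        run: |
          # Last whitespace-separated field of `go list -m k8s.io/client-go` is the module version.
          echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> "$GITHUB_ENV"
          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> "$GITHUB_ENV"

      - name: Free Disk Space (Ubuntu)
        # NOTE(review): pinned by SHA but lacks the "# vX.Y.Z" annotation the other actions carry.
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        id: run-goreleaser
        with:
          # NOTE(review): `latest` downloads whichever GoReleaser release is current at run
          # time, so release builds are not reproducible and trust GoReleaser's release
          # channel at the moment of the run; consider pinning an exact version.
          version: latest
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}

      - name: Generate subject for provenance
        id: hash
        env:
          ARTIFACTS: '${{ steps.run-goreleaser.outputs.artifacts }}'
        run: |
          set -euo pipefail

          # Emit "<hex-digest> <name>" per artifact that carries a digest/checksum in
          # .extra, base64-encoded on one line as the SLSA generic generator expects.
          hashes=$(echo "$ARTIFACTS" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
          if test "$hashes" = ""; then # goreleaser < v1.13.0
            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
            # $checksum_file is intentionally unquoted: if jq returns several paths they are all concatenated.
            hashes=$(cat $checksum_file | base64 -w0)
          fi
          echo "hashes=$hashes" >> "$GITHUB_OUTPUT"

  goreleaser-provenance:
    needs: [goreleaser]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
      provenance-name: 'argocd-cli.intoto.jsonl'
      upload-assets: true

  generate-sbom:
    name: Create SBOM and generate hash
    needs:
      - argocd-image
      - goreleaser
    permissions:
      contents: write # Needed for release uploads
    outputs:
      hashes: ${{ steps.sbom-hash.outputs.hashes }}
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          # `yarn install` below executes dependency lifecycle scripts inside this checkout;
          # the job holds contents: write, so do not leave the token in .git/config for them.
          # Nothing later in this job pushes over git (uploads go through the API).
          persist-credentials: false

      - name: Setup Golang
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false

      - name: Generate SBOM (spdx)
        id: spdx-builder
        env:
          # defines the spdx/spdx-sbom-generator version to use.
          SPDX_GEN_VERSION: v0.0.13
          # defines the sigs.k8s.io/bom version to use.
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
          PROJECT_FOLDERS: '.,./ui'
          # full qualified name of the docker image to be inspected
          DOCKER_IMAGE: quay.io/argoproj/argocd
          # digest of the image built by argocd-image -- the same value that
          # argocd-image-provenance attests -- so the SBOM describes exactly that
          # image rather than whatever the mutable tag resolves to at run time.
          IMAGE_DIGEST: ${{ needs.argocd-image.outputs.image-digest }}
        run: |
          set -euo pipefail
          # NOTE(review): confirm this install is lockfile-pinned (yarn v1 needs
          # --frozen-lockfile, yarn berry --immutable); not determinable from this file.
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@"$SPDX_GEN_VERSION"
          go install sigs.k8s.io/bom/cmd/bom@"$SIGS_BOM_VERSION"

          # Generate SPDX for project dependencies analyzing package managers
          IFS=',' read -r -a folders <<< "$PROJECT_FOLDERS"
          for folder in "${folders[@]}"; do
            generator -p "$folder" -o /tmp
          done

          # Generate SPDX for binaries analyzing the docker image, pinned by digest.
          # Fail closed rather than scan an unpinned reference if the digest is missing.
          if [[ -z "$IMAGE_DIGEST" ]]; then
            echo "argocd-image did not report an image digest; refusing to generate an SBOM for an unpinned image" >&2
            exit 1
          fi
          bom generate -o /tmp/bom-docker-image.spdx -i "${DOCKER_IMAGE}@${IMAGE_DIGEST}"

          cd /tmp && tar -zcf sbom.tar.gz *.spdx

      - name: Generate SBOM hash
        shell: bash
        id: sbom-hash
        run: |
          # sha256sum generates sha256 hash for sbom.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: |
            /tmp/sbom.tar.gz

  sbom-provenance:
    needs: [generate-sbom]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: '${{ needs.generate-sbom.outputs.hashes }}'
      provenance-name: 'argocd-sbom.intoto.jsonl'
      upload-assets: true

  post-release:
    needs:
      - setup-variables
      - argocd-image
      - goreleaser
      - generate-sbom
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    env:
      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          # Credentials must persist here: the stable-tag step below pushes over git.
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Git author information
        run: |
          set -ue
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'

      - name: Update stable tag to latest version
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -ue
          git tag -f stable "$REF_NAME"
          git push -f origin stable
        if: ${{ env.TAG_STABLE == 'true' }}

      - name: Check to see if VERSION should be updated on master branch
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -xue
          SOURCE_TAG="$REF_NAME"
          VERSION_REF="${SOURCE_TAG#*v}"
          COMMIT_HASH=$(git rev-parse HEAD)
          # Only the first rc of a new minor (X.Y.0-rc1) bumps VERSION on master, to X.(Y+1).0.
          if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1'; then
            VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}")
            echo "Updating VERSION to: $VERSION"
            echo "UPDATE_VERSION=true" >> "$GITHUB_ENV"
            echo "NEW_VERSION=$VERSION" >> "$GITHUB_ENV"
            echo "COMMIT_HASH=$COMMIT_HASH" >> "$GITHUB_ENV"
          else
            echo "Not updating VERSION"
            echo "UPDATE_VERSION=false" >> "$GITHUB_ENV"
          fi

      - name: Update VERSION on master branch
        # NEW_VERSION and COMMIT_HASH were written to GITHUB_ENV by the previous step,
        # so they are read as shell variables instead of being inlined as ${{ env.* }}.
        run: |
          set -ue
          echo "$NEW_VERSION" > VERSION
          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
          sed -i "s/project-release: v.*$/project-release: v${NEW_VERSION}/" SECURITY-INSIGHTS.yml
          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
          sed -i "s/commit-hash: .*/commit-hash: ${COMMIT_HASH}/" SECURITY-INSIGHTS.yml
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: Bump version in master
          title: 'chore: Bump version in master'
          body: All images built from master should indicate which version we are on track for.
          signoff: true
          branch: update-version
          branch-suffix: random
          base: master
        if: ${{ env.UPDATE_VERSION == 'true' }}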