Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/.github/workflows/goreleaser-fleet.yaml
Lucas Manuel Rodriguez 243ca206bf
Fix tagging of fleetdm/fleet and fleetdm/fleetctl when releasing (#28251) 
For #26988.
2025-04-16 15:48:47 -03:00

156 lines
6.4 KiB
YAML
Raw Blame History

name: goreleaser
on:
push:
tags:
- "fleet-*"
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
goreleaser:
runs-on: ubuntu-22.04-4-cores
environment: Docker Hub
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0 # Needed for goreleaser
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: "go.mod"
- name: Set up Node.js
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version-file: package.json
- name: Install JS Dependencies
run: make deps-js
- name: Install macOS signing + notarization tools
run: |
pushd /tmp
readonly version="0.27.0"
readonly codesign_package="apple-codesign-${version}-x86_64-unknown-linux-musl.tar.gz"
curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}"
curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}.sha256"
echo "$(cat $codesign_package.sha256) $codesign_package" | sha256sum --quiet --strict --check -
tar --extract --strip-components 1 --file "$codesign_package"
mkdir -p $HOME/.bin
mv rcodesign $HOME/.bin/
echo "$HOME/.bin" >> $GITHUB_PATH
popd
- name: Run GoReleaser
id: goreleaser
uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
with:
distribution: goreleaser-pro
version: "~> 2"
args: release --clean -f .goreleaser.yml
env:
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
APPLE_APP_STORE_CONNECT_KEY: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY }}
APPLE_APP_STORE_CONNECT_KEY_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY_ID }}
APPLE_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}
- name: Attest binaries and archives
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/**"
- name: Get tag
run: |
echo "TAG=$(git describe --tags | sed -e "s/^fleet-//")" >> $GITHUB_OUTPUT
id: docker
# Get the image digests from the goreleaser artifacts
# Adapted from https://github.com/goreleaser/goreleaser/issues/4852#issuecomment-2122790132
- name: Get image digests
continue-on-error: true
id: image_digests
run: |
digest_fleet=$(cat ./dist/artifacts.json | jq -r 'first(.[]|select(.type == "Published Docker Image" and (.name == "fleetdm/fleet:${{ steps.docker.outputs.tag }}")) | select(. != null)|.extra.Digest)')
echo "digest_fleet=$digest_fleet" >> "$GITHUB_OUTPUT"
digest_fleetctl=$(cat ./dist/artifacts.json | jq -r 'first(.[]|select(.type == "Published Docker Image" and (.name == "fleetdm/fleetctl:${{ steps.docker.outputs.tag }}")) | select(. != null)|.extra.Digest)')
echo "digest_fleetctl=$digest_fleetctl" >> "$GITHUB_OUTPUT"
- name: Attest Fleet image
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
continue-on-error: true
with:
subject-digest: ${{steps.image_digests.outputs.digest_fleet}}
subject-name: "docker.io/fleetdm/fleet"
push-to-registry: true
- name: Attest FleetCtl image
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
continue-on-error: true
with:
subject-digest: ${{steps.image_digests.outputs.digest_fleetctl}}
subject-name: "docker.io/fleetdm/fleetctl"
push-to-registry: true
- name: Update fleetdm/fleet:latest and fleetdm/fleetctl:latest
run: |
highest_release=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/fleetdm/fleet/releases | jq -r '.[].tag_name' | sort -r | head -n 1 | sed -e "s/^fleet-//")
tag=${{ steps.docker.outputs.tag }}
if [[ $(printf "$highest_release\n$tag" | sort -r | head -n 1) = "$tag" ]]; then
docker tag fleetdm/fleet:$tag fleetdm/fleet:latest
docker push fleetdm/fleet:latest
docker tag fleetdm/fleetctl:$tag fleetdm/fleetctl:latest
docker push fleetdm/fleetctl:latest
else
echo "Skipping tagging of fleetdm/fleet:latest and fleetdm/fleetctl:latest because existing release $highest_release is higher than $tag"
fi
- name: List tags for push
run: |
echo "The following TAGs are to be pushed: ${{ steps.docker.outputs.TAG }}"
- name: Login to quay.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
registry: quay.io
username: fleetdm+fleetreleaser
password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
- name: Tag and push to quay.io
run: |
for TAG in ${{ steps.docker.outputs.TAG }}; do
docker tag fleetdm/fleet:${TAG} quay.io/fleetdm/fleet:${TAG}
docker push quay.io/fleetdm/fleet:${TAG}
done
Reference in a new issue View git blame Copy permalink