Merge pull request #237 from fluxcd/flux-2.5 #37

Workflow file for this run

.github/workflows/release.yaml at 2bfbf05

	name: release

	on:
	push:
	tags:
	- 'v*'
	workflow_dispatch:
	inputs:
	tag:
	description: 'image tag prefix'
	default: 'rc'
	required: true

	permissions:
	contents: read

	env:
	CONTROLLER: ${{ github.event.repository.name }}

	jobs:
	release:
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	image_url: ${{ steps.hash.outputs.image_url }}
	image_digest: ${{ steps.hash.outputs.image_digest }}
	runs-on: ubuntu-latest
	permissions:
	contents: write # needed to write releases
	id-token: write # needed for keyless signing
	packages: write # needed for ghcr access
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Setup Kustomize
	uses: fluxcd/pkg/actions/kustomize@main
	- name: Prepare
	id: prep
	run: \|
	VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
	if [[ $GITHUB_REF == refs/tags/* ]]; then
	VERSION=${GITHUB_REF/refs\/tags\//}
	fi
	echo "version=${VERSION}" >> $GITHUB_OUTPUT
	- name: Setup Go
	uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
	with:
	go-version: 1.23.x
	cache-dependency-path: \|
	**/go.sum
	**/go.mod
	- uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
	- uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
	- uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
	- uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
	- name: Docker login ghcr.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: fluxcdbot
	password: ${{ secrets.GHCR_TOKEN }}
	- name: Docker login docker.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: fluxcdbot
	password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
	- name: Docker meta
	id: meta
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
	with:
	images: \|
	fluxcd/${{ env.CONTROLLER }}
	ghcr.io/fluxcd/${{ env.CONTROLLER }}
	tags: \|
	type=raw,value=${{ steps.prep.outputs.version }}
	- name: Docker push
	uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
	id: build-push
	with:
	sbom: true
	provenance: true
	push: true
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./Dockerfile
	platforms: linux/amd64,linux/arm/v7,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Sign images
	env:
	COSIGN_EXPERIMENTAL: 1
	run: \|
	cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	- name: GoReleaser publish signed SBOM
	id: run-goreleaser
	if: startsWith(github.ref, 'refs/tags/v')
	uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
	with:
	version: latest
	args: release --clean --skip=validate
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Generate SLSA hashes
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	hashes=$(echo $ARTIFACTS \| jq --raw-output '.[] \| {name, "digest": (.extra.Digest // .extra.Checksum)} \| select(.digest) \| {digest} + {name} \| join(" ") \| sub("^sha256:";"")' \| base64 -w0)
	echo "hashes=$hashes" >> $GITHUB_OUTPUT

	image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	image_digest=${{ steps.build-push.outputs.digest }}
	echo "image_url=$image_url" >> $GITHUB_OUTPUT
	echo "image_digest=$image_digest" >> $GITHUB_OUTPUT

	release-provenance:
	needs: [release]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to the release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.release.outputs.hashes }}"
	upload-assets: true

	dockerhub-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}

	ghcr-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ghcr.io/${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.GHCR_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #237 from fluxcd/flux-2.5 #37

Workflow file

Merge pull request #237 from fluxcd/flux-2.5 #37

Jobs

Run details

Workflow file for this run