@@ -26,27 +26,18 @@ jobs:
2626 steps :
2727
2828 - name : Checkout repository
29- uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
30- # https://github.com/actions/checkout/releases/tag/v4.1.1
29+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
3130
32- - name : Setup Go
33- uses : actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
34- # https://github.com/actions/setup-go/releases/tag/v5.0.0
35- with :
36- go-version-file : ' go.mod'
31+ - name : Build Binary
32+ run : make build ARCH=${{ matrix.arch }}
3733
38- - name : Build and package
39- run : |
40- ./scripts/build
41- mkdir -p dist/artifacts
42- cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
43- env :
44- ARCH : " ${{ matrix.arch}}"
45- GOARCH : " ${{ matrix.arch}}"
34+ - name : Package Helm Chart
35+ run : make package-helm
4636
47- - name : Generate checksum files
37+ - name : Prepare Artifacts
4838 run : |
49- ls -lR dist
39+ mkdir -p dist/artifacts
40+ cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
5041 cd dist/artifacts
5142 sha256sum webhook-linux-${{ matrix.arch }} > sha256sum-${{ matrix.arch }}.txt
5243
@@ -67,10 +58,10 @@ jobs:
6758
6859 - name : Checkout repository
6960 # https://github.com/actions/checkout/releases/tag/v4.1.1
70- uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
61+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
7162
7263 - name : package-helm
73- run : ./scripts/ package-helm
64+ run : make package-helm
7465
7566 - name : Download the amd64 artifacts
7667 uses : actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
@@ -99,135 +90,44 @@ jobs:
9990 env :
10091 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
10192
102- image :
93+ publish :
94+ runs-on : ubuntu-latest
10395 permissions :
10496 contents : read
105- id-token : write
106- strategy :
107- matrix :
108- arch :
109- - amd64
110- - arm64
111- name : Build and push Webhook images
112- runs-on : ubuntu-latest
113- needs : build
97+ id-token : write # Required for cosign signing
11498 steps :
11599 - name : Checkout repository
116100 # https://github.com/actions/checkout/releases/tag/v4.1.1
117- uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
118-
119- - name : Download the artifacts
120- uses : actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
121- # https://github.com/actions/download-artifact/releases/tag/v4.1.7
122- with :
123- name : webhook-artifacts-${{ matrix.arch }}
124- path : dist/artifacts
125-
126- - name : Move binary to bin/
127- run : |
128- mkdir -p bin/
129- cp -v dist/artifacts/webhook-linux-${{ matrix.arch }} bin/webhook
130- chmod +x bin/webhook
101+ uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
131102
132- # PANDARIA
133103 # - name: "Read vault secrets"
134- # uses: rancher-eio/read-vault-secrets@main
104+ # uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
135105 # with:
136106 # secrets: |
137107 # secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
138- # secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
108+ # secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
109+ # secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | PRIME_STG_REGISTRY ;
110+ # secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | PRIME_STG_REGISTRY_USERNAME ;
111+ # secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | PRIME_STG_REGISTRY_PASSWORD
139112
140- - name : Set up QEMU
141- # https://github.com/docker/setup-qemu-action/releases/tag/v3.1.0
142- uses : docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
143-
144- - name : Set up Docker Buildx
145- uses : docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
146- # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
147-
148- - name : Log in to the Container registry
149- # https://github.com/docker/login-action/releases/tag/v3.2.0
150- uses : docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
113+ - name : Publish image
114+ uses : rancher/ecm-distro-tools/actions/publish-image@master
151115 with :
152- registry : ${{ env.REGISTRY }}
153- username : ${{ secrets.TCR_USERNAME }}
154- password : ${{ secrets.TCR_TOKEN }}
155-
156- - name : Build and push the webhook image
157- id : build
158- # https://github.com/docker/build-push-action/releases/tag/v6.3.0
159- uses : docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
160- with :
161- context : .
162- file : ./package/Dockerfile
163- platforms : " linux/${{ matrix.arch }}"
164- outputs : type=image,name=${{ env.REGISTRY }}/${{ env.REPO }}/rancher-webhook,push-by-digest=true,name-canonical=true,push=true
165-
166- - name : Export digest
167- run : |
168- mkdir -p /tmp/digests
169- digest="${{ steps.build.outputs.digest }}"
170- touch "/tmp/digests/${digest#sha256:}"
171-
172- - name : Upload digest
173- uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
174- # https://github.com/actions/upload-artifact/releases/tag/v4.3.3
175- with :
176- name : digests-${{ matrix.arch }}
177- path : /tmp/digests/*
178- if-no-files-found : error
179- retention-days : 1
180-
181- merge :
182- permissions :
183- id-token : write
184- runs-on : ubuntu-latest
185- needs : image
186- steps :
187- - name : Download digests
188- uses : actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
189- # https://github.com/actions/download-artifact/releases/tag/v4.1.7
190- with :
191- path : /tmp/digests
192- pattern : digests-*
193- merge-multiple : true
194-
195- - name : Set up Docker Buildx
196- uses : docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
197- # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
198-
199- # PANDARIA
200- # - name: "Read vault secrets"
201- # uses: rancher-eio/read-vault-secrets@main
202- # with:
203- # secrets: |
204- # secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
205- # secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
206-
207- - name : Log in to the Container registry
208- uses : docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
209- # https://github.com/docker/login-action/releases/tag/v3.2.0
210- with :
211- registry : ${{ env.REGISTRY }}
212- username : ${{ secrets.TCR_USERNAME }}
213- password : ${{ secrets.TCR_TOKEN }}
116+ image : rancher-webhook
117+ tag : ${{ github.ref_name }}
118+ platforms : linux/amd64,linux/arm64
214119
215- # setup tag name
216- - if : ${{ startsWith(github.ref, 'refs/tags/') }}
217- run : |
218- echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
120+ public-registry : registry.rancher.cn
121+ public-repo : cnrancher
122+ public-username : ${{ secrets.TCR_USERNAME }}
123+ public-password : ${{ secrets.TCR_TOKEN }}
219124
220- - name : Create manifest list and push
221- working-directory : /tmp/digests
222- run : |
223- docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.REPO }}/rancher-webhook:${{ env.TAG_NAME }} \
224- $(printf '${{ env.REGISTRY }}/${{ env.REPO }}/rancher-webhook@sha256:%s ' *)
225125 image-sign :
226126 permissions :
227127 contents : read
228128 id-token : write # required for hangar sign OIDC keyless mode
229129 runs-on : ubuntu-latest
230- needs : [ merge ]
130+ needs : [ publish ]
231131 steps :
232132 - name : Checkout code
233133 uses : actions/checkout@v4
0 commit comments