Skip to content

[v0.15] Fix namespace label equality check and nil map panic (#5172) #389

[v0.15] Fix namespace label equality check and nil map panic (#5172)

[v0.15] Fix namespace label equality check and nil map panic (#5172) #389

Workflow file for this run

# Fleet release workflow
name: Fleet release
on:
push:
tags:
- v**
permissions:
contents: write
id-token: write # this is important, it's how we authenticate with Vault
pull-requests: read
checks: read
env:
GOARCH: amd64
CGO_ENABLED: 0
RELEASE_TAG: ${{ github.ref_name }}
jobs:
build-fleet:
runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
env:
IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
if: github.repository == 'rancher/fleet'
steps:
- name: Check out Fleet
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Verify CI passed on tagged commit
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
COMMIT_SHA=$(git rev-list -n 1 "$RELEASE_TAG")
echo "Verifying CI checks for ${RELEASE_TAG} (${COMMIT_SHA})"
PR_NUMBER=$(gh api \
"repos/${{ github.repository }}/commits/${COMMIT_SHA}/pulls" \
--jq '[.[] | select(.merged_at != null)] | first | .number // empty')
if [[ -n "${PR_NUMBER:-}" ]]; then
echo "Found PR #${PR_NUMBER}, verifying required checks..."
gh pr checks "${PR_NUMBER}" \
--repo "${{ github.repository }}" \
--required
else
echo "No merged PR found (hotfix), verifying all commit checks..."
ISSUES=$(gh api \
"repos/${{ github.repository }}/commits/${COMMIT_SHA}/check-runs" \
--jq 'if .total_count == 0 then "no CI checks found" else ([.check_runs[] | select(.status != "completed" or (.conclusion != "success" and .conclusion != "skipped")) | .name] | join(", ")) end')
if [[ -n "${ISSUES}" ]]; then
echo "ERROR: ${ISSUES}"
exit 1
fi
echo "✓ All checks passed for ${RELEASE_TAG} (${COMMIT_SHA})"
fi
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: 'go.mod'
cache: false
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with:
# renovate: datasource=docker depName=tonistiigi/binfmt extractVersion=^qemu-v(?<version>.+)$
image: tonistiigi/binfmt:qemu-v10.2.1-65@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Install Cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Install Slsactl
uses: rancherlabs/slsactl/actions/install-slsactl@a5177a3699b7cabfa4797e883314dde7e40523cc # v0.1.22
with:
# renovate: datasource=github-releases depName=rancherlabs/slsactl
version: v0.1.22
- name: "Read Vault Secrets"
uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
- name: Log into Docker Container registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
if: ${{ env.IS_HOTFIX == 'false' }}
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Log into Staging registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ env.STAGE_REGISTRY_USERNAME }}
password: ${{ env.STAGE_REGISTRY_PASSWORD }}
registry: ${{ env.STAGE_REGISTRY }}
- name: Setup goreleaser
shell: bash
run: |
set -euo pipefail
OS="Linux"
if [[ ${RUNNER_OS} != "Linux" ]]; then
echo "Unsupported OS: ${RUNNER_OS}"
exit 1
fi
# renovate-local: goreleaser-x86_64
GORELEASER_VERSION="v2.14.3"
# renovate-local: goreleaser-x86_64=v2.14.3
GORELEASER_CHECKSUM_x86_64="dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579"
ARCH=$(uname -m)
CHECKSUM="${GORELEASER_CHECKSUM_x86_64}"
if [[ "${ARCH}" != "x86_64" ]]; then
echo "Unsupported architecture: ${ARCH}"
exit 1
fi
FILE="goreleaser_${OS}_${ARCH}.tar.gz"
echo "Installing ${FILE}"
curl --fail --location -O "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/${FILE}"
echo "${CHECKSUM} ${FILE}" | sha256sum -c
tar -xf "${FILE}" goreleaser
mkdir -p "${HOME}/.local/bin"
install -m 755 goreleaser "${HOME}/.local/bin/goreleaser"
echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
rm -f "${FILE}" goreleaser
- name: Run GoReleaser
id: goreleaser
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ env.RELEASE_TAG }}
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
shell: bash
run: |
set -euo pipefail
goreleaser release --clean --draft --verbose
if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
echo "ERROR: dist/metadata.json not found or empty after GoReleaser run"
exit 1
fi
if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
echo "ERROR: dist/artifacts.json not found or empty after GoReleaser run"
exit 1
fi
echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
- name: Attest provenance
shell: bash
env:
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
run: |
set -euo pipefail
if [[ ! -f dist/digests.txt ]] || [[ ! -s dist/digests.txt ]]; then
echo "ERROR: dist/digests.txt not found or empty"
exit 1
fi
# Extract staging images (exclude platform-specific tags)
# Format: <digest> <image:tag> → only staging registry images
staging_images=$(grep -v -- '-linux-' dist/digests.txt | \
awk '{print "sha256:" $1, $NF}' | \
grep -F -- "${STAGE_REGISTRY}" || true)
if [[ -z "$staging_images" ]]; then
echo "ERROR: No staging images found"
exit 1
fi
echo "=== Staging images for attestation ==="
echo "$staging_images"
echo ""
max_retries=3
while read -r digest image_ref; do
echo ""
echo "Attesting: ${image_ref}"
echo " Digest: ${digest}"
for platform in "linux/amd64" "linux/arm64"; do
echo " Platform ${platform}..."
prov_file="provenance_${platform/\//_}.json"
# Retry download
for ((i=1; i<=max_retries; i++)); do
echo " Attempt ${i}/${max_retries}..."
if slsactl download provenance --format=slsav1 --platform="${platform}" "${image_ref}@${digest}" > "${prov_file}"; then
echo " ✓ Downloaded provenance"
break
fi
if [ "${i}" -eq "${max_retries}" ]; then
echo "ERROR: Failed to download provenance for ${platform} of ${image_ref} after ${max_retries} attempts"
exit 1
fi
echo " Waiting before retry..."
sleep 5
done
# Attest (must succeed)
if ! cosign attest --yes --predicate "${prov_file}" --type slsaprovenance1 "${image_ref}@${digest}" 2>&1; then
echo "ERROR: cosign attest failed for ${platform} of ${image_ref}"
rm -f "${prov_file}"
exit 1
fi
echo " ✓ Attested"
rm -f "${prov_file}"
done
done <<< "$staging_images"
echo ""
echo "✓ Provenance attestation completed for all images"
- name: Add charts to branch
if: ${{ env.IS_HOTFIX == 'false' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
branch_version=v$(cut -d'.' -f1,2 <<< "$version")
charts_branch=charts/$branch_version
if [ ! -e ~/.gitconfig ]; then
git config --global user.name "fleet-bot"
git config --global user.email fleet@suse.de
fi
echo "publishing helm chart in the branch $charts_branch"
if ! git ls-remote --exit-code --heads origin "$charts_branch"; then
git checkout --orphan "$charts_branch"
git rm -rf .
echo "# Fleet Helm Charts for $branch_version versions" > README.md
echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md
git checkout origin/main -- LICENSE .gitignore
git add README.md LICENSE .gitignore
git commit -m "Initial commit for $charts_branch"
else
git checkout .
git checkout "$charts_branch"
fi
mkdir -p charts
find .charts/ -name '*.tgz' -exec tar -xf {} -C charts/ \;
git add charts/**/*
git commit -m "Update charts to version $version"
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$charts_branch"
- name: Publish Release
if: ${{ env.IS_HOTFIX == 'false' }}
run: gh release edit "${RELEASE_TAG}" --draft=false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}