[v0.13] Fix namespace label equality check and nil map panic (#5174) #391
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fleet release workflow | |
| name: Fleet release | |
| on: | |
| push: | |
| tags: | |
| - v** | |
| permissions: | |
| contents: write | |
| id-token: write # this is important, it's how we authenticate with Vault | |
| pull-requests: read | |
| checks: read | |
| env: | |
| GOARCH: amd64 | |
| CGO_ENABLED: 0 | |
| RELEASE_TAG: ${{ github.ref_name }} | |
| jobs: | |
| build-fleet: | |
| runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }} | |
| env: | |
| IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }} | |
| if: github.repository == 'rancher/fleet' | |
| steps: | |
| - name: Check out Fleet | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Verify CI passed on tagged commit | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euo pipefail | |
| COMMIT_SHA=$(git rev-list -n 1 "$RELEASE_TAG") | |
| echo "Verifying CI checks for ${RELEASE_TAG} (${COMMIT_SHA})" | |
| PR_NUMBER=$(gh api \ | |
| "repos/${{ github.repository }}/commits/${COMMIT_SHA}/pulls" \ | |
| --jq '[.[] | select(.merged_at != null)] | first | .number // empty') | |
| if [[ -n "${PR_NUMBER:-}" ]]; then | |
| echo "Found PR #${PR_NUMBER}, verifying required checks..." | |
| gh pr checks "${PR_NUMBER}" \ | |
| --repo "${{ github.repository }}" \ | |
| --required | |
| else | |
| echo "No merged PR found (hotfix), verifying all commit checks..." | |
| ISSUES=$(gh api \ | |
| "repos/${{ github.repository }}/commits/${COMMIT_SHA}/check-runs" \ | |
| --jq 'if .total_count == 0 then "no CI checks found" else ([.check_runs[] | select(.status != "completed" or (.conclusion != "success" and .conclusion != "skipped")) | .name] | join(", ")) end') | |
| if [[ -n "${ISSUES}" ]]; then | |
| echo "ERROR: ${ISSUES}" | |
| exit 1 | |
| fi | |
| echo "✓ All checks passed for ${RELEASE_TAG} (${COMMIT_SHA})" | |
| fi | |
| - name: Set up Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: false | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| with: | |
| # renovate: datasource=docker depName=tonistiigi/binfmt extractVersion=^qemu-v(?<version>.+)$ | |
| image: tonistiigi/binfmt:qemu-v10.2.1-65@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 | |
| - name: Install Slsactl | |
| uses: rancherlabs/slsactl/actions/install-slsactl@a5177a3699b7cabfa4797e883314dde7e40523cc # v0.1.22 | |
| with: | |
| # renovate: datasource=github-releases depName=rancherlabs/slsactl | |
| version: v0.1.22 | |
| - name: "Read Vault Secrets" | |
| uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 | |
| with: | |
| secrets: | | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; | |
| - name: Prepare Docker environment to support sbom/provenance parameters | |
| run: | | |
| sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json' | |
| sudo systemctl restart docker | |
| - name: Log into Docker Container registry | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| if: ${{ env.IS_HOTFIX == 'false' }} | |
| with: | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_PASSWORD }} | |
| - name: Log into Staging registry | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| username: ${{ env.STAGE_REGISTRY_USERNAME }} | |
| password: ${{ env.STAGE_REGISTRY_PASSWORD }} | |
| registry: ${{ env.STAGE_REGISTRY }} | |
| - name: Setup goreleaser | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| OS="Linux" | |
| if [[ ${RUNNER_OS} != "Linux" ]]; then | |
| echo "Unsupported OS: ${RUNNER_OS}" | |
| exit 1 | |
| fi | |
| # renovate-local: goreleaser-x86_64 | |
| GORELEASER_VERSION="v2.14.3" | |
| # renovate-local: goreleaser-x86_64=v2.14.3 | |
| GORELEASER_CHECKSUM_x86_64="dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579" | |
| ARCH=$(uname -m) | |
| CHECKSUM="${GORELEASER_CHECKSUM_x86_64}" | |
| if [[ "${ARCH}" != "x86_64" ]]; then | |
| echo "Unsupported architecture: ${ARCH}" | |
| exit 1 | |
| fi | |
| FILE="goreleaser_${OS}_${ARCH}.tar.gz" | |
| echo "Installing ${FILE}" | |
| curl --fail --location -O "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/${FILE}" | |
| echo "${CHECKSUM} ${FILE}" | sha256sum -c | |
| tar -xf "${FILE}" goreleaser | |
| mkdir -p "${HOME}/.local/bin" | |
| install -m 755 goreleaser "${HOME}/.local/bin/goreleaser" | |
| echo "${HOME}/.local/bin" >> "${GITHUB_PATH}" | |
| rm -f "${FILE}" goreleaser | |
| - name: Run GoReleaser | |
| id: goreleaser | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GORELEASER_CURRENT_TAG: ${{ env.RELEASE_TAG }} | |
| STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }} | |
| PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| goreleaser release --clean --draft --verbose | |
| if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then | |
| echo "ERROR: dist/metadata.json not found or empty after GoReleaser run" | |
| exit 1 | |
| fi | |
| if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then | |
| echo "ERROR: dist/artifacts.json not found or empty after GoReleaser run" | |
| exit 1 | |
| fi | |
| echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}" | |
| echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}" | |
| # Workaround until `docker manifest create` supports provenance meta data | |
| # Background: https://stackoverflow.com/questions/75521775/buildx-docker-image-claims-to-be-a-manifest-list | |
| # Released images will eventually be moved into the Prime registry, hence their signatures must match that registry. | |
| - name: Create Docker manifest for Staging and sign it for the Prime registry | |
| shell: bash | |
| env: | |
| STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }} | |
| PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }} | |
| run: | | |
| for IMAGE in fleet fleet-agent; do | |
| URL="${{ env.STAGE_REGISTRY }}/rancher/${IMAGE}:${{ github.ref_name }}" | |
| docker buildx imagetools create -t "${URL}" \ | |
| "${URL}-linux-amd64" \ | |
| "${URL}-linux-arm64" | |
| cosign sign \ | |
| --oidc-provider=github-actions \ | |
| --yes \ | |
| --sign-container-identity="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}" \ | |
| "${URL}" | |
| # Pull the manifest locally to make it available for inspection | |
| docker pull "${URL}" | |
| done | |
| - name: Attest provenance | |
| shell: bash | |
| run: | | |
| IMAGES=$(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep STAGE_REGISTRY | sed "s/{{ .Env.STAGE_REGISTRY }}/${{ env.STAGE_REGISTRY }}/g" | sed "s/{{ .Tag }}/${{ github.ref_name }}/g") | |
| for IMG_NAME in $IMAGES; do | |
| DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}" | cut -d'@' -f2) | |
| # Construct fully qualified image name with both tag and digest | |
| URL="${IMG_NAME}@${DIGEST}" | |
| max_retries=3 | |
| retry_delay=5 | |
| for ((i=0; i<max_retries; i++)); do | |
| if [[ "${IMG_NAME}" =~ -linux-([^-]+)$ ]]; then | |
| PLATFORM="linux/${BASH_REMATCH[1]}" | |
| else | |
| PLATFORM="linux/amd64" | |
| fi | |
| if slsactl download provenance --format=slsav1 --platform="${PLATFORM}" "${URL}" > provenance-slsav1.json; then | |
| break | |
| fi | |
| if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then | |
| echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Staging registry." | |
| exit 1 | |
| fi | |
| sleep "${retry_delay}" | |
| done | |
| cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}" | |
| done | |
| - name: Add charts to branch | |
| if: ${{ env.IS_HOTFIX == 'false' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}') | |
| branch_version=v$(cut -d'.' -f1,2 <<< "$version") | |
| charts_branch=charts/$branch_version | |
| if [ ! -e ~/.gitconfig ]; then | |
| git config --global user.name "fleet-bot" | |
| git config --global user.email fleet@suse.de | |
| fi | |
| echo "publishing helm chart in the branch $charts_branch" | |
| if ! git ls-remote --exit-code --heads origin "$charts_branch"; then | |
| git checkout --orphan "$charts_branch" | |
| git rm -rf . | |
| echo "# Fleet Helm Charts for $branch_version versions" > README.md | |
| echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md | |
| git checkout origin/main -- LICENSE .gitignore | |
| git add README.md LICENSE .gitignore | |
| git commit -m "Initial commit for $charts_branch" | |
| else | |
| git checkout . | |
| git checkout "$charts_branch" | |
| fi | |
| mkdir -p charts | |
| find .charts/ -name '*.tgz' -exec tar -xf {} -C charts/ \; | |
| git add charts/**/* | |
| git commit -m "Update charts to version $version" | |
| git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git" | |
| git push origin "$charts_branch" | |
| - name: Publish Release | |
| if: ${{ env.IS_HOTFIX == 'false' }} | |
| run: gh release edit "${RELEASE_TAG}" --draft=false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |