Skip to content

Bump oras-go, x/crypto, and Go toolchain (#5432) #433

Bump oras-go, x/crypto, and Go toolchain (#5432)

Bump oras-go, x/crypto, and Go toolchain (#5432) #433

Workflow file for this run

# Fleet release workflow
name: Fleet release
on:
push:
tags:
- v**
permissions:
contents: write
id-token: write # this is important, it's how we authenticate with Vault
pull-requests: read
checks: read
env:
GOARCH: amd64
CGO_ENABLED: 0
RELEASE_TAG: ${{ github.ref_name }}
jobs:
release-fleet:
runs-on: runs-on,runner=8cpu-linux-x64,mem=16,run-id=${{ github.run_id }}
env:
IS_HOTFIX: ${{ contains(github.ref, '-hotfix-') }}
if: github.repository == 'rancher/fleet'
steps:
- name: Check out Fleet
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Verify CI passed on tagged commit
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
COMMIT_SHA=$(git rev-list -n 1 "$RELEASE_TAG")
echo "Verifying CI checks for ${RELEASE_TAG} (${COMMIT_SHA})"
PR_NUMBER=$(gh api \
"repos/${{ github.repository }}/commits/${COMMIT_SHA}/pulls" \
--jq '[.[] | select(.merged_at != null)] | first | .number // empty')
if [[ -n "${PR_NUMBER:-}" ]]; then
echo "Found PR #${PR_NUMBER}, verifying required checks..."
gh pr checks "${PR_NUMBER}" \
--repo "${{ github.repository }}" \
--required
else
echo "No merged PR found (hotfix), verifying all commit checks..."
ISSUES=$(gh api \
"repos/${{ github.repository }}/commits/${COMMIT_SHA}/check-runs" \
--jq 'if .total_count == 0 then "no CI checks found" else ([.check_runs[] | select(.status != "completed" or (.conclusion != "success" and .conclusion != "skipped")) | .name] | join(", ")) end')
if [[ -n "${ISSUES}" ]]; then
echo "ERROR: ${ISSUES}"
exit 1
fi
echo "✓ All checks passed for ${RELEASE_TAG} (${COMMIT_SHA})"
fi
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: 'go.mod'
cache: false
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with:
# renovate: datasource=docker depName=tonistiigi/binfmt extractVersion=^qemu-v(?<version>.+)$
image: tonistiigi/binfmt:qemu-v10.2.1-65@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Install Cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Install Slsactl
uses: rancherlabs/slsactl/actions/install-slsactl@a5177a3699b7cabfa4797e883314dde7e40523cc # v0.1.22
with:
# renovate: datasource=github-releases depName=rancherlabs/slsactl
version: v0.1.22
- name: "Read Vault Secrets"
uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
- name: Prepare Docker environment to support sbom/provenance parameters
run: |
sudo bash -c 'echo "{\"features\": {\"containerd-snapshotter\": true}}" > /etc/docker/daemon.json'
sudo systemctl restart docker
- name: Log into Docker Container registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
if: ${{ env.IS_HOTFIX == 'false' }}
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Log into Staging registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
username: ${{ env.STAGE_REGISTRY_USERNAME }}
password: ${{ env.STAGE_REGISTRY_PASSWORD }}
registry: ${{ env.STAGE_REGISTRY }}
- name: Setup goreleaser
shell: bash
run: |
set -euo pipefail
OS="Linux"
if [[ ${RUNNER_OS} != "Linux" ]]; then
echo "Unsupported OS: ${RUNNER_OS}"
exit 1
fi
# renovate-local: goreleaser-x86_64
GORELEASER_VERSION="v2.14.3"
# renovate-local: goreleaser-x86_64=v2.14.3
GORELEASER_CHECKSUM_x86_64="dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579"
ARCH=$(uname -m)
CHECKSUM="${GORELEASER_CHECKSUM_x86_64}"
if [[ "${ARCH}" != "x86_64" ]]; then
echo "Unsupported architecture: ${ARCH}"
exit 1
fi
FILE="goreleaser_${OS}_${ARCH}.tar.gz"
echo "Installing ${FILE}"
curl --fail --location -O "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/${FILE}"
echo "${CHECKSUM} ${FILE}" | sha256sum -c
tar -xf "${FILE}" goreleaser
mkdir -p "${HOME}/.local/bin"
install -m 755 goreleaser "${HOME}/.local/bin/goreleaser"
echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
rm -f "${FILE}" goreleaser
- name: Run GoReleaser
id: goreleaser
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ env.RELEASE_TAG }}
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
shell: bash
run: |
set -euo pipefail
goreleaser release --clean --draft --verbose
if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
echo "ERROR: dist/metadata.json not found or empty after GoReleaser run"
exit 1
fi
if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
echo "ERROR: dist/artifacts.json not found or empty after GoReleaser run"
exit 1
fi
echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
# Workaround until `docker manifest create` supports provenance meta data
# Background: https://stackoverflow.com/questions/75521775/buildx-docker-image-claims-to-be-a-manifest-list
# Released images will eventually be moved into the Prime registry, hence their signatures must match that registry.
- name: Create Docker manifest for Staging and sign it for the Prime registry
shell: bash
env:
STAGE_REGISTRY: ${{ env.STAGE_REGISTRY }}
PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
run: |
for IMAGE in fleet fleet-agent; do
URL="${{ env.STAGE_REGISTRY }}/rancher/${IMAGE}:${{ github.ref_name }}"
docker buildx imagetools create -t "${URL}" \
"${URL}-linux-amd64" \
"${URL}-linux-arm64"
cosign sign \
--oidc-provider=github-actions \
--yes \
--sign-container-identity="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}" \
"${URL}"
# Pull the manifest locally to make it available for inspection
docker pull "${URL}"
done
- name: Attest provenance
shell: bash
run: |
IMAGES=$(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep STAGE_REGISTRY | sed "s/{{ .Env.STAGE_REGISTRY }}/${{ env.STAGE_REGISTRY }}/g" | sed "s/{{ .Tag }}/${{ github.ref_name }}/g")
for IMG_NAME in $IMAGES; do
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "${IMG_NAME}" | cut -d'@' -f2)
# Construct fully qualified image name with both tag and digest
URL="${IMG_NAME}@${DIGEST}"
max_retries=3
retry_delay=5
for ((i=0; i<max_retries; i++)); do
if [[ "${IMG_NAME}" =~ -linux-([^-]+)$ ]]; then
PLATFORM="linux/${BASH_REMATCH[1]}"
else
PLATFORM="linux/amd64"
fi
if slsactl download provenance --format=slsav1 --platform="${PLATFORM}" "${URL}" > provenance-slsav1.json; then
break
fi
if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Staging registry."
exit 1
fi
sleep "${retry_delay}"
done
cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
done
- name: Add charts to branch
if: ${{ env.IS_HOTFIX == 'false' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
version=$(jq -r '.version' <<< '${{ steps.goreleaser.outputs.metadata }}')
branch_version=v$(cut -d'.' -f1,2 <<< "$version")
charts_branch=charts/$branch_version
if [ ! -e ~/.gitconfig ]; then
git config --global user.name "fleet-bot"
git config --global user.email fleet@suse.de
fi
echo "publishing helm chart in the branch $charts_branch"
if ! git ls-remote --exit-code --heads origin "$charts_branch"; then
git checkout --orphan "$charts_branch"
git rm -rf .
echo "# Fleet Helm Charts for $branch_version versions" > README.md
echo "The documentation is centralized in a unique place, checkout https://fleet.rancher.io/." >> README.md
git checkout origin/main -- LICENSE .gitignore
git add README.md LICENSE .gitignore
git commit -m "Initial commit for $charts_branch"
else
git checkout .
git checkout "$charts_branch"
fi
mkdir -p charts
find .charts/ -name '*.tgz' -exec tar -xf {} -C charts/ \;
git add charts/**/*
git commit -m "Update charts to version $version"
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$charts_branch"
- name: Publish Release
if: ${{ env.IS_HOTFIX == 'false' }}
run: gh release edit "${RELEASE_TAG}" --draft=false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
dispatch-charts-bump:
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
timeout-minutes: 10
needs: release-fleet
# Skip hotfix releases; they follow a separate process.
if: github.repository == 'rancher/fleet' && !contains(github.ref, '-hotfix-')
steps:
- name: Read App Secrets
uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/github/workflow-dispatcher/app-credentials appId | APP_ID ;
secret/data/github/repo/${{ github.repository }}/github/workflow-dispatcher/app-credentials privateKey | PRIVATE_KEY
- name: Create App Token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ env.APP_ID }}
private-key: ${{ env.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: |
charts
fleet-helm-charts
permission-actions: write
- name: Dispatch to rancher/charts
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
FLEET_TAG: ${{ github.ref_name }}
run: |
set -euo pipefail
if [[ "$FLEET_TAG" =~ ^v([0-9]+)\.([0-9]+)([.-].*)?$ ]]; then
fleet_minor="${BASH_REMATCH[2]}"
else
echo "Error: unexpected Fleet tag format '${FLEET_TAG}'. Expected tags starting with v<major>.<minor>." >&2
exit 1
fi
if (( fleet_minor < 1 )); then
echo "Error: Fleet tag '${FLEET_TAG}' has minor version ${fleet_minor}; cannot derive a valid rancher/charts target branch." >&2
exit 1
fi
rancher_minor=$((fleet_minor - 1))
target_branch="dev-v2.${rancher_minor}"
echo "Dispatching auto-bump for Fleet ${FLEET_TAG} to rancher/charts branch ${target_branch}"
gh workflow run "Manual Trigger for Auto Bump" \
--repo rancher/charts \
--ref "$target_branch" \
-F chart=fleet \
-F branch="$target_branch" \
-F multi-rc=true \
-F auto-merge=true
- name: Dispatch to rancher/fleet-helm-charts
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
gh workflow run sync-fleet-releases.yml \
--repo rancher/fleet-helm-charts