name: Create Release on: workflow_dispatch: inputs: version: description: 'version to release, e.g. v1.5.13' required: true default: 'v0.1.0' source_ref: description: 'source ref to publish from. E.g.: main or release-x.y' required: true default: 'main' env: IMAGE_NAME: ghcr.io/${{ github.repository }} jobs: release: name: Create Release runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: fetch-depth: 0 ref: ${{ github.event.inputs.source_ref }} - name: Create Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: ${{ github.event.inputs.version }} target_commitish: ${{ github.event.inputs.source_ref }} generate_release_notes: true body: | Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}` Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi` Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl` env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - name: Configure Git run: | git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Update Docs if: github.ref == 'refs/heads/main' run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" promote: name: Promote Container Image runs-on: ubuntu-latest strategy: matrix: include: - tag_suffix: "" # distroless image - tag_suffix: "-ubi" # ubi image - tag_suffix: "-ubi-boringssl" # ubi image permissions: id-token: write contents: write env: SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }} RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }} steps: - name: Checkout uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: fetch-depth: 0 - name: Setup Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 id: setup-go with: go-version-file: "go.mod" - name: Download Go modules if: ${{ steps.setup-go.outputs.cache-hit != 'true' }} run: go mod download - name: Login to Docker uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ secrets.GHCR_USERNAME }} password: ${{ secrets.GHCR_TOKEN }} - name: Promote Container Image run: make docker.promote - name: Build release manifests run: | # temporarily patch the version so we generate manifests with the new version yq e -i '.version = "${{ github.event.inputs.version }}"' ./deploy/charts/external-secrets/Chart.yaml yq e -i '.appVersion = "${{ github.event.inputs.version }}"' ./deploy/charts/external-secrets/Chart.yaml make manifests - name: Sign promoted image id: sign uses: ./.github/actions/sign with: image-name: ${{ env.IMAGE_NAME }} image-tag: ${{ env.RELEASE_TAG }} GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: ${{ github.event.inputs.version }} files: | provenance.${{ env.RELEASE_TAG }}.intoto.jsonl sbom.${{ env.RELEASE_TAG }}.spdx.json bin/deploy/manifests/external-secrets.yaml env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"