fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035)

* extract CI job push-sign-install-manifest Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix indent Signed-off-by: ShutingZhao <shuting@nirmata.com> * update env Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-04-08 10:04:25 +00:00 · 2022-10-18 17:31:31 +08:00 · 2022-10-18 17:31:31 +08:00 · 994d207eb6
commit 994d207eb6
parent 632bd99612
1 changed files with 35 additions and 16 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -52,10 +52,6 @@ jobs:

  create-release:
    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to write releases
-      id-token: write # needed for keyless signing
-      packages: write # needed for ghcr access  
    needs:
      - release-init-kyverno
      - release-kyverno
@ -75,16 +71,6 @@ jobs:
        with:
          go-version: ~1.18.6

-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@1fa48bf916fa5ce5800190f8a0c9fdf7ae86559b # v0.35.0
-        with:
-          version: 0.35.0
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
-        with:
-          cosign-release: 'v1.13.0'
-
      - name: Cache Go modules
        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3
        with:
@ -114,6 +100,36 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+
+  push-and-sign-install-manifest:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access  
+    needs:
+      - create-release
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # pin@v2.4.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # pin@v2.1.5
+        with:
+          go-version: ~1.18.6
+
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@1fa48bf916fa5ce5800190f8a0c9fdf7ae86559b # v0.35.0
+        with:
+          version: 0.35.0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
+        with:
+          cosign-release: 'v1.13.0'
+
      - name: Build yaml manifest
        run: make codegen-release

@ -126,6 +142,8 @@ jobs:
          tag: ${{ github.ref }}
      
      - name: Push manifests to GHCR with Flux
+        env:
+          CR_PAT_ARTIFACTS:  ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
            set -e
            cd config/.release/ && \
@ -133,14 +151,15 @@ jobs:
              --path="." \
              --source="$(git config --get remote.origin.url)" \
              --revision="(git tag --points-at HEAD)/$(git rev-parse HEAD)"
-              --creds flux:${{ secrets.CR_PAT_ARTIFACTS }}
+              --creds flux:${CR_PAT_ARTIFACTS}
      
      - name: Sign manifests in GHCR with Cosign
        env:
          COSIGN_EXPERIMENTAL: 1
+          CR_PAT_ARTIFACTS:  ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
            set -e
-            cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.CR_PAT_ARTIFACTS }} ghcr.io
+            cosign login --username ${GITHUB_ACTOR} --password ${CR_PAT_ARTIFACTS} ghcr.io
            cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD)

  release-cli-via-krew: