kyverno/.github/workflows/release.yaml

name: releaser
on:
  push:
    tags:
      - 'v*'

jobs:
  release-init-kyverno:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyvernopre
      image_name: kyvernopre
      tag: release
      main: cmd/initContainer
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyverno
      image_name: kyverno
      tag: release
      main: cmd/kyverno
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno-cli:
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-cli
      image_name: kyverno-cli
      tag: release
      main: cmd/cli/kubectl-kyverno
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  create-release:
    runs-on: ubuntu-latest
    needs:
      - release-init-kyverno
      - release-kyverno
      - release-kyverno-cli
    steps:
      - name: Set version
        id: version
        run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3.1.0
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # pin@v3.4.0
        with:
          go-version: ~1.18.6

      - name: Cache Go modules
        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0

      - name: Make Release
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          rm -rf release
          mkdir release
          make release-notes > release/release-notes.out
          cat release/release-notes.out

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # pin@v3.2.0
        with:
          version: latest
          args: release --rm-dist --debug --release-notes=release/release-notes.out
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


  push-and-sign-install-manifest:
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access  
    needs:
      - create-release
    steps:
      - name: Set version
        id: version
        run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3.1.0
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # pin@v3.4.0
        with:
          go-version: ~1.18.6

      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@1fa48bf916fa5ce5800190f8a0c9fdf7ae86559b # v0.35.0
        with:
          version: 0.35.0

      - name: Install Cosign
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
          cosign-release: 'v1.13.0'

      - name: Build yaml manifest
        run: make codegen-release

      - name: Upload yaml manifest
        uses: svenstaro/upload-release-action@133984371c30d34e38222a64855679a414cb7575 # pin@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: config/.release/install.yaml
          asset_name: install.yaml
          tag: ${{ github.ref }}

      - name: Login to GHCR
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push manifests to GHCR with Flux
        env:
          CR_PAT_ARTIFACTS:  ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
          set -e
          mkdir -p config/.release-manifests
          cp config/.release/install.yaml config/.release-manifests/install.yaml
          cd config/.release-manifests/ && \
          flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} \
            --path="." \
            --source="$(git config --get remote.origin.url)" \
            --revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)"

      - name: Sign manifests in GHCR with Cosign
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }}

  release-cli-via-krew:
    runs-on: ubuntu-latest
    needs:
      - create-release
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3.1.0

      - name: Unshallow
        run: git fetch --prune --unshallow

      - name: Check Tag
        id: check-tag
        run: |
          if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "match=true" >> $GITHUB_OUTPUT
          fi

      - name: Update new version in krew-index
        if: steps.check-tag.outputs.match == 'true'
        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # pin@v0.0.43