Merge pull request #1619 from devanshuVmware/v0-50-x-release #146
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: kapp-controller release | |
on: | |
workflow_dispatch: | |
push: | |
tags: | |
- 'v*' | |
jobs: | |
kapp-controller-release: | |
name: kapp-controller release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Carvel Tools | |
run: ./hack/install-deps.sh | |
- name: Install imgpkg | |
uses: carvel-dev/setup-action@v2 | |
with: | |
only: imgpkg | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up Go 1.x | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 1.21.9 | |
- name: Set up Cosign | |
uses: sigstore/[email protected] | |
- name: Run release script | |
run: | | |
set -e -x | |
minikube start --driver=docker --wait=all | |
docker buildx create --name minikube --use --driver=kubernetes --bootstrap | |
./hack/build-release.sh | |
# Create release folder to store all the output artifacts | |
mkdir release | |
cp ./tmp/release.yml release/release.yml | |
cd cli | |
./hack/build-binaries.sh | |
cp ./kctrl-* ../release/ | |
- name: Sign kapp-controller OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml` | |
cosign sign --yes "$image_url" | |
- name: Verify signature on Kapp-controller OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml` | |
cosign verify \ | |
$image_url \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
- name: Run Package build | |
run: | | |
constraintVersion="${{ github.ref_name }}" | |
./cli/kctrl-linux-amd64 pkg release -y -v ${constraintVersion:1} --debug | |
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/metadata.yml ./carvel-artifacts/packages/kapp-controller.carvel.dev/package-metadata.yml | |
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/* release/ | |
- name: Sign kapp-controller-package-bundle OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml` | |
cosign sign --yes "$image_url" | |
- name: Verify signature on kapp-controller-package-bundle OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml` | |
cosign verify \ | |
$image_url \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
- name: Generate release notes | |
run: | | |
RELEASE_TAG=$(git describe --tags --abbrev=0) | |
KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml) | |
KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml) | |
RELEASE_NOTES=" | |
<details> | |
<summary><h2>Installation and signature verification</h2></summary> | |
## Installation of kctrl | |
#### By downloading binary from the release | |
For instance, if you are using Linux on an AMD64 architecture: | |
\`\`\`shell | |
# Download the binary | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64 | |
# Move the binary in to your PATH | |
mv kctrl-linux-amd64 /usr/local/bin/kctrl | |
# Make the binary executable | |
chmod +x /usr/local/bin/kctrl | |
\`\`\` | |
#### Via Homebrew (macOS or Linux) | |
\`\`\`shell | |
$ brew tap carvel-dev/carvel | |
$ brew install kctrl | |
$ kctrl version | |
\`\`\` | |
## Verify checksums file signature | |
Install cosign on your system https://docs.sigstore.dev/system_config/installation/ | |
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: | |
\`\`\`shell | |
# Download the checksums file, certificate, and signature | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig | |
### Verify the checksums file | |
cosign verify-blob checksums.txt \ | |
--certificate checksums.txt.pem \ | |
--signature checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
\`\`\` | |
### Verify binary integrity | |
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture: | |
\`\`\`shell | |
# Verify the binary using the checksums file | |
sha256sum -c checksums.txt --ignore-missing | |
\`\`\` | |
## Installation of kapp-controller | |
kapp-controller can be installed by using kapp | |
\`\`\`shell | |
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/download/$RELEASE_TAG/release.yml | |
\`\`\` | |
or by using kubectl | |
\`\`\`shell | |
kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/download/$RELEASE_TAG/release.yml | |
\`\`\` | |
### Container Images | |
Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry. | |
### OCI Image URLs | |
- $KAPP_CONTROLLER_IMAGE | |
- $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE | |
### Verify container image signature | |
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands: | |
\`\`\`shell | |
# Verifying kapp-controller image | |
cosign verify $KAPP_CONTROLLER_IMAGE \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
-o text | |
# Verifying kapp-controller-package-bundle image | |
cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
-o text | |
\`\`\` | |
</summary> | |
</details> | |
" | |
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt | |
- name: Create formatted checksum and add it to release notes | |
run: | | |
pushd release | |
shasum -a 256 ./release.yml ./kctrl-* ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt | |
popd | |
echo "# :open_file_folder: Files Checksum" | tee ./tmp/checksums-formatted.txt | |
echo '```' | tee -a ./tmp/checksums-formatted.txt | |
cat ./tmp/checksums.txt | tee -a ./tmp/checksums-formatted.txt | |
echo '```' | tee -a ./tmp/checksums-formatted.txt | |
cat ./tmp/checksums-formatted.txt | tee -a ./tmp/release_notes.txt | |
- name: Sign checksums.txt | |
run: | | |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig | |
- name: Verify checksums signature | |
run: | | |
cosign verify-blob \ | |
--cert release/checksums.txt.pem \ | |
--signature release/checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt | |
- name: Create release draft and upload release yaml | |
uses: softprops/[email protected] | |
with: | |
name: ${{ github.ref_name }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
body_path: ./tmp/release_notes.txt | |
files: | | |
./release/* | |
./tmp/checksums.txt | |
draft: true | |
prerelease: true | |
- name: Get uploaded release YAML checksum | |
uses: actions/[email protected] | |
id: get-checksums-from-draft-release | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
result-encoding: string | |
script: | | |
var crypto = require('crypto'); | |
const { owner, repo } = context.repo; | |
// https://docs.github.com/en/rest/reference/repos#list-releases | |
// https://octokit.github.io/rest.js/v18#repos-list-releases | |
var releases = await github.rest.repos.listReleases({ | |
owner: owner, | |
repo: repo | |
}); | |
var crypto = require('crypto') | |
var fs = require('fs') | |
const url = require('url'); | |
const https = require('https'); | |
checksums = {} | |
for (const r of releases["data"]) { | |
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") { | |
for (const asset of r.assets) { | |
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id }); | |
const hash = crypto.createHash('sha256'); | |
let http_promise = new Promise((resolve, reject) => { | |
https.get(release_asset.url, (stream) => { | |
stream.on('data', function (data) { | |
hash.update(data); | |
}); | |
stream.on('end', function () { | |
checksums[asset.name]= hash.digest('hex'); | |
resolve(`${asset.name}`); | |
}); | |
}); | |
}); | |
await http_promise; | |
} | |
} | |
} | |
console.log(checksums) | |
return `${checksums['release.yml']} ./release.yml | |
${checksums['kctrl-darwin-amd64']} ./kctrl-darwin-amd64 | |
${checksums['kctrl-darwin-arm64']} ./kctrl-darwin-arm64 | |
${checksums['kctrl-linux-amd64']} ./kctrl-linux-amd64 | |
${checksums['kctrl-linux-arm64']} ./kctrl-linux-arm64 | |
${checksums['kctrl-windows-amd64.exe']} ./kctrl-windows-amd64.exe | |
${checksums['package.yml']} ./package.yml | |
${checksums['package-metadata.yml']} ./package-metadata.yml` | |
- name: Verify uploaded artifacts | |
if: startsWith(github.ref, 'refs/tags/') | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
set -e -x | |
cat ./tmp/checksums.txt | |
diff ./tmp/checksums.txt <(cat <<EOF | |
${{steps.get-checksums-from-draft-release.outputs.result}} | |
EOF | |
) |