ci: publish release-quality artifacts

This commit makes Nunki releases self-contained, in the sense that users only need the published artifacts in order to get a working coordinator, by making the following changes to the release process. * Update the embeddable coordinator policy hash on the release branch. * Publish the release variant of the CLI, including the embedded policy hash. * Include a coordinator deployment definition in the release that is compatible to the embedded coordinator hash. This does not address the users' need for initializers and service mesh sidecars yet.
edgelesssys · Feb 15, 2024 · b007063 · b007063
1 parent d541af6
commit b007063
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -170,9 +170,23 @@ jobs:
         run: |
           nix run .#push-coordinator -- "$container_registry/nunki/coordinator"
           nix run .#push-initializer -- "$container_registry/nunki/initializer"
+      - name: Create portable coordinator resource definitions
+        run: |
+          mkdir -p workspace
+          nix run .#write-coordinator-yaml -- "${container_registry}/nunki/coordinator" > workspace/coordinator.yaml
+      - name: Update coordinator policy hash
+        run: |
+          yq < workspace/coordinator.yaml \
+            'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
+            base64 -d | sha256sum | cut -d " " -f1 > cli/assets/coordinator-policy-hash
+
+          git config --global user.name "edgelessci"
+          git config --global user.email "[email protected]"
+          git add cli/assets/coordinator-policy-hash
+          git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
       - name: Build CLI
         run: |
-          nix build .#cli
+          nix build .#cli-release
       - name: Create draft release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
@@ -181,7 +195,8 @@ jobs:
           tag_name: ${{ inputs.version }}
           target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
           files: |
-            result-cli/bin/nunki
+            result/bin/nunki
+            workspace/coordinator.yaml
       - name: Reset temporary changes
         run: |
           git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}