Daily build #777
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Github workflow that rebuilds already released images | |
name: Daily build | |
on: | |
schedule: | |
- cron: "0 1 * * 1-5" | |
workflow_dispatch: | |
inputs: | |
image_repo: | |
type: choice | |
description: "Target image repository for built images" | |
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
required: true | |
options: | |
- mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
- mongodb/mongodb-atlas-kubernetes-operator | |
releases: | |
type: string | |
description: "Custom list of releases to rebuild" | |
default: "" | |
required: false | |
jobs: | |
read-versions: | |
name: Read config file | |
runs-on: ubuntu-latest | |
outputs: | |
date: ${{ steps.set-date.outputs.date }} | |
releases: ${{ steps.releases.outputs.releases }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
- name: Set date | |
id: set-date | |
run: | | |
DATE=$(date +'%Y-%m-%d') | |
echo date=${DATE} >> $GITHUB_OUTPUT | |
- name: Releases | |
id: releases | |
run: | | |
if [ "${{ github.event.inputs.releases }}" == "" ]; then | |
echo "Computing supported releases..." | |
git fetch --tags | |
echo "releases=$(./scripts/supported-releases.sh)" | tee -a $GITHUB_OUTPUT | |
else | |
echo "Formatting ${{ github.event.inputs.releases }} as JSON array" | |
json_releases=$(echo "${{ github.event.inputs.releases }}" |tr "," "\n" |xargs -n1 |awk '{print "\""$1"\""}' |tr "\n" "," |sed 's/,$//' |awk '{print "["$1"]"}') | |
echo "releases=$json_releases" | tee -a $GITHUB_OUTPUT | |
fi | |
build-and-publish-image: | |
environment: release | |
runs-on: ubuntu-latest | |
needs: | |
- read-versions | |
env: | |
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo || 'mongodb/mongodb-atlas-kubernetes-operator' }} | |
QUAY_ROBOT_NAME: mongodb+mongodb_atlas_kubernetes | |
PLATFORMS: "linux/arm64,linux/amd64" | |
strategy: | |
fail-fast: false | |
matrix: | |
version: ${{ fromJSON(needs.read-versions.outputs.releases) }} | |
steps: | |
- name: Print daily tag | |
id: daily-tag | |
run: | | |
DAILY_TAG="${{ matrix.version }}-${{needs.read-versions.outputs.date}}" | |
echo "daily-tag=${DAILY_TAG}" >> $GITHUB_OUTPUT | |
- name: Rebuild ${{matrix.version}} | |
run: | | |
echo "Building ${{matrix.version}} version" | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
ref: "v${{ matrix.version }}" | |
submodules: true | |
fetch-depth: 0 | |
- name: Choose Dockerfile & patch as needed | |
id: pick-dockerfile | |
run: | | |
if test -f "fast.Dockerfile"; then | |
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT | |
else | |
# This is ugly, but using a heredoc did not work | |
# An external file cannot be used as this code works on a older tag | |
# which is not the one holding this workflow version | |
# TODO: Once versions 1.9.x go away this can be removed | |
echo "diff --git a/Dockerfile b/Dockerfile" > docker.patch | |
echo "index ffffa7bf..e82f0402 100644" >> docker.patch | |
echo "--- a/Dockerfile" >> docker.patch | |
echo "+++ b/Dockerfile" >> docker.patch | |
echo "@@ -1,5 +1,6 @@" >> docker.patch | |
echo " # Build the manager binary" >> docker.patch | |
echo " FROM golang:1.21 as builder" >> docker.patch | |
echo "+ARG GOTOOLCHAIN=auto" >> docker.patch | |
echo " " >> docker.patch | |
echo " WORKDIR /workspace" >> docker.patch | |
echo " # Copy the Go Modules manifests" >> docker.patch | |
patch Dockerfile docker.patch | |
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT | |
fi | |
- name: Check signing supported | |
id: check-signing-support | |
run: | | |
if test -f "./scripts/sign-multiarch.sh"; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
else | |
echo "sign=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Check for devbox | |
id: check-devbox | |
run: | | |
if test -f "devbox.json"; then | |
echo "devbox-build=true" >> $GITHUB_OUTPUT | |
else | |
echo "devbox-build=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Set up Go (Non Devbox) | |
uses: actions/setup-go@v5 | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
with: | |
go-version-file: "${{ github.workspace }}/go.mod" | |
cache: false | |
- name: Setup cache (Non Devbox) | |
uses: actions/cache@v4 | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum', '**/go.mod') }} | |
- name: Download go build dependencies (Non Devbox) | |
if: steps.check-devbox.outputs.devbox-build == 'false' | |
shell: bash | |
run: | | |
go mod download | |
- name: Build all platforms & check version (Non Devbox) | |
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' && steps.check-devbox.outputs.devbox-build == 'false' | |
run: | | |
make all-platforms VERSION=${{ matrix.version }} | |
# not all versions Makefiles support the version check | |
if make |grep -q check-version; then | |
echo "Checking version..." | |
make check-version VERSION=${{ matrix.version }} | |
else | |
echo "Skipped version check" | |
fi | |
- name: Install devbox | |
uses: jetify-com/[email protected] | |
with: | |
enable-cache: 'true' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
- name: Download Go build dependencies (Devbox) | |
run: devbox run -- 'go mod download' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
shell: bash | |
- name: Build all platforms & check version (Devbox) | |
run: | | |
devbox run -- ' | |
make all-platforms VERSION=${{ matrix.version }} | |
# Not all versions of Makefiles support the version check | |
if make -n | grep -q check-version; then | |
echo "Checking version..." | |
make check-version VERSION=${{ matrix.version }} | |
else | |
echo "Skipped version check" | |
fi' | |
if: steps.check-devbox.outputs.devbox-build == 'true' | |
shell: bash | |
- name: "Set up Docker Buildx" | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: ${{ env.PLATFORMS }} | |
- name: Login to docker registry | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Login to quay.io registry | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ env.QUAY_ROBOT_NAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Build and push operator to the DockerHub (daily-tag & release-tag) | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ${{ steps.pick-dockerfile.outputs.dockerfile }} | |
build-args: VERSION=${{ matrix.version }} | |
platforms: ${{ env.PLATFORMS }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
push: true | |
sbom: true | |
tags: | | |
${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }} | |
${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }} | |
- name: Login to artifactory.corp.mongodb.com | |
if: steps.check-signing-support.outputs.sign == 'true' | |
uses: docker/login-action@v3 | |
with: | |
registry: artifactory.corp.mongodb.com | |
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
- name: Sign images (Non Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
- name: Self-verify images (Non Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures | |
- name: Sign images (Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures' | |
- name: Self-verify images (Devbox) | |
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}' | |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures' | |