CLOUDP-238190: certify-openshift-images/Dockerfile: bump preflight check version #1289
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GitHub workflow for createing release. | |
# Trigger release branch should be merge into main | |
# TODO add e2e/smoke test for autogen configuration | |
name: Create Release | |
on: | |
pull_request: | |
types: [ closed ] | |
workflow_dispatch: | |
inputs: | |
version: | |
description: "Release version (Be sure `Release-branch` is successful):" | |
required: true | |
branch: | |
description: "Name of the branch to release, defaults to 'main'" | |
default: main | |
required: true | |
image_repo: | |
type: choice | |
description: "Target image repository for built images" | |
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
required: true | |
options: | |
- mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
- mongodb/mongodb-atlas-kubernetes-operator | |
release_helm: | |
type: choice | |
description: "Whether or not to trigger the Helm release as well. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
certify: | |
type: choice | |
description: "Whether or not to certify the OpenShift images. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
release_to_github: | |
type: choice | |
description: "Whether or not to create the GitHub release. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
jobs: | |
create-release: | |
environment: release | |
name: Create Release | |
if: ${{ (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) || github.event.inputs.version != '' }} | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo || 'mongodb/mongodb-atlas-kubernetes-operator' }} | |
RELEASE_HELM: ${{ github.event.inputs.release_helm || 'true' }} | |
CERTIFY: ${{ github.event.inputs.certify || 'true' }} | |
RELEASE_TO_GITHUB: ${{ github.event.inputs.release_to_github || 'true' }} | |
BRANCH: ${{ github.event.inputs.branch || 'main' }} | |
steps: | |
- name: Free disk space | |
run: | | |
sudo swapoff -a | |
sudo rm -f /swapfile | |
sudo apt clean | |
docker rmi $(docker image ls -aq) | |
df -h | |
- name: Print Env and Get version | |
id: tag | |
env: | |
VERSION: ${{ github.event.inputs.version }} | |
run: | | |
version=$VERSION | |
if [[ "$version" == "" ]]; then | |
version=$(echo $BRANCH | awk -F '/' '{print $2}') | |
fi | |
echo "VERSION:$version" | |
tag="v${version}" | |
certified_version="${version}-certified" | |
echo "version=$version" >> $GITHUB_OUTPUT | |
echo "tag=$tag" >> $GITHUB_OUTPUT | |
echo "certified_version=$certified_version" >> $GITHUB_OUTPUT | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
ref: ${{ env.BRANCH }} | |
- name: Set up Go | |
if: ${{ env.RELEASE_HELM == 'true' }} | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "${{ github.workspace }}/tools/makejwt/go.mod" | |
cache: false | |
- name: Set up Go (skip JWT) | |
if: ${{ env.RELEASE_HELM == 'false' }} | |
uses: actions/setup-go@v5 | |
with: | |
cache: false | |
- name: Trigger helm post release workflow | |
if: ${{ env.RELEASE_HELM == 'true' }} | |
run: | | |
make release-helm JWT_RSA_PEM_KEY_BASE64="${{ secrets.AKO_RELEASER_RSA_KEY_BASE64 }}" \ | |
JWT_APP_ID="${{ secrets.AKO_RELEASER_APP_ID }}" \ | |
VERSION="${{ steps.tag.outputs.version }}" | |
- name: Choose Dockerfile | |
id: pick-dockerfile | |
run: | | |
if test -f "fast.Dockerfile"; then | |
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT | |
else | |
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT | |
fi | |
- name: Check signing supported | |
id: check-signing-support | |
run: | | |
if test -f "./scripts/sign-multiarch.sh"; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
else | |
echo "sign=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Build all platforms & check version | |
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' | |
run: | | |
make all-platforms VERSION=${{ steps.tag.outputs.version }} | |
# not all versions Makefiles support the version check | |
if make | grep -q check-version; then | |
make check-version VERSION=${{ steps.tag.outputs.version }} | |
fi | |
- name: Build and Push image | |
uses: ./.github/actions/build-push-image | |
with: | |
repository: ${{ env.IMAGE_REPOSITORY }} | |
file: ${{ steps.pick-dockerfile.outputs.dockerfile }} | |
version: ${{ steps.tag.outputs.version }} | |
certified_version: ${{ steps.tag.outputs.certified_version }} | |
platforms: linux/amd64,linux/arm64 | |
docker_username: ${{ secrets.DOCKER_USERNAME }} | |
docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
push_to_quay: true | |
quay_username: mongodb+mongodb_atlas_kubernetes | |
quay_password: ${{ secrets.QUAY_PASSWORD }} | |
tags: | | |
${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified | |
- name: Certify Openshift images | |
if: ${{ env.CERTIFY == 'true' }} | |
uses: ./.github/actions/certify-openshift-images | |
with: | |
repository: ${{ env.IMAGE_REPOSITORY }} | |
version: ${{ steps.tag.outputs.certified_version }} | |
quay_password: ${{ secrets.QUAY_PASSWORD }} | |
rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }} | |
rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }} | |
- name: Login to artifactory.corp.mongodb.com | |
if: steps.check-signing-support.outputs.sign == 'true' | |
uses: docker/login-action@v3 | |
with: | |
registry: artifactory.corp.mongodb.com | |
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
- name: Sign images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
- name: Self-verify images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
run: | | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
- name: Create configuration package | |
run: | | |
set -x | |
tar czvf atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz -C deploy all-in-one.yaml | |
- name: Create Release | |
if: ${{ env.RELEASE_TO_GITHUB == 'true' }} | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ steps.tag.outputs.tag }} | |
release_name: ${{ steps.tag.outputs.tag }} | |
body_path: docs/release-notes/release-notes.md | |
draft: true | |
prerelease: false | |
- name: Upload Release Asset | |
if: ${{ env.RELEASE_TO_GITHUB == 'true' }} | |
id: upload-release-asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: ./atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_name: atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_content_type: application/tgz |