Skip to content

CLOUDP-238743: Use mongodb/signatures #1307

CLOUDP-238743: Use mongodb/signatures

CLOUDP-238743: Use mongodb/signatures #1307

# GitHub workflow for creating release.
# Trigger release branch should be merge into main
# TODO add e2e/smoke test for autogen configuration
name: Create Release
on:
pull_request:
types:
- closed
workflow_dispatch:
inputs:
version:
description: "Release version (Be sure `Release-branch` is successful):"
required: true
branch:
description: "Name of the branch to release, defaults to 'main'"
default: main
required: true
image_repo:
type: choice
description: "Target image repository for built images"
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease
required: true
options:
- mongodb/mongodb-atlas-kubernetes-operator-prerelease
- mongodb/mongodb-atlas-kubernetes-operator
release_helm:
type: choice
description: "Whether or not to trigger the Helm release as well. Skip by default for tests"
default: 'false'
required: true
options:
- true
- false
certify:
type: choice
description: "Whether or not to certify the OpenShift images. Skip by default for tests"
default: 'false'
required: true
options:
- true
- false
release_to_github:
type: choice
description: "Whether or not to create the GitHub release. Skip by default for tests"
default: 'false'
required: true
options:
- true
- false
jobs:
create-release:
environment: release
name: Create Release
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo }}
RELEASE_HELM: ${{ github.event.inputs.release_helm || 'true' }}
CERTIFY: ${{ github.event.inputs.certify || 'true' }}
RELEASE_TO_GITHUB: ${{ github.event.inputs.release_to_github || 'true' }}
BRANCH: ${{ github.event.inputs.branch || github.head_ref || github.ref_name || 'main' }}
VERSION: ${{ github.event.inputs.version }}
steps:
- name: Free disk space
run: |
sudo swapoff -a
sudo rm -f /swapfile
sudo apt clean
docker rmi $(docker image ls -aq)
df -h
- name: Check release and show environment & version
id: tag
run: |
version="$VERSION"
if [[ "$version" == "" ]]; then
version=$(echo "$BRANCH" | awk -F '/' '{print $2}')
release=$(echo "$BRANCH" | awk -F '/' '{print $1}')
if [[ "$release" == "release" ]]; then
echo "Releasing version $version..."
repo="mongodb/mongodb-atlas-kubernetes-operator"
elif [[ "$release" == "pre-release" ]]; then
echo "Pre-releasing version $version..."
repo="mongodb/mongodb-atlas-kubernetes-operator-prerelease"
RELEASE_HELM=false
CERTIFY=false
RELEASE_TO_GITHUB=true
else
echo "Release branch must be 'release/...' or 'pre-release/...' but got: $release"
exit 1
fi
fi
tag="v${version}"
certified_version="${version}-certified"
echo "release_helm=$RELEASE_HELM" >> "$GITHUB_OUTPUT"
echo "certify=$CERTIFY" >> "$GITHUB_OUTPUT"
echo "release_to_github=$RELEASE_TO_GITHUB" >> "$GITHUB_OUTPUT"
echo "repo=$repo" >> "$GITHUB_OUTPUT"
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "tag=$tag" >> "$GITHUB_OUTPUT"
echo "certified_version=$certified_version" >> "$GITHUB_OUTPUT"
- name: Check out code
uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
ref: ${{ env.BRANCH }}
- name: Set up Go
if: ${{ steps.tag.outputs.release_helm == 'true' }}
uses: actions/setup-go@v5
with:
go-version-file: "${{ github.workspace }}/tools/makejwt/go.mod"
cache: false
- name: Set up Go (skip JWT)
if: ${{ steps.tag.outputs.release_helm == 'false' }}
uses: actions/setup-go@v5
with:
cache: false
- name: Trigger helm post release workflow
if: ${{ steps.tag.outputs.release_helm == 'true' }}
run: |
make release-helm JWT_RSA_PEM_KEY_BASE64="${{ secrets.AKO_RELEASER_RSA_KEY_BASE64 }}" \
JWT_APP_ID="${{ secrets.AKO_RELEASER_APP_ID }}" \
VERSION="${{ steps.tag.outputs.version }}"
- name: Choose Dockerfile
id: pick-dockerfile
run: |
if test -f "fast.Dockerfile"; then
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT
else
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT
fi
- name: Check signing supported
id: check-signing-support
run: |
if test -f "./scripts/sign-multiarch.sh"; then
echo "sign=true" >> $GITHUB_OUTPUT
else
echo "sign=false" >> $GITHUB_OUTPUT
fi
- name: Build all platforms & check version
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile'
run: |
make all-platforms VERSION=${{ steps.tag.outputs.version }}
# not all versions Makefiles support the version check
if make | grep -q check-version; then
make check-version VERSION=${{ steps.tag.outputs.version }}
fi
- name: Build and Push image
uses: ./.github/actions/build-push-image
with:
repository: ${{ steps.tag.outputs.repo }}
file: ${{ steps.pick-dockerfile.outputs.dockerfile }}
version: ${{ steps.tag.outputs.version }}
certified_version: ${{ steps.tag.outputs.certified_version }}
platforms: linux/amd64,linux/arm64
docker_username: ${{ secrets.DOCKER_USERNAME }}
docker_password: ${{ secrets.DOCKER_PASSWORD }}
push_to_quay: true
quay_username: mongodb+mongodb_atlas_kubernetes
quay_password: ${{ secrets.QUAY_PASSWORD }}
tags: |
${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified
- name: Certify Openshift images
if: ${{ steps.tag.outputs.certify == 'true' }}
uses: ./.github/actions/certify-openshift-images
with:
repository: ${{ steps.tag.outputs.repo }}
version: ${{ steps.tag.outputs.certified_version }}
quay_password: ${{ secrets.QUAY_PASSWORD }}
rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }}
rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }}
- name: Login to artifactory.corp.mongodb.com
if: steps.check-signing-support.outputs.sign == 'true'
uses: docker/login-action@v3
with:
registry: artifactory.corp.mongodb.com
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }}
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }}
- name: Sign images
if: steps.check-signing-support.outputs.sign == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
- name: Self-verify images
if: steps.check-signing-support.outputs.sign == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures
- name: Create configuration package
run: |
set -x
tar czvf atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz -C deploy all-in-one.yaml
- name: Create Release
if: steps.tag.outputs.release_to_github == 'true'
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.tag.outputs.tag }}
release_name: ${{ steps.tag.outputs.tag }}
body_path: docs/release-notes/release-notes.md
draft: true
prerelease: false
- name: Upload Release Asset
if: steps.tag.outputs.release_to_github == 'true'
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
asset_path: ./atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz
asset_name: atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz
asset_content_type: application/tgz