Skip to content

Daily build

Daily build #714

# Github workflow that rebuilds already released images
name: Daily build
on:
schedule:
- cron: "0 1 * * 1-5"
workflow_dispatch:
inputs:
image_repo:
type: choice
description: "Target image repository for built images"
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease
required: true
options:
- mongodb/mongodb-atlas-kubernetes-operator-prerelease
- mongodb/mongodb-atlas-kubernetes-operator
releases:
type: string
description: "Custom list of releases to rebuild"
default: ""
required: false
jobs:
read-versions:
name: Read config file
runs-on: ubuntu-latest
outputs:
date: ${{ steps.set-date.outputs.date }}
releases: ${{ steps.releases.outputs.releases }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo date=${DATE} >> $GITHUB_OUTPUT
- name: Releases
id: releases
run: |
if [ "${{ github.event.inputs.releases }}" == "" ]; then
echo "Computing supported releases..."
git fetch --tags
echo "releases=$(./scripts/supported-releases.sh)" | tee -a $GITHUB_OUTPUT
else
echo "Formatting ${{ github.event.inputs.releases }} as JSON array"
json_releases=$(echo "${{ github.event.inputs.releases }}" |tr "," "\n" |xargs -n1 |awk '{print "\""$1"\""}' |tr "\n" "," |sed 's/,$//' |awk '{print "["$1"]"}')
echo "releases=$json_releases" | tee -a $GITHUB_OUTPUT
fi
build-and-publish-image:
environment: release
runs-on: ubuntu-latest
needs:
- read-versions
env:
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo || 'mongodb/mongodb-atlas-kubernetes-operator' }}
QUAY_ROBOT_NAME: mongodb+mongodb_atlas_kubernetes
PLATFORMS: "linux/arm64,linux/amd64"
strategy:
matrix:
version: ${{ fromJSON(needs.read-versions.outputs.releases) }}
steps:
- name: Print daily tag
id: daily-tag
run: |
DAILY_TAG="${{ matrix.version }}-${{needs.read-versions.outputs.date}}"
echo "daily-tag=${DAILY_TAG}" >> $GITHUB_OUTPUT
- name: Rebuild ${{matrix.version}}
run: |
echo "Building ${{matrix.version}} version"
- name: Check out code
uses: actions/checkout@v4
with:
ref: "v${{ matrix.version }}"
submodules: true
fetch-depth: 0
- name: Choose Dockerfile & patch as needed
id: pick-dockerfile
run: |
if test -f "fast.Dockerfile"; then
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT
else
# This is ugly, but using a heredoc did not work
# An external file cannot be used as this code works on a older tag
# which is not the one holding this workflow version
# TODO: Once versions 1.9.x go away this can be removed
echo "diff --git a/Dockerfile b/Dockerfile" > docker.patch
echo "index ffffa7bf..e82f0402 100644" >> docker.patch
echo "--- a/Dockerfile" >> docker.patch
echo "+++ b/Dockerfile" >> docker.patch
echo "@@ -1,5 +1,6 @@" >> docker.patch
echo " # Build the manager binary" >> docker.patch
echo " FROM golang:1.21 as builder" >> docker.patch
echo "+ARG GOTOOLCHAIN=auto" >> docker.patch
echo " " >> docker.patch
echo " WORKDIR /workspace" >> docker.patch
echo " # Copy the Go Modules manifests" >> docker.patch
patch Dockerfile docker.patch
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT
fi
- name: Check signing supported
id: check-signing-support
run: |
if test -f "./scripts/sign-multiarch.sh"; then
echo "sign=true" >> $GITHUB_OUTPUT
else
echo "sign=false" >> $GITHUB_OUTPUT
fi
- name: Check for devbox
id: check-devbox
run: |
if test -f "devbox.json"; then
echo "devbox-build=true" >> $GITHUB_OUTPUT
else
echo "devbox-build=false" >> $GITHUB_OUTPUT
fi
- name: Set up Go (Non Devbox)
uses: actions/setup-go@v5
if: steps.check-devbox.outputs.devbox-build == 'false'
with:
go-version-file: "${{ github.workspace }}/go.mod"
cache: false
- name: Setup cache (Non Devbox)
uses: actions/cache@v4
if: steps.check-devbox.outputs.devbox-build == 'false'
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum', '**/go.mod') }}
- name: Download go build dependencies (Non Devbox)
if: steps.check-devbox.outputs.devbox-build == 'false'
shell: bash
run: |
go mod download
- name: Build all platforms & check version (Non Devbox)
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' && steps.check-devbox.outputs.devbox-build == 'false'
run: |
make all-platforms VERSION=${{ matrix.version }}
# not all versions Makefiles support the version check
if make |grep -q check-version; then
echo "Checking version..."
make check-version VERSION=${{ matrix.version }}
else
echo "Skipped version check"
fi
- name: Install devbox
uses: jetify-com/[email protected]
with:
enable-cache: 'true'
if: steps.check-devbox.outputs.devbox-build == 'true'
- name: Download Go build dependencies (Devbox)
run: devbox run -- 'go mod download'
if: steps.check-devbox.outputs.devbox-build == 'true'
shell: bash
- name: Build all platforms & check version (Devbox)
run: |
devbox run -- '
make all-platforms VERSION=${{ matrix.version }}
# Not all versions of Makefiles support the version check
if make -n | grep -q check-version; then
echo "Checking version..."
make check-version VERSION=${{ matrix.version }}
else
echo "Skipped version check"
fi'
if: steps.check-devbox.outputs.devbox-build == 'true'
shell: bash
- name: "Set up Docker Buildx"
uses: docker/setup-buildx-action@v3
with:
platforms: ${{ env.PLATFORMS }}
- name: Login to docker registry
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to quay.io registry
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ env.QUAY_ROBOT_NAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build and push operator to the DockerHub (daily-tag & release-tag)
uses: docker/build-push-action@v6
with:
context: .
file: ${{ steps.pick-dockerfile.outputs.dockerfile }}
build-args: VERSION=${{ matrix.version }}
platforms: ${{ env.PLATFORMS }}
cache-from: type=gha
cache-to: type=gha,mode=max
push: true
sbom: true
tags: |
${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}
${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }}
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }}
- name: Login to artifactory.corp.mongodb.com
if: steps.check-signing-support.outputs.sign == 'true'
uses: docker/login-action@v3
with:
registry: artifactory.corp.mongodb.com
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }}
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }}
- name: Sign images (Non Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
- name: Self-verify images (Non Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
- name: Sign images (Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'
- name: Self-verify images (Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'