Create Release #1327
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GitHub workflow for creating release. | |
# Trigger release branch should be merge into main | |
# TODO add e2e/smoke test for autogen configuration | |
name: Create Release | |
on: | |
push: | |
tags: | |
- 'v*' | |
workflow_call: | |
inputs: | |
tag: | |
type: string | |
description: "Name of existing tag to release (format should be 'v*')" | |
required: true | |
workflow_dispatch: | |
inputs: | |
tag: | |
type: string | |
description: "Name of existing tag (or branch) to release (format should be 'v*')" | |
required: true | |
image_repo: | |
type: choice | |
description: "Target image repository for built images" | |
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
required: true | |
options: | |
- mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
- mongodb/mongodb-atlas-kubernetes-operator | |
release_helm: | |
type: choice | |
description: "Whether or not to trigger the Helm release as well. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
certify: | |
type: choice | |
description: "Whether or not to certify the OpenShift images. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
release_to_github: | |
type: choice | |
description: "Whether or not to create the GitHub release. Skip by default for tests" | |
default: 'false' | |
required: true | |
options: | |
- true | |
- false | |
jobs: | |
create-release: | |
environment: release | |
name: Create Release | |
runs-on: ubuntu-latest | |
env: | |
RELEASE_HELM: ${{ github.event.inputs.release_helm || 'true' }} | |
CERTIFY: ${{ github.event.inputs.certify || 'true' }} | |
RELEASE_TO_GITHUB: ${{ github.event.inputs.release_to_github || 'true' }} | |
TAG: ${{ inputs.tag || github.head_ref || github.ref_name }} | |
steps: | |
- name: Free disk space | |
run: | | |
sudo swapoff -a | |
sudo rm -f /swapfile | |
sudo apt clean | |
docker rmi $(docker image ls -aq) | |
df -h | |
- name: Compute release tag and options | |
id: tag | |
run: | | |
version=$(echo "${TAG}" |awk -F'^v' '{print $2}') | |
prerelease_tail=$(echo "${version}" | awk -F'-' '{print $2}') | |
if [[ "$prerelease_tail" == "" ]]; then | |
echo "Releasing version $version..." | |
repo="mongodb/mongodb-atlas-kubernetes-operator" | |
else | |
echo "Pre-releasing version $version..." | |
repo="mongodb/mongodb-atlas-kubernetes-operator-prerelease" | |
RELEASE_HELM=false | |
CERTIFY=false | |
RELEASE_TO_GITHUB=false | |
fi | |
echo "release_helm=${RELEASE_HELM}" >> "$GITHUB_OUTPUT" | |
echo "certify=${CERTIFY}" >> "$GITHUB_OUTPUT" | |
echo "release_to_github=${RELEASE_TO_GITHUB}" >> "$GITHUB_OUTPUT" | |
echo "repo=${repo}" >> "$GITHUB_OUTPUT" | |
echo "version=${version}" >> "$GITHUB_OUTPUT" | |
echo "certified_version=${version}-certified" >> "$GITHUB_OUTPUT" | |
cat "$GITHUB_OUTPUT" | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
ref: ${{ env.TAG }} | |
- name: Set up Go | |
if: ${{ steps.tag.outputs.release_helm == 'true' }} | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "${{ github.workspace }}/tools/makejwt/go.mod" | |
cache: false | |
- name: Set up Go (skip JWT) | |
if: ${{ steps.tag.outputs.release_helm == 'false' }} | |
uses: actions/setup-go@v5 | |
with: | |
cache: false | |
- name: Trigger helm post release workflow | |
if: ${{ steps.tag.outputs.release_helm == 'true' }} | |
run: | | |
make release-helm JWT_RSA_PEM_KEY_BASE64="${{ secrets.AKO_RELEASER_RSA_KEY_BASE64 }}" \ | |
JWT_APP_ID="${{ secrets.AKO_RELEASER_APP_ID }}" \ | |
VERSION="${{ steps.tag.outputs.version }}" | |
- name: Choose Dockerfile | |
id: pick-dockerfile | |
run: | | |
if test -f "fast.Dockerfile"; then | |
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT | |
else | |
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT | |
fi | |
- name: Check signing supported | |
id: check-signing-support | |
run: | | |
if test -f "./scripts/sign-multiarch.sh"; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
else | |
echo "sign=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Build all platforms & check version | |
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' | |
run: | | |
make all-platforms VERSION=${{ steps.tag.outputs.version }} | |
# not all versions Makefiles support the version check | |
if make | grep -q check-version; then | |
make check-version VERSION=${{ steps.tag.outputs.version }} | |
fi | |
- name: Build and Push image | |
uses: ./.github/actions/build-push-image | |
with: | |
repository: ${{ steps.tag.outputs.repo }} | |
file: ${{ steps.pick-dockerfile.outputs.dockerfile }} | |
version: ${{ steps.tag.outputs.version }} | |
certified_version: ${{ steps.tag.outputs.certified_version }} | |
platforms: linux/amd64,linux/arm64 | |
docker_username: ${{ secrets.DOCKER_USERNAME }} | |
docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
push_to_quay: true | |
quay_username: mongodb+mongodb_atlas_kubernetes | |
quay_password: ${{ secrets.QUAY_PASSWORD }} | |
tags: | | |
${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }} | |
quay.io/${{ steps.tag.outputs.repo }}:${{ steps.tag.outputs.version }}-certified | |
- name: Certify Openshift images | |
if: ${{ steps.tag.outputs.certify == 'true' }} | |
uses: ./.github/actions/certify-openshift-images | |
with: | |
repository: ${{ steps.tag.outputs.repo }} | |
version: ${{ steps.tag.outputs.certified_version }} | |
quay_password: ${{ secrets.QUAY_PASSWORD }} | |
rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }} | |
rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }} | |
- name: Login to artifactory.corp.mongodb.com | |
if: steps.check-signing-support.outputs.sign == 'true' | |
uses: docker/login-action@v3 | |
with: | |
registry: artifactory.corp.mongodb.com | |
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
- name: Sign images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
IMAGE_REPOSITORY: ${{ steps.tag.outputs.repo }} | |
run: | | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures | |
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures | |
- name: Self-verify images | |
if: steps.check-signing-support.outputs.sign == 'true' | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
IMAGE_REPOSITORY: ${{ steps.tag.outputs.repo }} | |
run: | | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }} | |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}" SIGNATURE_REPO=mongodb/signatures | |
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.tag.outputs.version }}-certified" SIGNATURE_REPO=mongodb/signatures | |
- name: Create configuration package | |
run: | | |
set -x | |
tar czvf atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz -C deploy all-in-one.yaml | |
- name: Create Release | |
if: steps.tag.outputs.release_to_github == 'true' | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ env.TAG }} | |
release_name: ${{ env.TAG }} | |
body_path: docs/release-notes/release-notes-template.md | |
draft: true | |
prerelease: false | |
- name: Upload Release Asset | |
if: steps.tag.outputs.release_to_github == 'true' | |
id: upload-release-asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: ./atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_name: atlas-operator-all-in-one-${{ steps.tag.outputs.version }}.tar.gz | |
asset_content_type: application/tgz |