-
Notifications
You must be signed in to change notification settings - Fork 77
259 lines (247 loc) · 11.1 KB
/
rebuild-released-images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
# Github workflow that rebuilds already released images
name: Daily build
on:
schedule:
- cron: "0 1 * * 1-5"
workflow_dispatch:
inputs:
image_repo:
type: choice
description: "Target image repository for built images"
default: mongodb/mongodb-atlas-kubernetes-operator-prerelease
required: true
options:
- mongodb/mongodb-atlas-kubernetes-operator-prerelease
- mongodb/mongodb-atlas-kubernetes-operator
releases:
type: string
description: "Custom list of releases to rebuild"
default: ""
required: false
jobs:
read-versions:
name: Read config file
runs-on: ubuntu-latest
outputs:
date: ${{ steps.set-date.outputs.date }}
releases: ${{ steps.releases.outputs.releases }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo date=${DATE} >> $GITHUB_OUTPUT
- name: Releases
id: releases
run: |
if [ "${{ github.event.inputs.releases }}" == "" ]; then
echo "Computing supported releases..."
git fetch --tags
echo "releases=$(./scripts/supported-releases.sh)" | tee -a $GITHUB_OUTPUT
else
echo "Formatting ${{ github.event.inputs.releases }} as JSON array"
json_releases=$(echo "${{ github.event.inputs.releases }}" |tr "," "\n" |xargs -n1 |awk '{print "\""$1"\""}' |tr "\n" "," |sed 's/,$//' |awk '{print "["$1"]"}')
echo "releases=$json_releases" | tee -a $GITHUB_OUTPUT
fi
build-and-publish-image:
environment: release
runs-on: ubuntu-latest
needs:
- read-versions
env:
IMAGE_REPOSITORY: ${{ github.event.inputs.image_repo || 'mongodb/mongodb-atlas-kubernetes-operator' }}
QUAY_ROBOT_NAME: mongodb+mongodb_atlas_kubernetes
PLATFORMS: "linux/arm64,linux/amd64"
strategy:
matrix:
version: ${{ fromJSON(needs.read-versions.outputs.releases) }}
steps:
- name: Print daily tag
id: daily-tag
run: |
DAILY_TAG="${{ matrix.version }}-${{needs.read-versions.outputs.date}}"
echo "daily-tag=${DAILY_TAG}" >> $GITHUB_OUTPUT
- name: Rebuild ${{matrix.version}}
run: |
echo "Building ${{matrix.version}} version"
- name: Check out code
uses: actions/checkout@v4
with:
ref: "v${{ matrix.version }}"
submodules: true
fetch-depth: 0
- name: Choose Dockerfile & patch as needed
id: pick-dockerfile
run: |
if test -f "fast.Dockerfile"; then
echo "dockerfile=fast.Dockerfile" >> $GITHUB_OUTPUT
else
# This is ugly, but using a heredoc did not work
# An external file cannot be used as this code works on a older tag
# which is not the one holding this workflow version
# TODO: Once versions 1.9.x go away this can be removed
echo "diff --git a/Dockerfile b/Dockerfile" > docker.patch
echo "index ffffa7bf..e82f0402 100644" >> docker.patch
echo "--- a/Dockerfile" >> docker.patch
echo "+++ b/Dockerfile" >> docker.patch
echo "@@ -1,5 +1,6 @@" >> docker.patch
echo " # Build the manager binary" >> docker.patch
echo " FROM golang:1.21 as builder" >> docker.patch
echo "+ARG GOTOOLCHAIN=auto" >> docker.patch
echo " " >> docker.patch
echo " WORKDIR /workspace" >> docker.patch
echo " # Copy the Go Modules manifests" >> docker.patch
patch Dockerfile docker.patch
echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT
fi
- name: Check signing supported
id: check-signing-support
run: |
if test -f "./scripts/sign-multiarch.sh"; then
echo "sign=true" >> $GITHUB_OUTPUT
else
echo "sign=false" >> $GITHUB_OUTPUT
fi
- name: Check for devbox
id: check-devbox
run: |
if test -f "devbox.json"; then
echo "devbox-build=true" >> $GITHUB_OUTPUT
else
echo "devbox-build=false" >> $GITHUB_OUTPUT
fi
- name: Set up Go (Non Devbox)
uses: actions/setup-go@v5
if: steps.check-devbox.outputs.devbox-build == 'false'
with:
go-version-file: "${{ github.workspace }}/go.mod"
cache: false
- name: Setup cache (Non Devbox)
uses: actions/cache@v4
if: steps.check-devbox.outputs.devbox-build == 'false'
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum', '**/go.mod') }}
- name: Download go build dependencies (Non Devbox)
if: steps.check-devbox.outputs.devbox-build == 'false'
shell: bash
run: |
go mod download
- name: Build all platforms & check version (Non Devbox)
if: steps.pick-dockerfile.outputs.dockerfile == 'fast.Dockerfile' && steps.check-devbox.outputs.devbox-build == 'false'
run: |
make all-platforms VERSION=${{ matrix.version }}
# not all versions Makefiles support the version check
if make |grep -q check-version; then
echo "Checking version..."
make check-version VERSION=${{ matrix.version }}
else
echo "Skipped version check"
fi
- name: Install devbox
uses: jetify-com/[email protected]
with:
enable-cache: 'true'
if: steps.check-devbox.outputs.devbox-build == 'true'
- name: Download Go build dependencies (Devbox)
run: devbox run -- 'go mod download'
if: steps.check-devbox.outputs.devbox-build == 'true'
shell: bash
- name: Build all platforms & check version (Devbox)
run: |
devbox run -- '
make all-platforms VERSION=${{ matrix.version }}
# Not all versions of Makefiles support the version check
if make -n | grep -q check-version; then
echo "Checking version..."
make check-version VERSION=${{ matrix.version }}
else
echo "Skipped version check"
fi'
if: steps.check-devbox.outputs.devbox-build == 'true'
shell: bash
- name: "Set up Docker Buildx"
uses: docker/setup-buildx-action@v3
with:
platforms: ${{ env.PLATFORMS }}
- name: Login to docker registry
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to quay.io registry
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ env.QUAY_ROBOT_NAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build and push operator to the DockerHub (daily-tag & release-tag)
uses: docker/build-push-action@v6
with:
context: .
file: ${{ steps.pick-dockerfile.outputs.dockerfile }}
build-args: VERSION=${{ matrix.version }}
platforms: ${{ env.PLATFORMS }}
cache-from: type=gha
cache-to: type=gha,mode=max
push: true
sbom: true
tags: |
${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}
${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }}
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}
quay.io/${{ env.IMAGE_REPOSITORY }}:${{ matrix.version }}
- name: Login to artifactory.corp.mongodb.com
if: steps.check-signing-support.outputs.sign == 'true'
uses: docker/login-action@v3
with:
registry: artifactory.corp.mongodb.com
username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }}
password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }}
- name: Sign images (Non Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
- name: Self-verify images (Non Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'false'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}
make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures
- name: Sign images (Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make sign IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make sign IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'
- name: Self-verify images (Devbox)
if: steps.check-signing-support.outputs.sign == 'true' && steps.check-devbox.outputs.devbox-build == 'true'
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
run: |
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make verify IMG="quay.io/${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=${{ env.IMAGE_REPOSITORY }}'
devbox run -- 'make verify IMG="${{ env.IMAGE_REPOSITORY }}:${{ steps.daily-tag.outputs.daily-tag }}" SIGNATURE_REPO=mongodb/signatures'