init-release run manifests-local with env vars #318
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| types: [labeled, unlabeled, opened, synchronize, reopened] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: {} | |
| jobs: | |
| set-vars: | |
| permissions: | |
| contents: read | |
| # Always run to calculate variables - other jobs check outputs | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| image-tag: ${{ steps.image.outputs.tag}} | |
| platforms: ${{ steps.platforms.outputs.platforms }} | |
| image_namespace: ${{ steps.image.outputs.image_namespace }} | |
| image_repository: ${{ steps.image.outputs.image_repository }} | |
| quay_image_name: ${{ steps.image.outputs.quay_image_name }} | |
| ghcr_image_name: ${{ steps.image.outputs.ghcr_image_name }} | |
| ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }} | |
| allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }} | |
| steps: | |
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| - name: Set image tag and names | |
| run: | | |
| # Calculate image tag | |
| TAG="$(cat ./VERSION)-${GITHUB_SHA::8}" | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| # Calculate image names with defaults | |
| IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}" | |
| IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}" | |
| GHCR_NAMESPACE="${{ vars.GHCR_NAMESPACE || github.repository }}" | |
| GHCR_REPOSITORY="${{ vars.GHCR_REPOSITORY || 'argocd' }}" | |
| echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT | |
| echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT | |
| # Construct image name | |
| echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:latest" >> $GITHUB_OUTPUT | |
| ALLOW_GHCR_PUBLISH=false | |
| if [[ "${{ github.repository }}" == "argoproj/argo-cd" || "$GHCR_NAMESPACE" != argoproj/* ]]; then | |
| ALLOW_GHCR_PUBLISH=true | |
| echo "ghcr_image_name=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY:$TAG" >> $GITHUB_OUTPUT | |
| echo "ghcr_provenance_image=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY" >> $GITHUB_OUTPUT | |
| else | |
| echo "GhCR publish skipped: refusing to push to namespace '$GHCR_NAMESPACE'. Please override GHCR_* for forks." >&2 | |
| echo "ghcr_image_name=" >> $GITHUB_OUTPUT | |
| echo "ghcr_provenance_image=" >> $GITHUB_OUTPUT | |
| fi | |
| echo "allow_ghcr_publish=$ALLOW_GHCR_PUBLISH" >> $GITHUB_OUTPUT | |
| id: image | |
| - name: Determine image platforms to use | |
| id: platforms | |
| run: | | |
| IMAGE_PLATFORMS=linux/amd64 | |
| if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] | |
| then | |
| IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
| fi | |
| echo "Building image for platforms: $IMAGE_PLATFORMS" | |
| echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT | |
| build-only: | |
| needs: [set-vars] | |
| permissions: | |
| contents: read | |
| packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
| id-token: write # for creating OIDC tokens for signing. | |
| if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name != 'push' }} | |
| uses: ./.github/workflows/image-reuse.yaml | |
| with: | |
| # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
| # renovate: datasource=golang-version packageName=golang | |
| go-version: 1.25.3 | |
| platforms: ${{ needs.set-vars.outputs.platforms }} | |
| push: false | |
| build-and-publish: | |
| needs: [set-vars] | |
| permissions: | |
| contents: read | |
| packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
| id-token: write # for creating OIDC tokens for signing. | |
| if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' }} | |
| uses: ./.github/workflows/image-reuse.yaml | |
| with: | |
| quay_image_name: ${{ needs.set-vars.outputs.quay_image_name }} | |
| ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }} | |
| # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
| # renovate: datasource=golang-version packageName=golang | |
| go-version: 1.25.3 | |
| platforms: ${{ needs.set-vars.outputs.platforms }} | |
| push: true | |
| secrets: | |
| quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
| quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
| ghcr_username: ${{ github.actor }} | |
| ghcr_password: ${{ secrets.GITHUB_TOKEN }} | |
| build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io | |
| needs: | |
| - set-vars | |
| - build-and-publish | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
| if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' && needs.set-vars.outputs.allow_ghcr_publish == 'true'}} | |
| # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: ${{ needs.set-vars.outputs.ghcr_provenance_image }} | |
| digest: ${{ needs.build-and-publish.outputs.image-digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| Deploy: | |
| needs: | |
| - build-and-publish | |
| - set-vars | |
| permissions: | |
| contents: write # for git to push upgrade commit if not already deployed | |
| packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
| if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| - run: git clone "https://[email protected]/argoproj/argoproj-deployments" | |
| env: | |
| TOKEN: ${{ secrets.TOKEN }} | |
| - run: | | |
| docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
| git config --global user.email '[email protected]' | |
| git config --global user.name 'CI' | |
| git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) | |
| working-directory: argoproj-deployments/argocd |