-
Notifications
You must be signed in to change notification settings - Fork 74
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Loading status checks…
Merge pull request #195 from inteon/cicd
Make `Makefile`s reusable and automate release process
Showing
89 changed files
with
5,206 additions
and
1,805 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,20 @@ | ||
# Update Go dependencies and GitHub Actions dependencies weekly. | ||
# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. | ||
# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead. | ||
|
||
# Update Go dependencies and GitHub Actions dependencies daily. | ||
version: 2 | ||
updates: | ||
- package-ecosystem: gomod | ||
directory: / | ||
schedule: | ||
interval: weekly | ||
interval: daily | ||
groups: | ||
all: | ||
patterns: ["*"] | ||
- package-ecosystem: github-actions | ||
directory: / | ||
schedule: | ||
interval: weekly | ||
interval: daily | ||
groups: | ||
all: | ||
patterns: ["*"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
name: debian-trust-package-release | ||
on: | ||
push: | ||
branches: ['main'] | ||
paths: | ||
- make/00_debian_version.mk | ||
|
||
jobs: | ||
build_images: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read # needed for checkout | ||
packages: write # needed for push images | ||
id-token: write # needed for keyless signing | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: docker/login-action@v3 | ||
with: | ||
registry: quay.io | ||
username: ${{ secrets.QUAY_USERNAME }} | ||
password: ${{ secrets.QUAY_PASSWORD }} | ||
|
||
- uses: actions/setup-go@v4 | ||
with: | ||
go-version-file: go.mod | ||
|
||
- id: release | ||
run: make release-debian-trust-package | ||
|
||
outputs: | ||
RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }} | ||
RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
name: debian-trust-package-upgrade | ||
concurrency: debian-trust-package-upgrade | ||
on: | ||
workflow_dispatch: {} | ||
schedule: | ||
- cron: '0 0 * * *' | ||
|
||
jobs: | ||
debian-trust-package-upgrade: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: write | ||
pull-requests: write | ||
|
||
env: | ||
SOURCE_BRANCH: "${{ github.ref_name }}" | ||
SELF_UPGRADE_BRANCH: "debian-trust-package-upgrade-${{ github.ref_name }}" | ||
|
||
steps: | ||
- name: Fail if branch is not head of branch. | ||
if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} | ||
run: | | ||
echo "This workflow should not be run on a non-branch-head." | ||
exit 1 | ||
- uses: actions/checkout@v4 | ||
|
||
- id: go-version | ||
run: | | ||
make print-go-version >> "$GITHUB_OUTPUT" | ||
- uses: actions/setup-go@v5 | ||
with: | ||
go-version: ${{ steps.go-version.outputs.result }} | ||
|
||
- run: | | ||
git checkout -B "$SELF_UPGRADE_BRANCH" | ||
- run: | | ||
make -j upgrade-debian-trust-package-version | ||
- id: is-up-to-date | ||
shell: bash | ||
run: | | ||
git_status=$(git status -s) | ||
is_up_to_date="true" | ||
if [ -n "$git_status" ]; then | ||
is_up_to_date="false" | ||
echo "The following changes will be committed:" | ||
echo "$git_status" | ||
fi | ||
echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" | ||
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }} | ||
run: | | ||
git config --global user.name "cert-manager-bot" | ||
git config --global user.email "cert-manager-bot@users.noreply.github.com" | ||
git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff | ||
git push -f origin "$SELF_UPGRADE_BRANCH" | ||
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }} | ||
uses: actions/github-script@v7 | ||
with: | ||
script: | | ||
const { repo, owner } = context.repo; | ||
const pulls = await github.rest.pulls.list({ | ||
owner: owner, | ||
repo: repo, | ||
head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, | ||
base: process.env.SOURCE_BRANCH, | ||
state: 'open', | ||
}); | ||
if (pulls.data.length < 1) { | ||
await github.rest.pulls.create({ | ||
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, | ||
owner: owner, | ||
repo: repo, | ||
head: process.env.SELF_UPGRADE_BRANCH, | ||
base: process.env.SOURCE_BRANCH, | ||
body: [ | ||
'This PR is auto-generated to bump the Makefile modules.', | ||
].join('\n'), | ||
}); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. | ||
# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead. | ||
|
||
# Run govulncheck at midnight every night on the main branch, | ||
# to alert us to recent vulnerabilities which affect the Go code in this | ||
# project. | ||
name: govulncheck | ||
on: | ||
workflow_dispatch: {} | ||
schedule: | ||
- cron: '0 0 * * *' | ||
|
||
jobs: | ||
govulncheck: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- id: go-version | ||
run: | | ||
make print-go-version >> "$GITHUB_OUTPUT" | ||
- uses: actions/setup-go@v5 | ||
with: | ||
go-version: ${{ steps.go-version.outputs.result }} | ||
|
||
- run: make verify-govulncheck |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. | ||
# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead. | ||
|
||
name: make-self-upgrade | ||
concurrency: make-self-upgrade | ||
on: | ||
workflow_dispatch: {} | ||
schedule: | ||
- cron: '0 0 * * *' | ||
|
||
jobs: | ||
self_upgrade: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: write | ||
pull-requests: write | ||
|
||
env: | ||
SOURCE_BRANCH: "${{ github.ref_name }}" | ||
SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}" | ||
|
||
steps: | ||
- name: Fail if branch is not head of branch. | ||
if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} | ||
run: | | ||
echo "This workflow should not be run on a non-branch-head." | ||
exit 1 | ||
- uses: actions/checkout@v4 | ||
|
||
- id: go-version | ||
run: | | ||
make print-go-version >> "$GITHUB_OUTPUT" | ||
- uses: actions/setup-go@v5 | ||
with: | ||
go-version: ${{ steps.go-version.outputs.result }} | ||
|
||
- run: | | ||
git checkout -B "$SELF_UPGRADE_BRANCH" | ||
- run: | | ||
make -j upgrade-klone | ||
make -j generate | ||
- id: is-up-to-date | ||
shell: bash | ||
run: | | ||
git_status=$(git status -s) | ||
is_up_to_date="true" | ||
if [ -n "$git_status" ]; then | ||
is_up_to_date="false" | ||
echo "The following changes will be committed:" | ||
echo "$git_status" | ||
fi | ||
echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" | ||
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }} | ||
run: | | ||
git config --global user.name "cert-manager-bot" | ||
git config --global user.email "cert-manager-bot@users.noreply.github.com" | ||
git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff | ||
git push -f origin "$SELF_UPGRADE_BRANCH" | ||
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }} | ||
uses: actions/github-script@v7 | ||
with: | ||
script: | | ||
const { repo, owner } = context.repo; | ||
const pulls = await github.rest.pulls.list({ | ||
owner: owner, | ||
repo: repo, | ||
head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, | ||
base: process.env.SOURCE_BRANCH, | ||
state: 'open', | ||
}); | ||
if (pulls.data.length < 1) { | ||
await github.rest.pulls.create({ | ||
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, | ||
owner: owner, | ||
repo: repo, | ||
head: process.env.SELF_UPGRADE_BRANCH, | ||
base: process.env.SOURCE_BRANCH, | ||
body: [ | ||
'This PR is auto-generated to bump the Makefile modules.', | ||
].join('\n'), | ||
}); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
name: release | ||
on: | ||
push: | ||
tags: | ||
- "v*" | ||
|
||
env: | ||
VERSION: ${{ github.ref_name }} | ||
|
||
jobs: | ||
build_images: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read # needed for checkout | ||
packages: write # needed for push images | ||
id-token: write # needed for keyless signing | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: docker/login-action@v3 | ||
with: | ||
registry: quay.io | ||
username: ${{ secrets.QUAY_USERNAME }} | ||
password: ${{ secrets.QUAY_PASSWORD }} | ||
|
||
- uses: actions/setup-go@v4 | ||
with: | ||
go-version-file: go.mod | ||
|
||
- id: release | ||
run: make release | ||
|
||
- uses: actions/upload-artifact@v3 | ||
with: | ||
name: trust-manager-${{ env.VERSION }}.tgz | ||
path: ${{ steps.release.outputs.RELEASE_HELM_CHART_TAR }} | ||
|
||
outputs: | ||
RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }} | ||
RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }} | ||
RELEASE_OCI_PACKAGE_DEBIAN_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }} | ||
RELEASE_OCI_PACKAGE_DEBIAN_TAG: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }} | ||
RELEASE_HELM_CHART_NAME: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }} | ||
RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }} | ||
|
||
github_release: | ||
runs-on: ubuntu-latest | ||
|
||
needs: build_images | ||
|
||
permissions: | ||
contents: write # needed for creating a PR | ||
pull-requests: write # needed for creating a PR | ||
|
||
steps: | ||
- run: | | ||
touch .notes-file | ||
echo "OCI_MANAGER_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_IMAGE }}" >> .notes-file | ||
echo "OCI_MANAGER_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_TAG }}" >> .notes-file | ||
echo "OCI_PACKAGE_DEBIAN_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }}" >> .notes-file | ||
echo "OCI_PACKAGE_DEBIAN_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }}" >> .notes-file | ||
echo "HELM_CHART_NAME: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}" >> .notes-file | ||
echo "HELM_CHART_VERSION: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file | ||
- id: chart_download | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: trust-manager-${{ env.VERSION }}.tgz | ||
|
||
- env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: | | ||
gh release create "$VERSION" \ | ||
--repo="$GITHUB_REPOSITORY" \ | ||
--title="${GITHUB_REPOSITORY#*/} ${VERSION#v}" \ | ||
--draft \ | ||
--verify-tag \ | ||
--notes-file .notes-file | ||
gh release upload "$VERSION" \ | ||
--repo="$GITHUB_REPOSITORY" \ | ||
"${{ steps.chart_download.outputs.download-path }}/trust-manager-$VERSION.tgz" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,31 @@ | ||
/bin | ||
/_artifacts | ||
/.vscode | ||
/.idea/ | ||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
bin | ||
testbin/* | ||
|
||
# Test binary, build with `go test -c` | ||
*.test | ||
|
||
# Output of the go coverage tool, specifically when used with LiteIDE | ||
*.out | ||
|
||
# Kubernetes Generated files - skip generated files, except for vendored files | ||
!vendor/**/zz_generated.* | ||
|
||
# editor and IDE paraphernalia | ||
.idea | ||
*.swp | ||
*.swo | ||
*~ | ||
|
||
_bin | ||
_certs | ||
_artifacts | ||
.vscode | ||
|
||
# direnv files | ||
.envrc |
Oops, something went wrong.