name: Image on: push: branches: - master pull_request: branches: - master types: [ labeled, unlabeled, opened, synchronize, reopened ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true permissions: {} jobs: set-vars: permissions: contents: read if: github.repository == 'argoproj/argo-cd' runs-on: ubuntu-22.04 outputs: image-tag: ${{ steps.image.outputs.tag}} platforms: ${{ steps.platforms.outputs.platforms }} steps: - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 - name: Set image tag for ghcr run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT id: image - name: Determine image platforms to use id: platforms run: | IMAGE_PLATFORMS=linux/amd64 if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] then IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le fi echo "Building image for platforms: $IMAGE_PLATFORMS" echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT build-only: needs: [set-vars] permissions: contents: read packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags id-token: write # for creating OIDC tokens for signing. if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }} uses: ./.github/workflows/image-reuse.yaml with: # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) # renovate: datasource=golang-version packageName=golang go-version: 1.23.3 platforms: ${{ needs.set-vars.outputs.platforms }} push: false build-and-publish: needs: [set-vars] permissions: contents: read packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags id-token: write # for creating OIDC tokens for signing. if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} uses: ./.github/workflows/image-reuse.yaml with: quay_image_name: quay.io/argoproj/argocd:latest ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) # renovate: datasource=golang-version packageName=golang go-version: 1.23.3 platforms: ${{ needs.set-vars.outputs.platforms }} push: true secrets: quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} ghcr_username: ${{ github.actor }} ghcr_password: ${{ secrets.GITHUB_TOKEN }} build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io needs: - build-and-publish permissions: actions: read # for detecting the Github Actions environment. id-token: write # for creating OIDC tokens for signing. packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: image: ghcr.io/argoproj/argo-cd/argocd digest: ${{ needs.build-and-publish.outputs.image-digest }} registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }} Deploy: needs: - build-and-publish - set-vars permissions: contents: write # for git to push upgrade commit if not already deployed packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments" env: TOKEN: ${{ secrets.TOKEN }} - run: | docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} git config --global user.email 'ci@argoproj.com' git config --global user.name 'CI' git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) working-directory: argoproj-deployments/argocd