From bdc5ae4573d8ab40f015b17b84561a264df35bd2 Mon Sep 17 00:00:00 2001
From: Stefan Prodan <stefan.prodan@gmail.com>
Date: Fri, 9 Sep 2022 14:07:55 +0300
Subject: [PATCH] Publish install manifests to GHCR and DockerHub as OCI artifacts

Add workflow to build and push the install manifests to:
- ghcr.io/fluxcd/flux-manifests
- docker.io/fluxcd/flux-manifests

The OCI artifacts are signed with Cosign and GitHub OIDC (keyless). The manifests
pushed to GHCR have the container images set to ghcr.io/fluxcd/<controller-name>,
while the manifests pushed to DockerHub have the controller images set to
docker.io/fluxcd/<controller-name>.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
---
 .github/workflows/release-manifests.yml | 73 +++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 .github/workflows/release-manifests.yml

diff --git a/.github/workflows/release-manifests.yml b/.github/workflows/release-manifests.yml
new file mode 100644
index 00000000..178f3642
--- /dev/null
+++ b/.github/workflows/release-manifests.yml
@@ -0,0 +1,73 @@
+name: release-manifests
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Setup Flux CLI
+        uses: ./action/
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=$(flux version --client | awk '{ print $NF }')
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Push manifests to GHCR
+        run: |
+          mkdir -p ./ghcr.io/flux-system
+          flux install --registry=ghcr.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./ghcr.io/flux-system/gotk-components.yaml
+          
+          cd ./ghcr.io && flux push artifact \
+          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - name: Push manifests to DockerHub
+        run: |
+          mkdir -p ./docker.io/flux-system
+          flux install --registry=docker.io/fluxcd \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export > ./docker.io/flux-system/gotk-components.yaml
+          
+          cd ./docker.io && flux push artifact \
+          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --path="./flux-system" \
+          --source=${{ github.repositoryUrl }} \
+          --revision="${{ github.ref_name }}/${{ github.sha }}"
+      - uses: sigstore/cosign-installer@main
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
+      - name: Tag manifests
+        run: |
+          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest
+
+          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
+          --tag latest
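Review bot: The Kustomize and Cosign installer steps (`fluxcd/pkg/actions/kustomize@main`, `sigstore/cosign-installer@main`) are pulled from a mutable branch in a job that holds `id-token: write`, `GHCR_TOKEN` and `DOCKER_FLUXCD_PASSWORD`, so a compromised or force-pushed `main` in either repository would run with the registry credentials and could obtain a keyless signature under this workflow's OIDC identity; pin them (and the tag-pinned `actions/checkout@v3` / `docker/login-action@v2`) to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<commit-sha> # vX.Y.Z`. The `Sign manifests` step also signs by tag (`cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}`), which signs whatever the tag resolves to at that moment rather than the artifact the earlier step pushed; capturing the digest from the `flux push artifact` output and signing `ghcr.io/fluxcd/flux-manifests@sha256:<digest>` would bind the signature to the pushed content. `packages: write` appears unused because the GHCR login authenticates with the `fluxcdbot` PAT rather than `GITHUB_TOKEN`, so either drop the permission or switch that login to `password: ${{ secrets.GITHUB_TOKEN }}` and retire the long-lived secret. Lastly, `${{ github.repositoryUrl }}` expands to a `git://` URL, so `--source` presumably wants `${{ github.server_url }}/${{ github.repository }}` — verify against how Flux consumers read the source annotation.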
-- 