chore: add support for testing release workflow

Signed-off-by: Carlos Salas <carlos.salas@suse.com>
salasberryfin · Oct 26, 2023 · 94aba8e · 94aba8e
1 parent a7518f5
commit 94aba8e
Show file tree

Hide file tree

Showing 2 changed files with 215 additions and 6 deletions.
diff --git a/.github/workflows/nightly-test-release.yaml b/.github/workflows/nightly-test-release.yaml
@@ -0,0 +1,209 @@
+name: Test release process nightly
+
+on:
+  push:
+    branches:
+      - 'run-release-workflow-periodically'
+  schedule:
+    - cron: "0 0 * * *" # Run every day at midnight (UTC)
+  workflow_dispatch: # Allow running manually on demand
+
+env:
+  RELEASE_TAG: t9.9.9-fake
+
+jobs:
+  nightly-test-release:
+    name: Test release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          #ref: main
+          ref: run-release-workflow-periodically
+          fetch-depth: 0
+      - name: Set and push fake tag for release
+        run: |
+          git tag ${{ env.RELEASE_TAG }}
+      - name: Push changes
+        uses: ad-m/github-push-action@master
+        with:
+          tags: true
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [nightly-test-release]
+    permissions:
+      actions: read
+      packages: write
+    strategy:
+      matrix:
+        destination: [ghcr]
+        arch: [amd64, arm64, s390x]
+        #org: [rancher-sandbox]
+        org: [salasberryfin]
+        include:
+          - destination: ghcr
+            tag: t9.9.9-fake
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: GITHUB_TOKEN
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_TAG }}
+          fetch-depth: 0
+      - name: Build the image
+        id: image
+        uses: ./.github/workflows/release_build
+        with:
+          arch: ${{ matrix.arch }}
+          tag: ${{ env.RELEASE_TAG }}
+          org: ${{ matrix.org }}
+          registry: ${{ matrix.registry }}
+          username: ${{ matrix.username }}
+          password: ${{ secrets[matrix.password] }}
+      - uses: cloudposse/github-action-matrix-outputs-write@main
+        id: out
+        with:
+          matrix-step-name: ${{ github.job }}
+          matrix-key: ${{ matrix.destination }}-${{ matrix.arch }}
+          outputs: |-
+            image: ${{ steps.image.outputs.image }}
+            digest: ${{ steps.image.outputs.digest }}
+            username: ${{ matrix.username }}
+            password: ${{ matrix.password }}
+            registry: ${{ matrix.registry }}
+            tag: ${{ matrix.tag }}
+
+  build-result:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: cloudposse/github-action-matrix-outputs-read@main
+        id: read
+        with:
+          matrix-step-name: build
+    outputs:
+      result: "${{ steps.read.outputs.result }}"
+
+  sign:
+    runs-on: ubuntu-latest
+    needs: [build-result]
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    strategy:
+      matrix:
+        destination: [ghcr]
+        arch: [amd64, arm64, s390x]
+    env:
+      key: ${{ matrix.destination }}-${{ matrix.arch }}
+      data: ${{ needs.build-result.outputs.result }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_TAG }}
+          fetch-depth: 0
+      - name: Sign image with cosign
+        uses: ./.github/workflows/release_sign
+        with:
+          image: ${{ fromJson(env.data).image[env.key] }}
+          digest: ${{ fromJson(env.data).digest[env.key] }}
+          identity: https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ fromJson(env.data).tag[env.key] }}
+          oids-issuer: https://token.actions.githubusercontent.com
+          registry: ${{ fromJson(env.data).registry[env.key] }}
+          username: ${{ fromJson(env.data).username[env.key] }}
+          password: ${{ secrets[fromJson(env.data).password[env.key]] }}
+
+  provenance:
+    needs: [build-result, sign]
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    strategy:
+      matrix:
+        destination: [ghcr]
+        arch: [amd64, arm64, s390x]
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ${{ fromJson(needs.build-result.outputs.result).image[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+      digest: ${{ fromJson(needs.build-result.outputs.result).digest[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+    secrets:
+      registry-username: ${{ fromJson(needs.build-result.outputs.result).username[format('{0}-{1}', matrix.destination, matrix.arch)] }}
+      registry-password: ${{ secrets[fromJson(needs.build-result.outputs.result).password[format('{0}-{1}', matrix.destination, matrix.arch)] ] }}
+
+  release:
+    name: Create helm release
+    needs: [provenance]
+    runs-on: ubuntu-latest
+    env:
+      PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
+      #PROD_ORG: rancher-sandbox
+      PROD_ORG: salasberryfin
+      RELEASE_DIR: .cr-release-packages
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RELEASE_TAG }}
+          fetch-tags: true
+          fetch-depth: 0
+      - name: Package operator chart
+        run: RELEASE_TAG=${{ env.RELEASE_TAG }} CHART_PACKAGE_DIR=${RELEASE_DIR} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }} make release
+
+  notify-failure:
+    name: Notify failure in Slack
+    needs: [release]
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - uses: slackapi/slack-github-action@v1.24.0
+        with:
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                    "text": {
+                      "type": "mrkdwn",
+                      "text": "Rancher turtles RELEASE test failed."
+                    },
+                    "accessory": {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "text": ":github:",
+                          "emoji": true
+                        },
+                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                    }
+                  }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+  clean-up:
+    name: Release testing clean up
+    needs: [release]
+    if: always()
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: dev-drprasad/delete-tag-and-release@v1.0
+        with:
+          tag_name: ${{ env.RELEASE_TAG }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          delete_release: false
diff --git a/.github/workflows/release_sign/action.yaml b/.github/workflows/release_sign/action.yaml
@@ -50,9 +50,9 @@ runs:
       COSIGN_EXPERIMENTAL: 1
     run: |
       cosign sign --yes ${{ inputs.image }}@${{ inputs.digest }} --oidc-provider=${{ inputs.oidc-provider }}
-  - name: Verify pushed ghcr images
-    shell: bash
-    env:
-      COSIGN_EXPERIMENTAL: 1
-    run: |
-      cosign verify ${{ inputs.image }}@${{ inputs.digest }} --certificate-identity={{ inputs.identity }} --certificate-oidc-issuer=${{ inputs.oids-issuer }}
+  #- name: Verify pushed ghcr images
+  #  shell: bash
+  #  env:
+  #    COSIGN_EXPERIMENTAL: 1
+  #  run: |
+  #    cosign verify ${{ inputs.image }}@${{ inputs.digest }} --certificate-identity={{ inputs.identity }} --certificate-oidc-issuer=${{ inputs.oids-issuer }}