chore(deps): update registry.access.redhat.com/ubi9-micro docker tag … #207
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - v[0-9]+.[0-9]+.[0-9]+ | |
| - v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+ # include prerelease tags too | |
| env: | |
| GOOGLE_MARKETPLACE_ANNOTATION: com.googleapis.cloudmarketplace.product.service.name=services/dynatrace-operator-dynatrace-marketplace-prod.cloudpartnerservices.goog | |
| PLATFORMS: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x | |
| DEPLOYER_PLATFORMS: linux/amd64 | |
| jobs: | |
| prepare: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| name: Prepare properties | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Prepare build parameters | |
| id: prep | |
| run: | | |
| hack/build/ci/prepare-build-variables.sh | |
| outputs: | |
| labels: ${{ steps.prep.outputs.docker_image_labels }} | |
| version: ${{ steps.prep.outputs.docker_image_tag }} | |
| version_without_prefix: ${{ steps.prep.outputs.docker_image_tag_without_prefix }} | |
| build-push: | |
| name: Build images | |
| environment: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| needs: [prepare] | |
| env: | |
| GCR_IMAGE: gcr.io/${{ secrets.GCR_REPOSITORY }}:${{ needs.prepare.outputs.version }} | |
| ECR_IMAGE: public.ecr.aws/${{ secrets.ECR_REPOSITORY }}:${{ needs.prepare.outputs.version }} | |
| RHCC_IMAGE: quay.io/${{ secrets.RHCC_REPOSITORY }}:${{ needs.prepare.outputs.version }} | |
| DOCKER_IMAGE: docker.io/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ needs.prepare.outputs.version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Golang | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "${{ github.workspace }}/go.mod" | |
| - name: Prepare SBOM # Needs setup-go, uses a binary installed via `go install` | |
| id: sbom | |
| run: | | |
| make release/gen-sbom | |
| - name: Login to GCR | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: gcr.io | |
| username: ${{ secrets.GCR_USERNAME }} | |
| password: ${{ secrets.GCR_JSON_KEY }} | |
| - name: Login to RHCC | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.RHCC_USERNAME }} | |
| password: ${{ secrets.RHCC_PASSWORD }} | |
| - name: Login to Docker | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: docker.io | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Build image | |
| id: build-image | |
| uses: ./.github/actions/build-push-image | |
| with: | |
| platforms: ${{ env.PLATFORMS }} | |
| labels: ${{ needs.prepare.outputs.labels }} | |
| tags: ${{ env.RHCC_IMAGE }},${{ env.GCR_IMAGE }},${{ env.ECR_IMAGE }},${{ env.DOCKER_IMAGE }} | |
| annotation: ${{ env.GOOGLE_MARKETPLACE_ANNOTATION }} | |
| outputs: | |
| digest: ${{steps.build-image.outputs.digest}} | |
| signing: | |
| name: Sign the image index/manifests + Add SBOM | |
| environment: Release | |
| needs: [prepare, build-push] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| registry: [gcr, dockerhub, amazon-ecr, rhcc] | |
| include: | |
| - registry: gcr | |
| url: gcr.io | |
| repository: GCR_REPOSITORY | |
| username: GCR_USERNAME | |
| password: GCR_JSON_KEY | |
| - registry: dockerhub | |
| url: docker.io | |
| repository: DOCKERHUB_REPOSITORY | |
| username: DOCKERHUB_USERNAME | |
| password: DOCKERHUB_PASSWORD | |
| - registry: amazon-ecr | |
| url: public.ecr.aws | |
| repository: ECR_REPOSITORY | |
| - registry: rhcc | |
| url: quay.io | |
| username: RHCC_USERNAME | |
| password: RHCC_PASSWORD | |
| repository: RHCC_REPOSITORY | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Login to Registry | |
| if: ${{ matrix.registry != 'amazon-ecr' }} | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ${{ matrix.url }} | |
| username: ${{ secrets[matrix.username] }} | |
| password: ${{ secrets[matrix.password] }} | |
| - name: Configure aws credentials | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| if: ${{ matrix.registry == 'amazon-ecr' }} | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Sign images for ${{matrix.registry}} | |
| uses: ./.github/actions/sign-image | |
| with: | |
| image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.build-push.outputs.digest }} | |
| signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| signing-password: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Create sbom for ${{matrix.registry}} | |
| id: sbom | |
| uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0 | |
| with: | |
| image-ref: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.build-push.outputs.digest }} | |
| format: 'cyclonedx' | |
| output: 'result.json' | |
| skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses' | |
| skip-files: '/usr/local/bin/dynatrace-operator' | |
| - name: Upload sbom to ${{matrix.registry}} | |
| uses: ./.github/actions/upload-sbom | |
| with: | |
| image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.build-push.outputs.digest }} | |
| sbom: 'result.json' | |
| signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| signing-password: ${{ secrets.COSIGN_PASSWORD }} | |
| build-gcr-deployer: | |
| name: Build GCR deployer image | |
| environment: Release | |
| runs-on: ubuntu-latest | |
| needs: [ prepare ] | |
| env: | |
| IMAGE: gcr.io/${{ secrets.GCR_REPOSITORY_DEPLOYER }}:${{ needs.prepare.outputs.version }} | |
| IMAGE_NO_PREFIX: gcr.io/${{ secrets.GCR_REPOSITORY_DEPLOYER }}:${{ needs.prepare.outputs.version_without_prefix }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: gcr.io | |
| username: ${{ secrets.GCR_USERNAME }} | |
| password: ${{ secrets.GCR_JSON_KEY }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # 3.10.0 | |
| - name: Build and push | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # 6.18.0 | |
| with: | |
| platforms: ${{ env.DEPLOYER_PLATFORMS }} | |
| provenance: false | |
| context: ./config/helm | |
| file: ./config/helm/Dockerfile | |
| push: true | |
| tags: ${{ env.IMAGE }},${{ env.IMAGE_NO_PREFIX }} | |
| annotations: | | |
| ${{ env.GOOGLE_MARKETPLACE_ANNOTATION }} | |
| run-preflight-rhcc: | |
| name: Run preflight for rhcc | |
| environment: Release | |
| needs: [ prepare, build-push] | |
| runs-on: ubuntu-latest | |
| env: | |
| SCAN_REGISTRY: "quay.io" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Login to Registry | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ${{ env.SCAN_REGISTRY }} | |
| username: ${{ secrets.RHCC_USERNAME }} | |
| password: ${{ secrets.RHCC_PASSWORD }} | |
| - name: Run preflight | |
| uses: ./.github/actions/preflight | |
| with: | |
| version: ${{ needs.prepare.outputs.version }} | |
| registry: ${{ env.SCAN_REGISTRY }} | |
| repository: ${{ secrets.RHCC_REPOSITORY }} | |
| report-name: "preflight.json" | |
| redhat-project-id: ${{ secrets.REDHAT_PROJECT_ID }} | |
| pyxis-api-token: ${{ secrets.PYXIS_API_TOKEN }} | |
| should-submit: "true" | |
| release: | |
| name: Create release | |
| needs: [prepare, build-push, signing, run-preflight-rhcc] | |
| environment: Release | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Golang | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "${{ github.workspace }}/go.mod" | |
| - name: Generate release notes | |
| shell: bash | |
| env: | |
| PRE_RELEASE: ${{ contains(github.ref, '-rc.') }} | |
| run: | | |
| hack/build/ci/generate-release-notes.sh | |
| - name: Generate K8s manifests | |
| shell: bash | |
| env: | |
| VERSION_WITHOUT_PREFIX: ${{ needs.prepare.outputs.version_without_prefix }} | |
| VERSION: ${{ needs.prepare.outputs.version }} | |
| run: | | |
| make manifests/crd/release CHART_VERSION="${VERSION_WITHOUT_PREFIX}" | |
| make manifests/kubernetes/olm IMAGE="public.ecr.aws/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.build-push.outputs.digest}}" | |
| make manifests/kubernetes IMAGE="public.ecr.aws/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.build-push.outputs.digest}}" | |
| make manifests/openshift/olm IMAGE="registry.connect.redhat.com/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.build-push.outputs.digest}}" | |
| make manifests/openshift IMAGE="registry.connect.redhat.com/dynatrace/dynatrace-operator" TAG="${VERSION}@${{needs.build-push.outputs.digest}}" | |
| cp config/deploy/kubernetes/kubernetes.yaml config/deploy/kubernetes/gke-autopilot.yaml | |
| - name: Build helm packages | |
| uses: ./.github/actions/build-helm | |
| with: | |
| version_without_prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| secring: ${{ secrets.HELM_SECRING }} | |
| passphrase: ${{ secrets.HELM_PASSPHRASE }} | |
| output-dir: "./helm-pkg" | |
| - name: Login Helm to dockerhub | |
| shell: bash | |
| run: | | |
| helm registry login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_PASSWORD }}" "registry.hub.docker.com" | |
| - name: Login Docker to dockerhub | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: docker.io | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Upload and sign helm package to dockerhub | |
| uses: ./.github/actions/upload-helm | |
| with: | |
| version: ${{ needs.prepare.outputs.version }} | |
| version-without-prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| cosign-password: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_IMAGEPUSH_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Upload and sign helm package to Amazon ECR | |
| uses: ./.github/actions/upload-helm | |
| with: | |
| registry-url: public.ecr.aws | |
| image-base-url: public.ecr.aws | |
| version: ${{ needs.prepare.outputs.version }} | |
| version-without-prefix: ${{ needs.prepare.outputs.version_without_prefix }} | |
| cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| cosign-password: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Prepare cosign.pub artifact | |
| env: | |
| COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} | |
| run: | | |
| mkdir -p tmp | |
| echo ${COSIGN_PUBLIC_KEY} | base64 -d > tmp/cosign.pub | |
| - name: Create pre-release | |
| uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 | |
| if: ${{ contains(github.ref, '-rc.') }} | |
| with: | |
| body_path: ./CHANGELOG.md | |
| files: | | |
| tmp/cosign.pub | |
| config/deploy/dynatrace-operator-crd.yaml | |
| config/deploy/kubernetes/kubernetes.yaml | |
| config/deploy/openshift/openshift.yaml | |
| config/deploy/kubernetes/kubernetes-csi.yaml | |
| config/deploy/openshift/openshift-csi.yaml | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| prerelease: true | |
| draft: true | |
| fail_on_unmatched_files: true | |
| - name: Create release | |
| uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| with: | |
| body_path: ./CHANGELOG.md | |
| files: | | |
| tmp/cosign.pub | |
| config/deploy/dynatrace-operator-crd.yaml | |
| config/deploy/kubernetes/kubernetes.yaml | |
| config/deploy/kubernetes/gke-autopilot.yaml | |
| config/deploy/openshift/openshift.yaml | |
| config/deploy/kubernetes/kubernetes-csi.yaml | |
| config/deploy/openshift/openshift-csi.yaml | |
| helm-pkg/dynatrace-operator-${{ needs.prepare.outputs.version_without_prefix }}.tgz | |
| helm-pkg/dynatrace-operator-${{ needs.prepare.outputs.version_without_prefix }}.tgz.prov | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| prerelease: false | |
| draft: true | |
| fail_on_unmatched_files: true | |
| - name: Update index helm file | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| env: | |
| VERSION_WITHOUT_PREFIX: ${{ needs.prepare.outputs.version_without_prefix }} | |
| run: | | |
| echo "Getting index.yaml from main branch" | |
| git fetch origin main | |
| git restore --source origin/main -- config/helm/repos/stable/index.yaml | |
| echo "Updating Helm repo index" | |
| hack/build/ci/generate-new-helm-index-yaml.sh "helm-pkg" ${{ needs.prepare.outputs.version_without_prefix }} | |
| - name: Create pull request for adding helm index to main branch | |
| if: ${{ !contains(github.ref, '-rc.') }} | |
| uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 | |
| with: | |
| base: main | |
| delete-branch: true | |
| branch: create-pull-request/update-helm-index | |
| branch-suffix: short-commit-hash | |
| add-paths: | | |
| ./config/helm/repos/stable/index.yaml | |
| ./config/helm/repos/stable/index.yaml.previous | |
| title: '[Automatic] Update index for ${{ github.ref }} release' | |
| commit-message: Update index.yaml | |
| committer: GitHub <noreply@github.com> | |
| author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> | |
| body: | | |
| # Description | |
| Upgrade `index.yaml` to include latest version of the helm chart. | |
| ## How can this be tested? | |
| Helm upgrade to and install of `${{ github.ref }}` works. | |
| ## Checklist | |
| - [x] PR is labeled accordingly |