build: Parameterized build system for company forks (#4605)

* build: started parameterized release process

Signed-off-by: Kostis Kapelonis <[email protected]>

* build: custom step for registry name

Signed-off-by: Kostis Kapelonis <[email protected]>

* build: document releases from internal forks

Signed-off-by: Kostis Kapelonis <[email protected]>

* build: also pass custom registry to manifests

Signed-off-by: Kostis Kapelonis <[email protected]>

---------

Signed-off-by: Kostis Kapelonis <[email protected]>

Author: kostis-codefresh

.github/workflows/docker-publish.yml

@@ -15,6 +15,10 @@ concurrency:
 
 permissions: {}
 
+env:
+  # Registry namespace - defaults to 'argoproj', override via GitHub vars
+  REGISTRY_NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'argoproj' }}
+
 jobs:
   set-vars:
     permissions:
@@ -31,7 +35,7 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            quay.io/argoproj/argo-rollouts
+            quay.io/${{ env.REGISTRY_NAMESPACE }}/argo-rollouts
           tags: |
             type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -41,7 +45,7 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            quay.io/argoproj/kubectl-argo-rollouts
+            quay.io/${{ env.REGISTRY_NAMESPACE }}/kubectl-argo-rollouts
           tags: |
             type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}

.github/workflows/release.yaml

@@ -10,14 +10,30 @@ env:
   GOLANG_VERSION: '1.24' # Note: go-version must also be set in job controller-image.with.go-version & plugin-image.with.go-version.
 
 jobs:
+  # Central registry namespace configuration - Allows override of the registry namespace via GitHub vars. Defaults to 'argoproj'
+  set-registry-namespace:
+    runs-on: ubuntu-latest
+    outputs:
+      registry_namespace: ${{ steps.set.outputs.registry_namespace }}
+    steps:
+      - name: Set registry namespace
+        id: set
+        run: |
+          REGISTRY_NAMESPACE="${{ vars.REGISTRY_NAMESPACE }}"
+          if [ -z "$REGISTRY_NAMESPACE" ]; then
+            REGISTRY_NAMESPACE="argoproj"
+          fi
+          echo "registry_namespace=$REGISTRY_NAMESPACE" >> $GITHUB_OUTPUT
+
   controller-image:
+    needs: set-registry-namespace
     permissions:
       contents: read
       packages: write # Required and used to push images to `ghcr.io` if used.
       id-token: write # For creating OIDC tokens for signing.
     uses: ./.github/workflows/image-reuse.yaml
     with:
-      quay_image_name: quay.io/argoproj/argo-rollouts:${{ github.ref_name }}
+      quay_image_name: quay.io/${{ needs.set-registry-namespace.outputs.registry_namespace }}/argo-rollouts:${{ github.ref_name }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       go-version: '1.24'
       platforms: linux/amd64,linux/arm64
@@ -27,13 +43,14 @@ jobs:
       quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
   plugin-image:
+    needs: set-registry-namespace
     permissions:
       contents: read
       packages: write # Required and used to push images to `ghcr.io` if used.
       id-token: write # For creating OIDC tokens for signing.
     uses: ./.github/workflows/image-reuse.yaml
     with:
-      quay_image_name: quay.io/argoproj/kubectl-argo-rollouts:${{ github.ref_name }}
+      quay_image_name: quay.io/${{ needs.set-registry-namespace.outputs.registry_namespace }}/kubectl-argo-rollouts:${{ github.ref_name }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       go-version: '1.24'
       platforms: linux/amd64,linux/arm64
@@ -46,14 +63,15 @@ jobs:
   controller-image-provenance:
     needs:
       - controller-image
+      - set-registry-namespace
     permissions:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      image: quay.io/argoproj/argo-rollouts
+      image: quay.io/${{ needs.set-registry-namespace.outputs.registry_namespace }}/argo-rollouts
       digest: ${{ needs.controller-image.outputs.image-digest }}
     secrets:
       registry-username: ${{ secrets.QUAY_USERNAME }}
@@ -62,20 +80,22 @@ jobs:
   plugin-image-provenance:
     needs:
       - plugin-image
+      - set-registry-namespace
     permissions:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      image: quay.io/argoproj/kubectl-argo-rollouts
+      image: quay.io/${{ needs.set-registry-namespace.outputs.registry_namespace }}/kubectl-argo-rollouts
       digest: ${{ needs.plugin-image.outputs.image-digest }}
     secrets:
       registry-username: ${{ secrets.QUAY_USERNAME }}
       registry-password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
   release-artifacts:
+    needs: set-registry-namespace
     permissions:
       contents: write # for softprops/action-gh-release to create GitHub release
     runs-on: ubuntu-latest
@@ -104,7 +124,7 @@ jobs:
         run: |
           make release-plugins
           make checksums
-          make manifests IMAGE_TAG=${{ github.ref_name }}
+          make manifests IMAGE_TAG=${{ github.ref_name }} REGISTRY_NAMESPACE=${{ needs.set-registry-namespace.outputs.registry_namespace }}
 
       - name: Draft release
         uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v0.1.15
@@ -151,6 +171,7 @@ jobs:
     needs:
       - release-artifacts
       - release-artifacts-provenance
+      - set-registry-namespace
     permissions:
       contents: write # Needed for release uploads
       id-token: write # Needed for signing Sbom
@@ -183,7 +204,7 @@ jobs:
           # managers (gomod, yarn, npm).
           PROJECT_FOLDERS: '.,./ui'
           # full qualified name of the container image to be inspected
-          CONTAINER_IMAGE: quay.io/argoproj/argo-rollouts:${{ github.event.inputs.tag }}
+          CONTAINER_IMAGE: quay.io/${{ needs.set-registry-namespace.outputs.registry_namespace }}/argo-rollouts:${{ github.ref_name }}
 
         run: |
           yarn install --cwd ./ui

Makefile

@@ -291,7 +291,7 @@ coverage: test ## run coverage tests
 
 .PHONY: manifests
 manifests: ## generate manifests e.g. CRD, RBAC etc.
-	./hack/update-manifests.sh
+	REGISTRY_NAMESPACE=$(REGISTRY_NAMESPACE) IMAGE_TAG=$(IMAGE_TAG) ./hack/update-manifests.sh
 
 .PHONY: clean
 clean: ## clean up build artifacts

docs/releasing.md

@@ -68,3 +68,21 @@ execution. You can follow its progress under the [Actions](https://github.com/ar
     brew upgrade kubectl-argo-rollouts
     kubectl argo rollouts version
     ```
+
+### Releasing from your own fork of Argo Rollouts
+
+It is also possible to release from your own personal/company fork. This is useful if your organization keeps [a second copy of Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/proposals/parameterized-build-system.md) for hot-fixes or security updates.
+
+1. Sign-up for a RedHat account so that you get acess to [Quay Registry](http://quay.io)
+2. Login and create two repositories called `argo-rollouts` and `kubectl-argo-rollouts` (for the CLI)
+3. Under "Account settings" create a "Robot account" for CI automation with any name you want. A token will be generated for you
+
+Then enter your GitHub account in your own forked repo and under Settings -> "Secrets and Variables" -> actions:
+
+* Add `QUAY_USERNAME` and `QUAY_ROBOT_TOKEN` as "Repository Secrets" with the values you created from the previous step 
+* Add `REGISTRY_NAMESPACE` with your own Quay username/organization as "Repository variables"
+
+Now follow any of the instructions from the previous section and you will see released images in your own Quay repository.
+
+!!! tip
+    The `trigger-release.sh` does some basic checks for the name of the tag. If you want to release with a tag that doesn't follow the expected naming convention you can skip this script and just push a tag on your own directly to GitHub.

hack/update-manifests.sh

@@ -6,17 +6,16 @@ set -e
 SRCROOT="$( CDPATH='' cd -- "$(dirname "$0")/.." && pwd -P )"
 AUTOGENMSG="# This is an auto-generated file. DO NOT EDIT"
 
-if [ ! -z "${IMAGE_NAMESPACE}" ]; then
-  SET_IMAGE_NAMESPACE="=${IMAGE_NAMESPACE}"
-fi
+# Default to 'argoproj' if not set
+REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE:-argoproj}"
 
 if [ ! -z "${IMAGE_TAG}" ]; then
   SET_IMAGE_TAG=":${IMAGE_TAG}"
 fi
 
-if [ ! -z "${SET_IMAGE_NAMESPACE}" ] || [ ! -z "${SET_IMAGE_TAG}" ]; then
-  (cd ${SRCROOT}/manifests/base && kustomize edit set image quay.io/argoproj/argo-rollouts${SET_IMAGE_NAMESPACE}${SET_IMAGE_TAG})
-  (cd ${SRCROOT}/manifests/dashboard-install && kustomize edit set image quay.io/argoproj/kubectl-argo-rollouts${SET_IMAGE_NAMESPACE}${SET_IMAGE_TAG})
+if [ ! -z "${SET_IMAGE_TAG}" ]; then
+  (cd ${SRCROOT}/manifests/base && kustomize edit set image quay.io/${REGISTRY_NAMESPACE}/argo-rollouts${SET_IMAGE_TAG})
+  (cd ${SRCROOT}/manifests/dashboard-install && kustomize edit set image quay.io/${REGISTRY_NAMESPACE}/kubectl-argo-rollouts${SET_IMAGE_TAG})
 fi
 
 kust_cmd="kustomize build --load-restrictor LoadRestrictionsNone"