Merge pull request #4001 from k0sproject/backport-3989-to-release-1.29 #428
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
tags: | |
- v* # Push events to matching v*, i.e. v1.0, v20.15.10 | |
jobs: | |
release: | |
env: | |
TF_VAR_k0s_binary_path: "${{ github.workspace }}/k0s" | |
KUBECONFIG: ${{ github.workspace }}/kubeconfig | |
name: release | |
runs-on: ubuntu-latest | |
outputs: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
tag_name: ${{ steps.branch_name.outputs.TAG_NAME }} | |
release_id: ${{ steps.create_release.outputs.id }} | |
image_tag: ${{ steps.image_tag.outputs.IMAGE_TAGS }} | |
steps: | |
# Ugly hack to get the tag name | |
# github.ref gives the full reference like refs.tags.v0.0.1-beta1 | |
- name: Branch name | |
id: branch_name | |
run: | | |
echo TAG_NAME="${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
- name: Create Release | |
id: create_release | |
uses: shogo82148/[email protected] | |
with: | |
release_name: ${{ steps.branch_name.outputs.TAG_NAME }} | |
draft: true # So we can manually edit before publishing | |
prerelease: ${{ contains(github.ref, '-') }} # v0.1.2-beta1, 1.2.3-rc1 | |
- name: Prepare image tags | |
id: image_tag | |
env: | |
TAGS: ${{ steps.branch_name.outputs.TAG_NAME }} | |
# Basically just replace the '+' with '-' as '+' is not allowed in tags | |
run: | | |
echo IMAGE_TAGS="${TAGS//+/-}" >> $GITHUB_OUTPUT | |
x64: | |
needs: release | |
runs-on: [self-hosted, linux, x64] | |
env: | |
SEGMENT_TOKEN: ${{ secrets.SEGMENT_WRITE_KEY_PROD }} | |
EULA_NOTICE: ${{ secrets.EULA_NOTICE }} | |
steps: | |
- name: Clean Docker before build | |
run: | | |
docker system prune --all --volumes --force | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 (see below) | |
- name: "Pre: Fixup directories" | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
- name: Build | |
run: make EMBEDDED_BINS_BUILDMODE=docker | |
env: | |
VERSION: ${{ needs.release.outputs.tag_name }} | |
- name: Set up Go for smoke tests | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Run basic smoke test | |
run: make check-basic | |
- name: Create airgap image bundle | |
run: make airgap-image-bundle-linux-amd64.tar | |
- name: Collect smoke test logs | |
if: failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs | |
path: tests/*.log | |
- name: Sign binary | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
curl -sSLo cosign https://github.com/sigstore/cosign/releases/download/v2.2.0/cosign-linux-amd64 | |
chmod +x ./cosign | |
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s | |
cat k0s.sig | |
- name: Upload Release Assets - Binary | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-amd64 | |
asset_content_type: application/octet-stream | |
- name: Upload Release Assets - Signature | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s.sig | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-amd64.sig | |
asset_content_type: application/octet-stream | |
- name: Upload Artifact for use in other Jobs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: k0s-amd64 | |
path: ./k0s | |
- name: Upload Release Assets - Bundle | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./airgap-image-bundle-linux-amd64.tar | |
asset_name: k0s-airgap-bundle-${{ needs.release.outputs.tag_name }}-amd64 | |
asset_content_type: application/octet-stream | |
- name: Clean Docker after build | |
if: always() | |
run: | | |
docker system prune --all --volumes --force | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 | |
# Golang mod cache tends to set directories to read-only, which breaks any | |
# attempts to simply remove those directories. The `make clean-gocache` | |
# target takes care of this, but the mod cache can't be deleted here, | |
# since it shall be cached across builds, and caching takes place as a | |
# post build action. So, as a workaround, ensure that all subdirectories | |
# are writable. | |
- name: "Post: Fixup directories" | |
if: always() | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
windows: | |
needs: release | |
runs-on: [self-hosted, linux, x64] | |
env: | |
SEGMENT_TOKEN: ${{ secrets.SEGMENT_WRITE_KEY_PROD }} | |
EULA_NOTICE: ${{ secrets.EULA_NOTICE }} | |
TARGET_OS: windows | |
steps: | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 (see below) | |
- name: "Pre: Fixup directories" | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Build | |
run: make EMBEDDED_BINS_BUILDMODE=docker k0s.exe | |
env: | |
VERSION: ${{ needs.release.outputs.tag_name }} | |
- name: Sign binary | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
curl -sSLo cosign https://github.com/sigstore/cosign/releases/download/v2.2.0/cosign-linux-amd64 | |
chmod +x ./cosign | |
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.exe.sig k0s.exe | |
cat k0s.exe.sig | |
- name: Clean Docker | |
run: | | |
docker system prune --all --volumes --force | |
- name: Upload Release Assets | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s.exe | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-amd64.exe | |
asset_content_type: application/octet-stream | |
- name: Upload Release Assets - Signature | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s.exe.sig | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-amd64.exe.sig | |
asset_content_type: application/octet-stream | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 | |
# Golang mod cache tends to set directories to read-only, which breaks any | |
# attempts to simply remove those directories. The `make clean-gocache` | |
# target takes care of this, but the mod cache can't be deleted here, | |
# since it shall be cached across builds, and caching takes place as a | |
# post build action. So, as a workaround, ensure that all subdirectories | |
# are writable. | |
- name: "Post: Fixup directories" | |
if: always() | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
arm64: | |
needs: release | |
runs-on: [self-hosted, linux, arm64] | |
env: | |
SEGMENT_TOKEN: ${{ secrets.SEGMENT_WRITE_KEY_PROD }} | |
EULA_NOTICE: ${{ secrets.EULA_NOTICE }} | |
steps: | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 (see below) | |
- name: "Pre: Fixup directories" | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
- name: Clean Docker before build | |
run: | | |
docker system prune --all --volumes --force | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
working-directory: ./ | |
- name: Build | |
run: make EMBEDDED_BINS_BUILDMODE=docker | |
env: | |
VERSION: ${{ needs.release.outputs.tag_name }} | |
- name: Sign binary | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
curl -sSLo cosign https://github.com/sigstore/cosign/releases/download/v2.2.0/cosign-linux-arm64 | |
chmod +x ./cosign | |
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s | |
cat k0s.sig | |
- name: Set up Go for smoke tests | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Run basic smoke test | |
run: make check-basic | |
- name: Create airgap image bundle | |
run: make airgap-image-bundle-linux-arm64.tar | |
- name: Collect smoke test logs | |
if: failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs | |
path: tests/*.log | |
- name: Upload Release Assets - Binary | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-arm64 | |
asset_content_type: application/octet-stream | |
- name: Upload Release Assets - Signature | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s.sig | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-arm64.sig | |
asset_content_type: application/octet-stream | |
- name: Upload Artifact for use in other Jobs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: k0s-arm64 | |
path: ./k0s | |
- name: Upload Release Assets - Bundle | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./airgap-image-bundle-linux-arm64.tar | |
asset_name: k0s-airgap-bundle-${{ needs.release.outputs.tag_name }}-arm64 | |
asset_content_type: application/octet-stream | |
- name: Clean Docker after build | |
if: always() | |
run: | | |
docker system prune --all --volumes --force | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 | |
# Golang mod cache tends to set directories to read-only, which breaks any | |
# attempts to simply remove those directories. The `make clean-gocache` | |
# target takes care of this, but the mod cache can't be deleted here, | |
# since it shall be cached across builds, and caching takes place as a | |
# post build action. So, as a workaround, ensure that all subdirectories | |
# are writable. | |
- name: "Post: Fixup directories" | |
if: always() | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
armv7: | |
needs: release | |
runs-on: [self-hosted, linux, arm] | |
env: | |
SEGMENT_TOKEN: ${{ secrets.SEGMENT_WRITE_KEY_PROD }} | |
EULA_NOTICE: ${{ secrets.EULA_NOTICE }} | |
steps: | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 (see below) | |
- name: "Pre: Fixup directories" | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
- name: Clean Docker before build | |
run: | | |
docker system prune --all --volumes --force | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
working-directory: ./ | |
- name: Build | |
run: make EMBEDDED_BINS_BUILDMODE=docker | |
env: | |
VERSION: ${{ needs.release.outputs.tag_name }} | |
- name: Sign binary | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
curl -sSLo cosign https://github.com/sigstore/cosign/releases/download/v2.2.0/cosign-linux-arm | |
chmod +x ./cosign | |
COSIGN_KEY="$(printf %s "$COSIGN_KEY" | base64 -d)" ./cosign sign-blob --key env://COSIGN_KEY --tlog-upload=false --output-file=k0s.sig k0s | |
cat k0s.sig | |
- name: Set up Go for smoke tests | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Run basic smoke test | |
run: make check-basic | |
- name: Create airgap image bundle | |
run: make airgap-image-bundle-linux-arm.tar | |
- name: Collect smoke test logs | |
if: failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs | |
path: tests/*.log | |
- name: Upload Release Assets - Binary | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-arm | |
asset_content_type: application/octet-stream | |
- name: Upload Release Assets - Signature | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./k0s.sig | |
asset_name: k0s-${{ needs.release.outputs.tag_name }}-arm.sig | |
asset_content_type: application/octet-stream | |
- name: Upload Artifact for use in other Jobs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: k0s-arm | |
path: ./k0s | |
- name: Upload Release Assets - Bundle | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./airgap-image-bundle-linux-arm.tar | |
asset_name: k0s-airgap-bundle-${{ needs.release.outputs.tag_name }}-arm | |
asset_content_type: application/octet-stream | |
- name: Clean Docker after build | |
if: always() | |
run: | | |
docker system prune --all --volumes --force | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 | |
# Golang mod cache tends to set directories to read-only, which breaks any | |
# attempts to simply remove those directories. The `make clean-gocache` | |
# target takes care of this, but the mod cache can't be deleted here, | |
# since it shall be cached across builds, and caching takes place as a | |
# post build action. So, as a workaround, ensure that all subdirectories | |
# are writable. | |
- name: "Post: Fixup directories" | |
if: always() | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
checksums: | |
needs: | |
- release | |
- x64 | |
- arm64 | |
- armv7 | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download assets for generating checksums | |
uses: robinraju/[email protected] | |
with: | |
releaseId: ${{ needs.release.outputs.release_id }} | |
filename: "*" | |
out-file-path: release_assets | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate checksums | |
run: | | |
cd release_assets && sha256sum -b * > ../sha256sums.txt | |
- name: Upload sha256sums.txt | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: sha256sums.txt | |
asset_name: sha256sums.txt | |
asset_content_type: text/plain | |
overwrite: true | |
build-image: | |
needs: | |
- release | |
- x64 | |
- arm64 | |
- armv7 | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Run git checkout | |
uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Fetch k0s amd64 | |
uses: actions/download-artifact@v4 | |
with: | |
name: k0s-amd64 | |
path: ./k0s-amd64 | |
- name: Fetch k0s arm64 | |
uses: actions/download-artifact@v4 | |
with: | |
name: k0s-arm64 | |
path: ./k0s-arm64 | |
- name: Fetch k0s arm | |
uses: actions/download-artifact@v4 | |
with: | |
name: k0s-arm | |
path: ./k0s-arm | |
- name: Make binaries executable | |
run: chmod +x ./k0s-*/k0s | |
- name: Fetch Alpine version to use | |
run: | | |
alpinePatchVersion="$(./vars.sh alpine_patch_version)" | |
echo "ALPINE_PATCH_VERSION=$alpinePatchVersion" >>"$GITHUB_ENV" | |
- name: Build image and push to Docker Hub and GitHub image registry | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
tags: | | |
ghcr.io/k0sproject/k0s:${{ needs.release.outputs.image_tag }} | |
docker.io/k0sproject/k0s:${{ needs.release.outputs.image_tag }} | |
build-args: | | |
ALPINE_VERSION=${{ env.ALPINE_PATCH_VERSION }} | |
push: true | |
sbom: | |
needs: | |
- release | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Run git checkout | |
uses: actions/checkout@v4 | |
- name: Generate SBOM | |
env: | |
COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
mkdir -p sbom && chmod 777 sbom | |
echo $COSIGN_KEY | base64 -d > cosign.key | |
make sign-sbom | |
make sign-pub-key | |
- name: Upload Release Assets - SBOM | |
uses: shogo82148/[email protected] | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: ./sbom/* | |
asset_content_type: application/octet-stream | |
conformance-test: | |
needs: | |
- release | |
- x64 | |
- arm64 | |
strategy: | |
matrix: | |
arch: [ amd64, arm64 ] | |
include: | |
- arch: amd64 | |
instance-type: c4.xlarge | |
- arch: arm64 | |
instance-type: c7g.xlarge | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_TERRAFORM_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_TERRAFORM_KEY }} | |
AWS_DEFAULT_REGION: eu-west-1 | |
TF_VERSION: 1.2.2 | |
TF_VAR_k0s_binary_path: ${{ github.workspace }}/k0s/k0s | |
TF_VAR_instance_arch: ${{ matrix.arch }} | |
TF_VAR_instance_type: ${{ matrix.instance-type }} | |
KUBECONFIG: ${{ github.workspace }}/kubeconfig | |
name: "K8s Conformance Testing" | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./inttest/sonobuoy/terraform | |
steps: | |
- name: Run git checkout | |
uses: actions/checkout@v4 | |
- name: Prepare build environment | |
working-directory: ./ | |
run: .github/workflows/prepare-build-env.sh | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TF_VERSION }} | |
- name: Terraform Init | |
run: terraform init | |
- name: Fetch k0s Artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: k0s-${{ matrix.arch }} | |
path: ${{ github.workspace }}/k0s | |
- name: Launch Test Environment | |
env: | |
TF_VAR_cluster_name: "k0s_conformance" | |
TF_VAR_k0s_version: ${{ needs.release.outputs.tag_name }} | |
run: | | |
# Start SSH Agent | |
eval `ssh-agent -s` | |
terraform apply -auto-approve | |
- name: Create k0s Cluster using k0sctl | |
run: | | |
# download k0sctl | |
curl --silent -L "https://github.com/k0sproject/k0sctl/releases/download/${K0SCTL_VERSION}/k0sctl-linux-x64" -o k0sctl | |
chmod +x ./k0sctl | |
./k0sctl apply -c k0sctl.yaml | |
# save kubeconfig file | |
./k0sctl kubeconfig > $KUBECONFIG | |
- name: Run Full Conformance Check | |
run: make check-conformance | |
working-directory: ./inttest | |
- name: Retrieve Sonobuoy Results | |
run: | | |
make get-conformance-results | |
working-directory: ./inttest | |
- name: Upload conformance test result to Release Assets | |
uses: shogo82148/[email protected] # Allows us to upload a file with wildcard patterns | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: inttest/*_sonobuoy_*.tar.gz | |
asset_name: sonobuoy-conformance-results-${{ matrix.arch }}-${{ needs.release.outputs.tag_name }}.tar.gz | |
asset_content_type: application/gzip | |
overwrite: true # In case we need to re-run the conformance this let's us to overwrite the results tarball | |
if: ${{ always() }} | |
- name: Clean-Up Environment | |
env: | |
TF_VAR_cluster_name: "k0s_conformance" | |
TF_VAR_k0s_version: ${{ needs.release.outputs.tag_name }} | |
run: | | |
terraform destroy -auto-approve | |
if: ${{ always() }} |