.github/workflows/release.yml

on:
  release:
    types:
    - published
name: Build Release
permissions:
  contents: read
jobs:
  release-assests:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    name: release kubectl-karmada
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        target:
          - karmadactl
          - kubectl-karmada
        os:
          - linux
          - darwin
        arch:
          - amd64
          - arm64
    steps:
    - uses: actions/checkout@v4
    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version-file: go.mod
    - name: Making and packaging
      env:
        GOOS: ${{ matrix.os }}
        GOARCH: ${{ matrix.arch }}
      run: make release-${{ matrix.target }}
    - name: upload cli
      uses: actions/upload-artifact@v4
      with:
        name: cli-${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
        path: _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
    - name: Uploading assets...
      if: ${{ !env.ACT }}
      uses: softprops/action-gh-release@v2
      with:
        files: |
          _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
          _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
  generate-subject-for-cli-provenance:
    needs: [release-assests]
    runs-on: ubuntu-22.04
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: download cli
        uses: actions/download-artifact@v4
        with:
          path: _output/release
          pattern: cli-*
          merge-multiple: true
      - name: generate cli hash
        id: hash
        run: |
          cd _output/release
          # sha256sum generates sha256 hash for cli.
          # base64 -w0 encodes to base64 and outputs on a single line.
          echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT"
  cli-provenance:
    needs: [generate-subject-for-cli-provenance]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.generate-subject-for-cli-provenance.outputs.hashes }}"
      provenance-name: "karmada-cli.intoto.jsonl"
      upload-assets: true
  release-crds-assests:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    name: release crds
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v4
    - name: Rename the crds directory
      run: |
        mv ./charts/karmada/_crds ./charts/karmada/crds
    - name: Tar the crds
      uses: a7ul/tar-action@v1.2.0
      with:
        command: c
        cwd: ./charts/karmada/
        files: crds
        outPath: crds.tar.gz
    - name: generate crds hash
      id: hash
      run: |
        # sha256sum generates sha256 hash for crds.
        # base64 -w0 encodes to base64 and outputs on a single line.
        echo "hashes=$(sha256sum crds.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
    - name: Uploading crd assets...
      uses: softprops/action-gh-release@v2
      with:
        files: |
          crds.tar.gz
  crds-provenance:
    needs: [release-crds-assests]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.release-crds-assests.outputs.hashes }}"
      provenance-name: "karmada-crds.intoto.jsonl"
      upload-assets: true
  release-charts:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    name: Release charts
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v4
    - name: Making helm charts
      env:
        VERSION: ${{ github.ref_name }}
      run: make package-chart
    - name: Uploading assets...
      if: ${{ !env.ACT }}
      uses: softprops/action-gh-release@v2
      with:
        files: |
          _output/charts/karmada-chart-${{ github.ref_name }}.tgz
          _output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256
          _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
          _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
    - name: generate charts hash
      id: hash
      run: |
        cd _output/charts
        echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT"
  charts-provenance:
    needs: [release-charts]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.release-charts.outputs.hashes }}"
      provenance-name: "karmada-charts.intoto.jsonl"
      upload-assets: true
  sbom-assests:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    name: Release sbom
    outputs:
      hashes: ${{ steps.sbom-hash.outputs.hashes}}
    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v4
    - name: Generate sbom for karmada file system
      uses: aquasecurity/trivy-action@0.29.0
      with:
        scan-type: 'fs'
        format: 'spdx'
        output: 'sbom-karmada.spdx'
        scan-ref: "${{ github.workspace }}/"
    - name: Tar the sbom files
      run: |
        tar -zcf sbom.tar.gz *.spdx
    - name: Generate SBOM hash
      shell: bash
      id: sbom-hash
      run: |
        # sha256sum generates sha256 hash for sbom.
        # base64 -w0 encodes to base64 and outputs on a single line.
        echo "hashes=$(sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
    - name: Uploading sbom assets...
      uses: softprops/action-gh-release@v2
      with:
        files: |
          sbom.tar.gz
  sbom-provenance:
    needs: [sbom-assests]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.sbom-assests.outputs.hashes }}"
      provenance-name: "karmada-sbom.intoto.jsonl"
      upload-assets: true

  update-krew-index:
    env: 
      GH_TOKEN: ${{ github.token }}
    needs: 
    - release-assests
    # prevent job running from forked repository, otherwise
    # 1. running on the forked repository would use unnecessary GitHub Action time.
    # 2. running on the forked repository would open a PR to publish an inaccurate version of karmada in repo kubernetes-sigs/krew-index.
    if: ${{ github.repository == 'karmada-io/karmada' }}
    name: Update krew-index
    runs-on: ubuntu-22.04
    steps:
    - name: get latest tag
      id: get-latest-tag
      run: |
        export LATEST_TAG=`gh api repos/karmada-io/karmada/releases/latest | jq -r '.tag_name'`
        echo "Got the latest tag:$LATEST_TAG"
        echo "event.tag:"${{ github.event.release.tag_name }}
        echo "latestTag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
    - uses: actions/checkout@v4
      if: steps.get-latest-tag.outputs.latestTag == github.event.release.tag_name
    - name: Update new version in krew-index
      if: steps.get-latest-tag.outputs.latestTag == github.event.release.tag_name
      uses: rajatjindal/krew-release-bot@v0.0.47