fix: Apply deletion permission checks when syncing with replace (#14161) #29899
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image | |
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
types: [ labeled, unlabeled, opened, synchronize, reopened ] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: {} | |
jobs: | |
set-vars: | |
permissions: | |
contents: read | |
if: github.repository == 'argoproj/argo-cd' | |
runs-on: ubuntu-22.04 | |
outputs: | |
image-tag: ${{ steps.image.outputs.tag}} | |
platforms: ${{ steps.platforms.outputs.platforms }} | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- name: Set image tag for ghcr | |
run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT | |
id: image | |
- name: Determine image platforms to use | |
id: platforms | |
run: | | |
IMAGE_PLATFORMS=linux/amd64 | |
if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]] | |
then | |
IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
fi | |
echo "Building image for platforms: $IMAGE_PLATFORMS" | |
echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT | |
build-only: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }} | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
# renovate: datasource=golang-version packageName=golang | |
go-version: 1.23.2 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: false | |
build-and-publish: | |
needs: [set-vars] | |
permissions: | |
contents: read | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
id-token: write # for creating OIDC tokens for signing. | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
uses: ./.github/workflows/image-reuse.yaml | |
with: | |
quay_image_name: quay.io/argoproj/argocd:latest | |
ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
# Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) | |
# renovate: datasource=golang-version packageName=golang | |
go-version: 1.23.2 | |
platforms: ${{ needs.set-vars.outputs.platforms }} | |
push: true | |
secrets: | |
quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }} | |
quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }} | |
ghcr_username: ${{ github.actor }} | |
ghcr_password: ${{ secrets.GITHUB_TOKEN }} | |
build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io | |
needs: | |
- build-and-publish | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: ghcr.io/argoproj/argo-cd/argocd | |
digest: ${{ needs.build-and-publish.outputs.image-digest }} | |
registry-username: ${{ github.actor }} | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
Deploy: | |
needs: | |
- build-and-publish | |
- set-vars | |
permissions: | |
contents: write # for git to push upgrade commit if not already deployed | |
packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags | |
if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0 | |
- run: git clone "https://[email protected]/argoproj/argoproj-deployments" | |
env: | |
TOKEN: ${{ secrets.TOKEN }} | |
- run: | | |
docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} | |
git config --global user.email '[email protected]' | |
git config --global user.name 'CI' | |
git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push) | |
working-directory: argoproj-deployments/argocd | |