Skip to content

unify machine buildx pipeline and enable sbom+provenance publish (#362) #30

unify machine buildx pipeline and enable sbom+provenance publish (#362)

unify machine buildx pipeline and enable sbom+provenance publish (#362) #30

Workflow file for this run

name: Release
on:
push:
tags:
- '*'
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: true
matrix:
os: [linux]
arch: [amd64, arm64]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build binary
run: make build ARCH=${{ matrix.arch }}
- name: Package artifacts
run: make package ARCH=${{ matrix.arch }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: "rancher-machine-${{ matrix.arch }}.tar.gz"
path: "dist/artifacts/rancher-machine-${{ matrix.arch }}.tar.gz"
if-no-files-found: error
overwrite: true
publish:
runs-on: ubuntu-latest
needs:
- build
permissions:
contents: read
id-token: write # required for cosign signing
steps:
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | PRIME_STG_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | PRIME_STG_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | PRIME_STG_REGISTRY_PASSWORD
- name: Checkout code
uses: actions/checkout@v4
- name: Build and push image to DockerHub and Prime Staging Registry
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: machine
tag: ${{ github.ref_name }}
platforms: linux/amd64,linux/arm64
public-registry: docker.io
public-repo: rancher
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
push-to-prime: true
prime-registry: ${{ env.PRIME_STG_REGISTRY }}
prime-repo: rancher
prime-make-target: push-prime-image
prime-username: ${{ env.PRIME_STG_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_STG_REGISTRY_PASSWORD }}
- name: Build and push image to Prime Prod Registry
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: machine
tag: ${{ github.ref_name }}
platforms: linux/amd64,linux/arm64
push-to-public: false
push-to-prime: true
prime-registry: ${{ env.PRIME_REGISTRY }}
prime-repo: rancher
prime-make-target: push-prime-image
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
create-release:
runs-on: ubuntu-latest
needs:
- build
- publish
permissions:
contents: write # needed for creating the GH release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download assets
uses: actions/download-artifact@v4
with:
path: /tmp/assets
pattern: rancher-machine-*.tar.gz
merge-multiple: true
- name: (for testing) check files
run: ls -l /tmp/assets
- name: Create GH release
run: gh release create ${{ github.ref_name }} --verify-tag --generate-notes /tmp/assets/rancher-machine-*.tar.gz