cli-release #26

Workflow file for this run

.github/workflows/cli_release.yaml at 13e953a

	---
	name: cli-release
	on:
	push:
	tags:
	- release/cli/**
	permissions:
	contents: read
	env:
	VERSIONS_FILE: "VERSIONS.json"
	jobs:
	get-dev-image:
	uses: ./.github/workflows/get_image.yaml
	with:
	image-base-name: "dev_image_with_extras"
	build-release:
	name: Build Release
	runs-on: ubuntu-latest-16-cores
	needs: get-dev-image
	container:
	image: ${{ needs.get-dev-image.outputs.image-with-tag }}
	env:
	ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
	steps:
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	fetch-depth: 0
	- name: Add pwd to git safe dir
	run: git config --global --add safe.directory `pwd`
	- name: get bazel config
	uses: ./.github/actions/bazelrc
	with:
	download_toplevel: 'true'
	BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
	- name: Setup podman
	run: \|
	# With some kernel configs (eg. COS), podman only works with legacy iptables.
	update-alternatives --set iptables /usr/sbin/iptables-legacy
	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
	- name: Import GPG key
	env:
	BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
	run: \|
	echo "${BUILDBOT_GPG_KEY_B64}" \| base64 --decode \| gpg --no-tty --batch --import
	- id: gcloud-creds
	uses: ./.github/actions/gcloud_creds
	with:
	SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
	- name: Build & Push Artifacts
	env:
	REF: ${{ github.event.ref }}
	BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	BUILD_NUMBER: ${{ github.run_attempt }}
	JOB_NAME: ${{ github.job }}
	GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
	shell: bash
	run: \|
	export TAG_NAME="${REF#*/tags/}"
	mkdir -p "artifacts/"
	export ARTIFACTS_DIR="$(realpath artifacts/)"
	./ci/save_version_info.sh
	./ci/cli_build_release.sh
	- name: Upload Github Artifacts
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: linux-artifacts
	path: artifacts/
	- name: Update GCS Manifest
	env:
	ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public"
	# Use the old style versions file instead of the new updates for the gcs manifest.
	MANIFEST_UPDATES: ""
	GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
	run: ./ci/update_artifact_manifest.sh
	- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: artifact-upload-log
	path: ${{ env.ARTIFACT_UPLOAD_LOG }}
	sign-release:
	name: Sign Release for MacOS
	runs-on: macos-latest
	needs: build-release
	steps:
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	fetch-depth: 0
	- name: Add pwd to git safe dir
	run: git config --global --add safe.directory `pwd`
	- name: Install gon
	run: brew install Bearer/tap/gon
	- name: Sign CLI release
	env:
	REF: ${{ github.event.ref }}
	AC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
	CERT_BASE64: ${{ secrets.APPLE_SIGN_CERT_B64 }}
	CERT_PASSWORD: ${{ secrets.APPLE_SIGN_CERT_PASSWORD }}
	shell: bash
	run: \|
	export CERT_PATH="pixie.cert"
	echo -n "$CERT_BASE64" \| base64 --decode -o "$CERT_PATH"
	export TAG_NAME="${REF#*/tags/}"
	mkdir -p "artifacts/"
	export ARTIFACTS_DIR="$(pwd)/artifacts"
	./ci/cli_merge_sign.sh
	- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: macos-artifacts
	path: artifacts/
	push-signed-artifacts:
	name: Push Signed Artifacts for MacOS
	runs-on: ubuntu-latest
	needs: [get-dev-image, sign-release]
	container:
	image: ${{ needs.get-dev-image.outputs.image-with-tag }}
	env:
	MANIFEST_UPDATES: "manifest_updates.json"
	steps:
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	fetch-depth: 0
	- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: macos-artifacts
	- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: artifact-upload-log
	- name: Import GPG key
	env:
	BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
	run: \|
	echo "${BUILDBOT_GPG_KEY_B64}" \| base64 --decode \| gpg --no-tty --batch --import
	- id: gcloud-creds
	uses: ./.github/actions/gcloud_creds
	with:
	SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
	- name: Upload signed CLI
	env:
	REF: ${{ github.event.ref }}
	BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
	GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
	ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
	shell: bash
	run: \|
	export TAG_NAME="${REF#*/tags/}"
	mkdir -p "artifacts/"
	export ARTIFACTS_DIR="$(pwd)/artifacts"
	./ci/cli_upload_signed.sh
	- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: macos-artifacts
	path: artifacts/
	- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: manifest-updates
	path: ${{ env.MANIFEST_UPDATES }}
	create-github-release:
	name: Create Release on Github
	runs-on: ubuntu-latest
	needs: push-signed-artifacts
	permissions:
	contents: write
	steps:
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	fetch-depth: 0
	- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	- name: Create Release
	env:
	REF: ${{ github.event.ref }}
	GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}
	shell: bash
	run: \|
	export TAG_NAME="${REF#*/tags/}"
	# actions/checkout doesn't get the tag annotation properly.
	git fetch origin tag "${TAG_NAME}" -f
	export changelog="$(git tag -l --format='%(contents)' "${TAG_NAME}")"
	prerelease=()
	if [[ "${REF}" == "-" ]]; then
	prerelease=("--prerelease")
	fi
	gh release create "${TAG_NAME}" "${prerelease[@]}" \
	--title "CLI ${TAG_NAME#release/cli/}" \
	--notes $'Pixie CLI Release:\n'"${changelog}"
	gh release upload "${TAG_NAME}" linux-artifacts/* macos-artifacts/*
	update-gh-artifacts-manifest:
	runs-on: ubuntu-latest-8-cores
	needs: [get-dev-image, create-github-release]
	container:
	image: ${{ needs.get-dev-image.outputs.image-with-tag }}
	concurrency: gh-pages
	permissions:
	contents: write
	steps:
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	fetch-depth: 0
	- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
	with:
	ref: gh-pages
	path: gh-pages
	- name: Add pwd to git safe dir
	run: \|
	git config --global --add safe.directory `pwd`
	git config --global --add safe.directory "$(pwd)/gh-pages"
	- name: Import GPG key
	env:
	BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
	run: \|
	echo "${BUILDBOT_GPG_KEY_B64}" \| base64 --decode \| gpg --no-tty --batch --import
	- name: Setup git
	shell: bash
	env:
	BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
	run: \|
	git config --global user.name 'pixie-io-buildbot'
	git config --global user.email '[email protected]'
	git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}"
	git config --global commit.gpgsign true
	- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	id: download-artifact
	with:
	name: manifest-updates
	- name: Update gh-pages Manifest
	env:
	ARTIFACT_MANIFEST_PATH: "gh-pages/artifacts/manifest.json"
	MANIFEST_UPDATES: "manifest_updates.json"
	run: \|
	./ci/update_artifact_manifest.sh
	cd gh-pages
	export ARTIFACT_MANIFEST_PATH="${ARTIFACT_MANIFEST_PATH##gh-pages/}"
	git add "${ARTIFACT_MANIFEST_PATH}" "${ARTIFACT_MANIFEST_PATH}.sha256"
	git commit -s -m "Update artifact manifest"
	git push origin "gh-pages"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cli-release #26

Workflow file

cli-release #26

Jobs

Run details

Workflow file for this run