feat: adding back publish-image-and-sign support

Signed-off-by: NucleoFusion <[email protected]>

fix: adding back publish-release dependency on test-code

Signed-off-by: NucleoFusion <[email protected]>

test

Signed-off-by: NucleoFusion <[email protected]>

test

Signed-off-by: NucleoFusion <[email protected]>

test

Signed-off-by: NucleoFusion <[email protected]>

test

Signed-off-by: NucleoFusion <[email protected]>

test

Signed-off-by: NucleoFusion <[email protected]>

Author: NucleoFusion

.dagger/pipeline/apt-repo.go

@@ -60,7 +60,7 @@ EOF`,
         cd /repo
 
         git init
-        git remote add origin https://x-access-token:[email protected]/goharbor/harbor-cli.git
+        git remote add origin https://x-access-token:[email protected]/nucleofusion/harbor-cli.git
         git checkout -B gh-pages || git checkout --orphan gh-pages
 
         git config user.name "github-actions[bot]"

.dagger/publishimage.go

@@ -0,0 +1,206 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"dagger/harbor-cli/internal/dagger"
+)
+
+func (m *HarborCli) PublishImageAndSign(
+	ctx context.Context,
+	source *dagger.Directory,
+	registry string,
+	registryUsername string,
+	registryPassword *dagger.Secret,
+	imageTags []string,
+	// +optional
+	githubToken *dagger.Secret,
+	// +optional
+	actionsIdTokenRequestToken *dagger.Secret,
+	// +optional
+	actionsIdTokenRequestUrl string,
+) (string, error) {
+	m.init(ctx, source)
+
+	imageAddrs := m.PublishImage(ctx, registry, registryUsername, imageTags, registryPassword)
+
+	_, err := m.Sign(
+		ctx,
+		githubToken,
+		actionsIdTokenRequestUrl,
+		actionsIdTokenRequestToken,
+		registryUsername,
+		registryPassword,
+		imageAddrs[0],
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign image: %w", err)
+	}
+
+	fmt.Printf("Signed image: %s\n", imageAddrs)
+	return imageAddrs[0], nil
+}
+
+func (m *HarborCli) PublishImage(
+	ctx context.Context,
+	registry, registryUsername string,
+	// +optional
+	// +default=["latest"]
+	imageTags []string,
+	registryPassword *dagger.Secret,
+) []string {
+	version := getVersion(imageTags)
+	builders := m.build(ctx, version)
+	releaseImages := []*dagger.Container{}
+
+	for i, tag := range imageTags {
+		imageTags[i] = strings.TrimSpace(tag)
+		if strings.HasPrefix(imageTags[i], "v") {
+			imageTags[i] = strings.TrimPrefix(imageTags[i], "v")
+		}
+	}
+	fmt.Printf("provided tags: %s\n", imageTags)
+
+	// Get current time for image creation timestamp
+	creationTime := time.Now().UTC().Format(time.RFC3339)
+
+	for _, builder := range builders {
+		os, _ := builder.EnvVariable(ctx, "GOOS")
+		arch, _ := builder.EnvVariable(ctx, "GOARCH")
+
+		if os != "linux" {
+			continue
+		}
+
+		ctr := dag.Container(dagger.ContainerOpts{Platform: dagger.Platform(os + "/" + arch)}).
+			From("alpine:latest").
+			WithWorkdir("/").
+			WithFile("/harbor", builder.File("./harbor")).
+			WithExec([]string{"ls", "-al"}).
+			WithExec([]string{"./harbor", "version"}).
+			// Add required metadata labels for ArtifactHub
+			WithLabel("org.opencontainers.image.created", creationTime).
+			WithLabel("org.opencontainers.image.description", "Harbor CLI - A command-line interface for CNCF Harbor, the cloud native registry!").
+			WithLabel("io.artifacthub.package.readme-url", "https://raw.githubusercontent.com/goharbor/harbor-cli/main/README.md").
+			WithLabel("org.opencontainers.image.source", "https://github.com/goharbor/harbor-cli").
+			WithLabel("org.opencontainers.image.version", version).
+			WithLabel("io.artifacthub.package.license", "Apache-2.0").
+			WithEntrypoint([]string{"/harbor"})
+		releaseImages = append(releaseImages, ctr)
+	}
+
+	imageAddrs := []string{}
+	for _, imageTag := range imageTags {
+		addr, err := dag.Container().WithRegistryAuth(registry, registryUsername, registryPassword).
+			Publish(ctx,
+				fmt.Sprintf("%s/%s/harbor-cli:%s", registry, registryUsername, imageTag),
+				dagger.ContainerPublishOpts{PlatformVariants: releaseImages},
+			)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Printf("Published image address: %s\n", addr)
+		imageAddrs = append(imageAddrs, addr)
+	}
+	return imageAddrs
+}
+
+func (m *HarborCli) build(
+	ctx context.Context,
+	version string,
+) []*dagger.Container {
+	var builds []*dagger.Container
+
+	fmt.Println("🛠️  Building with Dagger...")
+	oses := []string{"linux", "darwin", "windows"}
+	arches := []string{"amd64", "arm64"}
+
+	// temp container with git installed
+	temp := dag.Container().
+		From("alpine:latest").
+		WithMountedDirectory("/src", m.Source).
+		// --no-cache option is to avoid caching the apk package index
+		WithExec([]string{"apk", "add", "--no-cache", "git"}).
+		WithWorkdir("/src")
+
+	gitCommit, _ := temp.WithExec([]string{"git", "rev-parse", "--short", "HEAD", "--always"}).Stdout(ctx)
+	buildTime := time.Now().UTC().Format(time.RFC3339)
+	ldflagsArgs := fmt.Sprintf(`-X github.com/goharbor/harbor-cli/cmd/harbor/internal/version.Version=%s
+						  -X github.com/goharbor/harbor-cli/cmd/harbor/internal/version.GoVersion=%s
+						  -X github.com/goharbor/harbor-cli/cmd/harbor/internal/version.BuildTime=%s
+						  -X github.com/goharbor/harbor-cli/cmd/harbor/internal/version.GitCommit=%s
+				`, version, m.GoVersion, buildTime, gitCommit)
+
+	for _, goos := range oses {
+		for _, goarch := range arches {
+			bin_path := fmt.Sprintf("build/%s/%s/", goos, goarch)
+			builder := dag.Container().
+				From("golang:"+m.GoVersion+"-alpine").
+				WithMountedCache("/go/pkg/mod", dag.CacheVolume("go-mod-"+m.GoVersion)).
+				WithEnvVariable("GOMODCACHE", "/go/pkg/mod").
+				WithMountedCache("/go/build-cache", dag.CacheVolume("go-build-"+m.GoVersion)).
+				WithEnvVariable("GOCACHE", "/go/build-cache").
+				WithMountedDirectory("/src", m.Source).
+				WithWorkdir("/src").
+				WithEnvVariable("GOOS", goos).
+				WithEnvVariable("GOARCH", goarch).
+				WithExec([]string{"go", "build", "-ldflags", ldflagsArgs, "-o", bin_path + "harbor", "/src/cmd/harbor/main.go"}).
+				WithWorkdir(bin_path).
+				WithExec([]string{"ls"}).
+				WithEntrypoint([]string{"./harbor"})
+
+			builds = append(builds, builder)
+		}
+	}
+	return builds
+}
+
+// Sign signs a container image using Cosign, works also with GitHub Actions
+func (m *HarborCli) Sign(ctx context.Context,
+	// +optional
+	githubToken *dagger.Secret,
+	// +optional
+	actionsIdTokenRequestUrl string,
+	// +optional
+	actionsIdTokenRequestToken *dagger.Secret,
+	registryUsername string,
+	registryPassword *dagger.Secret,
+	imageAddr string,
+) (string, error) {
+	registryPasswordPlain, _ := registryPassword.Plaintext(ctx)
+
+	cosing_ctr := dag.Container().From("cgr.dev/chainguard/cosign")
+
+	// If githubToken is provided, use it to sign the image
+	if githubToken != nil {
+		if actionsIdTokenRequestUrl == "" || actionsIdTokenRequestToken == nil {
+			return "", fmt.Errorf("actionsIdTokenRequestUrl (exist=%s) and actionsIdTokenRequestToken (exist=%t) must be provided when githubToken is provided", actionsIdTokenRequestUrl, actionsIdTokenRequestToken != nil)
+		}
+		fmt.Printf("Setting the ENV Vars GITHUB_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN to sign with GitHub Token")
+		cosing_ctr = cosing_ctr.WithSecretVariable("GITHUB_TOKEN", githubToken).
+			WithEnvVariable("ACTIONS_ID_TOKEN_REQUEST_URL", actionsIdTokenRequestUrl).
+			WithSecretVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN", actionsIdTokenRequestToken)
+	}
+
+	return cosing_ctr.WithSecretVariable("REGISTRY_PASSWORD", registryPassword).
+		WithExec([]string{"cosign", "env"}).
+		WithExec([]string{
+			"cosign", "sign", "--yes", "--recursive",
+			"--registry-username", registryUsername,
+			"--registry-password", registryPasswordPlain,
+			imageAddr,
+			"--timeout", "1m",
+		}).Stdout(ctx)
+}
+
+func getVersion(tags []string) string {
+	for _, tag := range tags {
+		if strings.HasPrefix(tag, "v") {
+			return tag
+		}
+	}
+	return "latest"
+}

.github/actions/publish-and-sign/action.yaml

@@ -31,7 +31,9 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
-      run: cosign env
+      run: |
+        echo $REGISTRY_PASSWORD
+        cosign env
 
     - name: Publish and Sign Snapshot Image
       uses: dagger/dagger-for-github@v7
@@ -45,10 +47,11 @@ runs:
         version: ${{ steps.dagger_version.outputs.version }}
         verb: call
         args: "publish-image-and-sign \
-          --registry='${{ env.REGISTRY_ADDRESS }}' \
-          --registry-username='${{ env.REGISTRY_USERNAME }}' \
-          --registry-password=env:REGISTRY_PASSWORD \
+          --source=.
+          --registry=${{ env.REGISTRY_ADDRESS }} \
+          --registry-username=${{ env.REGISTRY_USERNAME }} \
+          --registry-password=env://REGISTRY_PASSWORD \
           --image-tags='${{ env.IMAGE_TAGS}}' \
-          --github-token=env:GITHUB_TOKEN \
+          --github-token=env://GITHUB_TOKEN \
           --actions-id-token-request-url=$ACTIONS_ID_TOKEN_REQUEST_URL \
-          --actions-id-token-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+          --actions-id-token-request-token=env://ACTIONS_ID_TOKEN_REQUEST_TOKEN"

.github/workflows/default.yaml

@@ -168,47 +168,47 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-      # - name: Build Binary
-      #   uses: dagger/dagger-for-github@v7
-      #   with:
-      #     version: ${{ steps.dagger_version.outputs.version }}
-      #     verb: call
-      #     args: build-dev --platform linux/amd64 export --path=./harbor-dev
+      - name: Build Binary
+        uses: dagger/dagger-for-github@v7
+        with:
+          version: ${{ steps.dagger_version.outputs.version }}
+          verb: call
+          args: build-dev --source=. --platform linux/amd64 export --path=./harbor-dev
 
-  # push-latest-images:
-  #   needs:
-  #     - lint
-  #     - test-code
-  #   permissions:
-  #     contents: read
-  #     id-token: write
-  #   runs-on: ubuntu-latest
-  #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-  #   steps:
-  #     - name: Print GitHub ref for debugging
-  #       run: |
-  #         echo "GitHub ref: $GITHUB_REF"
-  #
-  #     - name: Checkout repo
-  #       if: github.event_name == 'push' && (github.ref == 'refs/heads/main')
-  #       uses: actions/checkout@v4
-  #       with:
-  #         fetch-depth: 0
-  #
-  #     - name: Publish and Sign Snapshot Image
-  #       if: github.event_name == 'push' && (github.ref == 'refs/heads/main')
-  #       uses: ./.github/actions/publish-and-sign
-  #       with:
-  #         IMAGE_TAGS: latest
-  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  #         REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-  #         REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
-  #         REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
+  push-latest-images:
+    needs:
+      - lint
+      - test-code
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Print GitHub ref for debugging
+        run: |
+          echo "GitHub ref: $GITHUB_REF"
+
+      - name: Checkout repo
+        if: github.event_name == 'push' && (github.ref == 'refs/heads/main')
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Publish and Sign Snapshot Image
+        if: github.event_name == 'push' && (github.ref == 'refs/heads/main')
+        uses: ./.github/actions/publish-and-sign
+        with:
+          IMAGE_TAGS: latest
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
+          REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
 
   publish-release:
     needs:
       - lint
-      # - test-code
+      - test-code
     permissions:
       contents: write
       packages: write
@@ -228,16 +228,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      # - name: Push images
-      #   if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/'))
-      #   uses: ./.github/actions/publish-and-sign
-      #   with:
-      #     IMAGE_TAGS: latest, ${{ github.ref_name }}
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #     REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-      #     REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
-      #     REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
-
       - name: Create Release
         if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/'))
         uses: dagger/dagger-for-github@v7
@@ -248,12 +238,12 @@ jobs:
           verb: call
           args: "pipeline --source=. --github-token=env://GITHUB_TOKEN"
 
-      # - name: Publish and Sign Tagged Image
-      #   if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/'))
-      #   uses: ./.github/actions/publish-and-sign
-      #   with:
-      #     IMAGE_TAGS: "latest, ${{ github.ref_name }}"
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #     REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-      #     REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
-      #     REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
+      - name: Publish and Sign Tagged Image
+        if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/'))
+        uses: ./.github/actions/publish-and-sign
+        with:
+          IMAGE_TAGS: "latest, ${{ github.ref_name }}"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
+          REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}