Release Image #244
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Image | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: "Release version (without v prefix)" | |
| required: true | |
| type: string | |
| authors: | |
| description: "Comma-separated list of author emails" | |
| required: true | |
| type: string | |
| image_sha: | |
| description: "7-digit commit SHA used for the promoted image (e.g. 3e79a3f or 'latest')" | |
| required: false | |
| default: "latest" | |
| type: string | |
| release_type: | |
| description: "Official releases post to official registries, otherwise post to pre-release registries" | |
| type: choice | |
| options: | |
| - official-release | |
| - pre-release | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| # Image2commit: Creates a mapping between the image_sha given as input and the actual git commit | |
| # This is necessary for the release-image step that requires checking out that exact git commit | |
| image2commit: | |
| name: Resolve Commit SHA from Image | |
| runs-on: ubuntu-latest | |
| environment: release | |
| outputs: | |
| commit_sha: ${{ steps.resolve.outputs.commit_sha }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Log in to Docker registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Run image2commit | |
| id: resolve | |
| uses: ./.github/actions/image2commit | |
| with: | |
| registry: docker.io | |
| repo: mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
| image_sha: ${{ github.event.inputs.image_sha }} | |
| # Check-commit: Outputs the commit used when someone wants to use latest image_sha | |
| # and does not know what version of operator will end up using | |
| check-commit: | |
| name: Check resolved commit | |
| runs-on: ubuntu-latest | |
| needs: image2commit | |
| steps: | |
| - name: Echo resolved commit | |
| run: | | |
| echo "Resolved commit: ${{ needs.image2commit.outputs.commit_sha }}" | |
| # Computes the release repo depending on release_type | |
| # official-release is mongodb/mongodb-atlas-kubernetes-operator | |
| # pre-release is mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
| compute-repo: | |
| name: Compute target repos | |
| runs-on: ubuntu-latest | |
| env: | |
| RELEASE_TYPE: ${{ github.event.inputs.release_type }} | |
| outputs: | |
| repo: ${{ steps.compute.outputs.repo }} | |
| version: ${{ steps.read_version.outputs.version }} | |
| steps: | |
| - name: Compute | |
| id: compute | |
| run: | | |
| if [ "${RELEASE_TYPE}" == "official-release" ]; then | |
| echo "Setting official release repo mongodb/mongodb-atlas-kubernetes-operator" | |
| echo "repo=mongodb/mongodb-atlas-kubernetes-operator" | tee -a $GITHUB_OUTPUT | |
| else | |
| echo "Setting pre-release repo mongodb/mongodb-atlas-kubernetes-operator-prerelease" | |
| echo "repo=mongodb/mongodb-atlas-kubernetes-operator-prerelease" | tee -a $GITHUB_OUTPUT | |
| fi | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.image2commit.outputs.commit_sha }} | |
| - name: Read the next release version | |
| id: read_version | |
| env: | |
| INPUT_VERSION: ${{ github.event.inputs.version }} | |
| run: | | |
| VERSION=$(jq -r '.next' version.json) | |
| if [[ "$INPUT_VERSION" != "$VERSION" ]]; then | |
| echo "::error::Input version '$INPUT_VERSION' does not match the expected 'next' version '$VERSION' from version.json." | |
| exit 1 | |
| fi | |
| echo "version=${VERSION}" >> "${GITHUB_OUTPUT}" | |
| # Release-image: Created and uploads a release for the specified operator version given in the image_sha | |
| # Note, with new releases, all the release artifacts will be stored within docs/releases/{version} | |
| release-image: | |
| name: Release images | |
| runs-on: ubuntu-latest | |
| environment: release | |
| needs: | |
| - image2commit | |
| - compute-repo | |
| env: | |
| VERSION: ${{ needs.compute-repo.outputs.version }} | |
| RELEASE_TAG: v${{ github.event.inputs.version }} | |
| AUTHORS: ${{ github.event.inputs.authors }} | |
| IMAGE_SHA: ${{ github.event.inputs.image_sha }} | |
| DOCKER_SIGNATURE_REPO: docker.io/mongodb/signatures | |
| DOCKER_RELEASE_REPO: ${{ needs.compute-repo.outputs.repo }} | |
| DOCKER_PRERELEASE_REPO: docker.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
| QUAY_RELEASE_REPO: quay.io/${{ needs.compute-repo.outputs.repo }} | |
| QUAY_PRERELEASE_REPO: quay.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease | |
| PROMOTED_TAG: promoted-${{ github.event.inputs.image_sha }} | |
| CERTIFIED_TAG: ${{ github.event.inputs.version }}-certified | |
| DOCKER_IMAGE_URL: ${{ needs.compute-repo.outputs.repo }}:${{ github.event.inputs.version }} | |
| QUAY_IMAGE_URL: quay.io/${{ needs.compute-repo.outputs.repo }}:${{ github.event.inputs.version }} | |
| QUAY_CERTIFIED_IMAGE_URL: quay.io/${{ needs.compute-repo.outputs.repo }}:${{ github.event.inputs.version }}-certified | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.image2commit.outputs.commit_sha }} | |
| - name: Generate GitHub App Token | |
| id: generate_token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.AKO_RELEASER_APP_ID }} | |
| private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: | | |
| mongodb-atlas-kubernetes | |
| helm-charts | |
| # Login in into all registries | |
| - name: Log in to Docker registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Log in to Quay registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Log in to Artifactory | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: artifactory.corp.mongodb.com | |
| username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} | |
| password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} | |
| - name: Install devbox | |
| uses: jetify-com/[email protected] | |
| # Trigger the helm release workflow to sync | |
| - name: Trigger helm post release workflow | |
| env: | |
| GH_TOKEN: ${{ steps.generate_token.outputs.token }} | |
| run: | | |
| gh workflow run post-atlas-operator-release.yaml \ | |
| --repo mongodb/helm-charts \ | |
| --ref main \ | |
| --field version="${{ env.VERSION }}" | |
| # Move prerelease images to official release registries in Docker Hub and Quay | |
| - name: Move image to Docker registry release from prerelease | |
| run: devbox run -- ./scripts/move-image.sh | |
| env: | |
| IMAGE_SRC_REPO: ${{ env.DOCKER_PRERELEASE_REPO }} | |
| IMAGE_DEST_REPO: ${{ env.DOCKER_RELEASE_REPO }} | |
| IMAGE_SRC_TAG: ${{ env.PROMOTED_TAG }} | |
| IMAGE_DEST_TAG: ${{ env.VERSION }} | |
| - name: Move image to Quay registry release from prerelease | |
| run: devbox run -- ./scripts/move-image.sh | |
| env: | |
| IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} | |
| IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} | |
| IMAGE_SRC_TAG: ${{ env.PROMOTED_TAG }} | |
| IMAGE_DEST_TAG: ${{ env.VERSION }} | |
| # Create Openshift certified images | |
| - name: Create OpenShift certified image on Quay | |
| run: devbox run -- ./scripts/move-image.sh | |
| env: | |
| IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} | |
| IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} | |
| IMAGE_SRC_TAG: ${{ env.PROMOTED_TAG }} | |
| IMAGE_DEST_TAG: ${{ env.CERTIFIED_TAG }} | |
| - name: Certify Openshift images | |
| uses: ./.github/actions/certify-openshift-images | |
| if: github.event.inputs.release_type == 'official-release' | |
| with: | |
| registry: quay.io | |
| repository: ${{ needs.compute-repo.outputs.repo }} | |
| version: ${{ env.CERTIFIED_TAG }} | |
| registry_password: ${{ secrets.QUAY_PASSWORD }} | |
| rhcc_project: ${{ secrets.RH_CERTIFICATION_OSPID }} | |
| rhcc_token: ${{ secrets.RH_CERTIFICATION_PYXIS_API_TOKEN }} | |
| submit: true | |
| # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements | |
| - name: Generate deployment configurations | |
| uses: ./.github/actions/gen-install-scripts | |
| with: | |
| ENV: prod | |
| VERSION: ${{ env.VERSION }} | |
| IMAGE_URL: ${{ env.DOCKER_IMAGE_URL }} | |
| - name: Bump Helm chart version | |
| run: devbox run -- ./scripts/bump-helm-chart-version.sh | |
| # Prepare SDLC requirement: signatures, sboms, compliance reports | |
| # Note, signed images will live in mongodb/release and mongodb/signature repos | |
| - name: Sign released images | |
| run: | | |
| devbox run -- make sign IMG="${{ env.DOCKER_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}" | |
| devbox run -- make sign IMG="${{ env.QUAY_IMAGE_URL }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" | |
| devbox run -- make sign IMG="${{ env.DOCKER_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" | |
| devbox run -- make sign IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" | |
| devbox run -- make sign IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" | |
| env: | |
| PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
| GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
| GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
| - name: Self-verify released image signatures | |
| run: | | |
| devbox run -- make verify IMG="${{ env.DOCKER_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}" | |
| devbox run -- make verify IMG="${{ env.QUAY_IMAGE_URL }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" | |
| devbox run -- make verify IMG="${{ env.DOCKER_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" | |
| devbox run -- make verify IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" | |
| devbox run -- make verify IMG="${{ env.QUAY_CERTIFIED_IMAGE_URL }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" | |
| env: | |
| PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
| GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
| GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
| - name: Generate SBOMs | |
| run: devbox run -- make generate-sboms RELEASED_OPERATOR_IMAGE="${{ env.DOCKER_RELEASE_REPO }}" | |
| - name: Create SDLC report | |
| run: devbox run -- make gen-sdlc-checklist | |
| - name: Generate licenses.csv | |
| run: | | |
| devbox run -- 'make build-licenses.csv' | |
| - name: Bump version.json | |
| run: | | |
| devbox run -- 'make bump-version-file' | |
| # Create PR on release branch with all updates generated | |
| - name: Create release pr with all updated artefacts | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| export BRANCH="new-release/${RELEASE_TAG}" | |
| export COMMIT_MESSAGE="feat: release ${RELEASE_TAG}" | |
| export RELEASE_DIR="releases/${RELEASE_TAG}" | |
| git config --global user.name "release-bot[bot]" | |
| git config --global user.email "456789+release-bot[bot]@users.noreply.github.com" | |
| # Create release directory | |
| mkdir -p "$RELEASE_DIR" | |
| cp -rf deploy "$RELEASE_DIR/" | |
| cp -rf bundle "$RELEASE_DIR/" | |
| cp -rf helm-charts "$RELEASE_DIR/" | |
| cp bundle.Dockerfile "$RELEASE_DIR/bundle.Dockerfile" | |
| cp licenses.csv "$RELEASE_DIR/" | |
| git fetch origin | |
| git checkout -f -b "$BRANCH" origin/main | |
| git push -f origin "$BRANCH" | |
| # Update Helm Charts on main | |
| cp -r "$RELEASE_DIR/helm-charts" . | |
| git add -f "$RELEASE_DIR" helm-charts | |
| scripts/create-signed-commit.sh | |
| # FIX: Add this line to unstage any accidental workflow changes | |
| git reset .github/ | |
| gh pr create \ | |
| --draft \ | |
| --base main \ | |
| --head "$BRANCH" \ | |
| --title "$COMMIT_MESSAGE" \ | |
| --body "This is an autogenerated PR to prepare for the release" | |
| # Create release artefacts on GitHub by tagging and pushing a tag | |
| - name: Create configuration package | |
| run: | | |
| set -x | |
| tar czvf atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz -C releases/${{ env.RELEASE_TAG }}/deploy all-in-one.yaml | |
| - name: Tag the release assets | |
| run: | | |
| git fetch --tags | |
| git tag -f ${{ env.RELEASE_TAG }} ${{ needs.image2commit.outputs.commit_sha }} | |
| git push -f origin ${{ env.RELEASE_TAG }} | |
| - name: Create release on GitHub | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| draft: true | |
| prerelease: false | |
| tag_name: "${{ env.RELEASE_TAG }}" | |
| name: "${{ env.RELEASE_TAG }}" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| body_path: docs/release-notes/release-notes-template.md | |
| files: | | |
| ./atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz | |
| ./docs/releases/v${{ env.VERSION }}/sdlc-compliance.md | |
| ./docs/releases/v${{ env.VERSION }}/linux_amd64.sbom.json | |
| ./docs/releases/v${{ env.VERSION }}/linux_arm64.sbom.json |