feat: create release pipeline

Author: andrpac

.github/actions/certify-openshift-images/action.yaml

@@ -11,6 +11,10 @@ inputs:
   version:
     description: The version of the image to be certified
     required: true
+  registry_username:
+    description: The username to access the registry
+    required: false
+    default: "mongodb+mongodb_atlas_kubernetes"
   registry_password:
     description: The password to access the quay.io registry
     required: true
@@ -31,6 +35,7 @@ runs:
     REGISTRY: ${{ inputs.registry }}
     REPOSITORY: ${{ inputs.repository }}
     VERSION: ${{ inputs.version }}
+    REGISTRY_USERNAME: ${{ inputs.registry_username }}
     REGISTRY_PASSWORD: ${{ inputs.registry_password }}
     RHCC_TOKEN: ${{ inputs.rhcc_token }}
     RHCC_PROJECT: ${{ inputs.rhcc_project }}

.github/actions/certify-openshift-images/entrypoint.sh

@@ -16,7 +16,7 @@
 
 set -eou pipefail
 
-docker login -u mongodb+mongodb_atlas_kubernetes -p "${REGISTRY_PASSWORD}" "${REGISTRY}"
+echo "${REGISTRY_PASSWORD}" | docker login -u "${REGISTRY_USERNAME}" --password-stdin "${REGISTRY}"
 
 submit_flag=--submit
 if [ "${SUBMIT}" == "false" ]; then
@@ -27,6 +27,6 @@ echo "Check and Submit result to RedHat Connect"
 # Send results to RedHat if preflight finished wthout errors
 preflight check container "${REGISTRY}/${REPOSITORY}:${VERSION}" \
   --pyxis-api-token="${RHCC_TOKEN}" \
-  --certification-project-id="${RHCC_PROJECT}" \
+  --certification-component-id="${RHCC_PROJECT}" \
   --docker-config="${HOME}/.docker/config.json" \
   ${submit_flag}

.github/workflows/cloud-tests-filter.yml

@@ -55,7 +55,7 @@ jobs:
             ACTOR: ${{ github.actor }}
           run: |
             # Evaluate whether or not cloud tests should run
-            RUN_CLOUD_TESTS='false'
+            RUN_CLOUD_TESTS='true'
             # Scheduled runs on default branch always run all tests
             if [ "${EVENT}" == "schedule" ];then
               RUN_CLOUD_TESTS='true'

.github/workflows/cloud-tests.yml

@@ -21,23 +21,7 @@ jobs:
       - name: allowed message
         run: echo "Allowed to run"
 
-  int-tests:
-    needs: allowed
-    uses: ./.github/workflows/test-int.yml
-    secrets: inherit
-
   e2e-tests:
     needs: allowed
     uses: ./.github/workflows/test-e2e.yml
     secrets: inherit
-
-  test-e2e-gov:
-    needs:
-      - allowed
-    uses: ./.github/workflows/test-e2e-gov.yml
-    secrets: inherit
-
-  openshift-upgrade-test:
-    needs: allowed
-    uses: ./.github/workflows/openshift-upgrade-test.yaml
-    secrets: inherit

.github/workflows/promote-image.yml

@@ -21,43 +21,39 @@ jobs:
       - name: Checkout PR commit
         uses: actions/checkout@v4
 
-      # Note, we have to be careful how we retrive the image. The event that pushed 
-      # the image to the ghcr.io repo was mainly a push/schedule that passed all the
-      # tests. This event has access to github.ref_name. However, the workflow_run
-      # event does not have access github.ref_name set up. 
-      # 
-      # Therefore, we need to manually specify the branch as main
-      - name: Prepare image tag
-        id: set_tag
-        uses: ./.github/actions/set-tag
-        with:
-          branch_name: ${{ github.event.workflow_run.head_branch }}
-          commit_sha: ${{ github.event.workflow_run.head_sha }}
-
       - name: Log in to the GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Pull unofficial image from GitHub Container Registry
-        run: |
-          docker pull ${{ env.GHCR_REPO }}:${{ steps.set_tag.outputs.tag }}
-
       - name: Login to Docker registry
         uses: docker/login-action@v3
         with:
           registry: docker.io
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-            
+      
       - name: Log in to Quay registry
         uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
+
+      # Note, we have to be careful how we retrive the image. The event that pushed 
+      # the image to the ghcr.io repo was mainly a push/schedule that passed all the
+      # tests. This event has access to github.ref_name. However, the workflow_run
+      # event does not have access github.ref_name set up. 
+      # 
+      # Therefore, we need to manually specify the branch as main
+      - name: Prepare image tag
+        id: set_tag
+        uses: ./.github/actions/set-tag
+        with:
+          branch_name: ${{ github.event.workflow_run.head_branch }}
+          commit_sha: ${{ github.event.workflow_run.head_sha }}
 
       - name: Prepare tag for promoted image
         id: promoted_tag

.github/workflows/release-image.yml

@@ -0,0 +1,208 @@
+name: Release Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release version (e.g., 1.2.3)"
+        required: true
+        type: string
+      authors:
+        description: "Comma-separated list of the release authors' emails"
+        required: true
+        type: string
+      commit_sha:
+        description: "Commit SHA to use for the image (e.g. 7c2a91 or latest)"
+        required: false
+        default: "latest"
+        type: string
+  push:
+    branches:
+      - '**'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-image:
+    runs-on: ubuntu-latest
+    environment: release
+    env:
+      VERSION: test-0.0.1
+      AUTHORS: [email protected]
+      COMMIT_SHA: 99511c
+
+      DOCKER_RELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator
+      DOCKER_PRERELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+      DOCKER_SIGNATURE_REPO: docker.io/andrpac/signatures
+      QUAY_RELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator
+      QUAY_PRERELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate GitHub App Token
+        id: generate_token
+        uses: mongodb/apix-action/token@v8
+        with:
+          app-id: ${{ secrets.AKO_RELEASER_APP_ID }}
+          private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }}
+        
+        # Login in into all registries
+      - name: Log in to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.ANDRPAC_DOCKER_USERNAME }}
+          password: ${{ secrets.ANDRPAC_DOCKER_PASSWORD }}
+
+      - name: Log in to Quay registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.ANDRPAC_QUAY_USERNAME }}
+          password: ${{ secrets.ANDRPAC_QUAY_PASSWORD }}
+
+      - name: Log in to Artifactory
+        uses: docker/login-action@v3
+        with:
+          registry: artifactory.corp.mongodb.com
+          username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }}
+
+      - name: Install devbox
+        uses: jetify-com/[email protected]
+
+      - name: Resolve commit SHA and tags
+        id: tags
+        run: |
+          if [ "${{ env.COMMIT_SHA }}" = "latest" ]; then
+            git fetch origin main
+            sha=$(git rev-parse origin/main)
+          else
+            sha="${{ env.COMMIT_SHA }}"
+          fi
+
+          short_sha="${sha:0:6}"
+          promoted_tag="promoted-${short_sha}"
+          release_tag="${{ env.VERSION }}"
+          certified_tag="certified-${release_tag}"
+
+          docker_image_url="${{ env.DOCKER_RELEASE_REPO }}:${release_tag}"
+          quay_image_url="${{ env.QUAY_RELEASE_REPO }}:${release_tag}"
+          quay_certified_image_url="${{ env.QUAY_RELEASE_REPO }}:${certified_tag}"
+
+          echo "promoted_tag=${promoted_tag}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+          echo "certified_tag=${certified_tag}" >> "$GITHUB_OUTPUT"
+          echo "docker_image_url=${docker_image_url}" >> "$GITHUB_OUTPUT"
+          echo "quay_image_url=${quay_image_url}" >> "$GITHUB_OUTPUT"
+          echo "quay_certified_image_url=${quay_certified_image_url}" >> "$GITHUB_OUTPUT"
+
+      # Move prerelease images to official release registries in Docker Hub and Quay
+      - name: Promote Docker prerelease image
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.DOCKER_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.DOCKER_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }}
+
+      - name: Promote Quay prerelease image
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }}
+
+      # Create Openshift certified images 
+      - name: Create OpenShift certified image on Quay
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ steps.tags.outputs.certified_tag }}
+
+      # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements
+      - name: Generate deployment configurations
+        uses: ./.github/actions/gen-install-scripts
+        with:
+          ENV: prod
+          IMAGE_URL: ${{ steps.tags.outputs.docker_image_url }}
+
+      - name: Bump Helm chart version
+        run: devbox run -- ./scripts/bump-helm-chart-version.sh
+
+      # Prepare SDLC requirement: signatures, sboms, compliance reports
+      # Note, signed images will live in mongodb/release and mongodb/signature repos
+      - name: Sign released images
+        run: |
+          devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}"         SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_image_url }}"           SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}"         SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+        env:
+          PKCS11_URI: ${{ secrets.PKCS11_URI }}
+          GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
+          GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
+
+      - name: Generate SBOMs
+        run: devbox run -- make generate-sboms
+        env:
+          RELEASED_OPERATOR_IMAGE: ${{ env.DOCKER_RELEASE_REPO }}
+
+      - name: Generate SDLC report
+        run: devbox run -- make gen-sdlc-checklist
+
+      # Create pr with all updates
+      - name: Create pull request for release changes
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          commit-message: "chore(release): updates from new release v${{ env.VERSION }}"
+          title: "Release v${{ env.VERSION }}"
+          body: |
+            This PR was automatically generated by the **release-image** workflow.
+
+            Version: `${{ env.VERSION }}`
+            Authors: ${{ env.AUTHORS }}
+          base: main
+          branch: "new-release/${{ env.VERSION }}" # This should avoid for now running all tests till we fix cloud-test-filter.yml
+          delete-branch: true
+          draft: true
+
+        # Create release assets on GitHub
+      - name: Create configuration package
+        run: |
+          devbox run -- 'set -x'
+          devbox run -- 'tar czvf atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz -C deploy all-in-one.yaml'
+
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        with:
+          tag_name: ${{ env.VERSION }}
+          release_name: ${{ env.VERSION }}
+          body_path: docs/release-notes/release-notes-template.md
+          draft: true
+          prerelease: false
+
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz
+          asset_name: atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz
+          asset_content_type: application/tgz