1616 required : false
1717 default : " latest"
1818 type : string
19-
19+
2020permissions :
2121 contents : write
2222 pull-requests : write
2323
2424jobs :
25-
26- # Note, the first step is necessary for getting the exact commit from the passed in image_sha
27- # This is because, the release-image step should exactly check out that exact commit
25+ # Image2commit: Creates a mapping between the image_sha given as input and the actual git commit
26+ # This is necassary for the release-image step that requires checking out that exact git commit
2827 image2commit :
2928 name : Resolve Commit SHA from Image
3029 runs-on : ubuntu-latest
3130 outputs :
3231 commit_sha : ${{ steps.resolve.outputs.commit_sha }}
33-
3432 steps :
33+ - name : Checkout code
34+ uses : actions/checkout@v4
35+
3536 - name : Log in to Docker registry
3637 uses : docker/login-action@v3
3738 with :
@@ -56,6 +57,128 @@ jobs:
5657 run : |
5758 echo "Resolved commit: ${{ needs.image2commit.outputs.commit_sha }}"
5859
60+ # Release-image: Created and uploads a release for the specified operator version given in the image_sha
61+ # Note, with new releases, all of the release artifacts will be stored withing docs/releases/{release_version}
62+ release-image :
63+ runs-on : ubuntu-latest
64+ environment : release
65+ needs : image2commit
66+ env :
67+ VERSION : ${{ github.event.inputs.version || 'test-0.0.0-dev' }}
68+ AUTHORS : ${{ github.event.inputs.authors || 'unknown' }}
69+ IMAGE_SHA : ${{ github.event.inputs.image_sha || 'latest' }}
70+ DOCKER_SIGNATURE_REPO : docker.io/andrpac/signatures
71+ DOCKER_RELEASE_REPO : docker.io/andrpac/mongodb-atlas-kubernetes-operator
72+ DOCKER_PRERELEASE_REPO : docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
73+ QUAY_RELEASE_REPO : quay.io/andrpac/mongodb-atlas-kubernetes-operator
74+ QUAY_PRERELEASE_REPO : quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
75+ steps :
76+ - name : Checkout code
77+ uses : actions/checkout@v4
78+ with :
79+ fetch-depth : 0
80+ ref : ${{ needs.image2commit.outputs.commit_sha }}
81+
82+ - name : Generate GitHub App Token
83+ id : generate_token
84+ uses : mongodb/apix-action/token@v8
85+ with :
86+ app-id : ${{ secrets.AKO_RELEASER_APP_ID }}
87+ private-key : ${{ secrets.AKO_RELEASER_RSA_KEY }}
88+
89+ # Login in into all registries
90+ - name : Log in to Docker registry
91+ uses : docker/login-action@v3
92+ with :
93+ registry : docker.io
94+ username : ${{ secrets.DOCKER_USERNAME }}
95+ password : ${{ secrets.DOCKER_PASSWORD }}
96+
97+ - name : Log in to Quay registry
98+ uses : docker/login-action@v3
99+ with :
100+ registry : quay.io
101+ username : ${{ secrets.QUAY_USERNAME }}
102+ password : ${{ secrets.QUAY_PASSWORD }}
103+
104+ - name : Install devbox
105+ uses : jetify-com/devbox-install-action@v0.13.0
106+
107+ # This step configures all of the dynamic variables needed for later steps
108+ - name : Configure job environment for downstream steps
109+ id : tags
110+ run : |
111+ promoted_tag="promoted-${IMAGE_SHA}"
112+ release_tag="${VERSION}"
113+ certified_tag="certified-${release_tag}"
114+
115+ docker_image_url="${DOCKER_RELEASE_REPO}:${release_tag}"
116+ quay_image_url="${QUAY_RELEASE_REPO}:${release_tag}"
117+ quay_certified_image_url="${QUAY_RELEASE_REPO}:${certified_tag}"
118+
119+ echo "promoted_tag=$promoted_tag" >> $GITHUB_OUTPUT
120+ echo "release_tag=$release_tag" >> $GITHUB_OUTPUT
121+ echo "certified_tag=$certified_tag" >> $GITHUB_OUTPUT
122+ echo "docker_image_url=$docker_image_url" >> $GITHUB_OUTPUT
123+ echo "quay_image_url=$quay_image_url" >> $GITHUB_OUTPUT
124+ echo "quay_certified_image_url=$quay_certified_image_url" >> $GITHUB_OUTPUT
125+
126+ # Move prerelease images to official release registries in Docker Hub and Quay
127+ - name : Move image to Docker registry release from prerelease
128+ run : devbox run -- ./scripts/move-image.sh
129+ env :
130+ IMAGE_SRC_REPO : ${{ env.DOCKER_PRERELEASE_REPO }}
131+ IMAGE_DEST_REPO : ${{ env.DOCKER_RELEASE_REPO }}
132+ IMAGE_SRC_TAG : ${{ steps.tags.outputs.promoted_tag }}
133+ IMAGE_DEST_TAG : ${{ github.event.inputs.version }}
134+
135+ - name : Move image to Quay registry release from prerelease
136+ run : devbox run -- ./scripts/move-image.sh
137+ env :
138+ IMAGE_SRC_REPO : ${{ env.QUAY_PRERELEASE_REPO }}
139+ IMAGE_DEST_REPO : ${{ env.QUAY_RELEASE_REPO }}
140+ IMAGE_SRC_TAG : ${{ steps.tags.outputs.promoted_tag }}
141+ IMAGE_DEST_TAG : ${{ github.event.inputs.version }}
142+
143+ # Create Openshift certified images
144+ - name : Create OpenShift certified image on Quay
145+ run : devbox run -- ./scripts/move-image.sh
146+ env :
147+ IMAGE_SRC_REPO : ${{ env.QUAY_PRERELEASE_REPO }}
148+ IMAGE_DEST_REPO : ${{ env.QUAY_RELEASE_REPO }}
149+ IMAGE_SRC_TAG : ${{ steps.tags.outputs.promoted_tag }}
150+ IMAGE_DEST_TAG : ${{ steps.tags.outputs.certified_tag }}
151+
152+ # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements
153+ - name : Generate deployment configurations
154+ uses : ./.github/actions/gen-install-scripts
155+ with :
156+ ENV : prod
157+ IMAGE_URL : ${{ steps.tags.outputs.docker_image_url }}
158+
159+ - name : Bump Helm chart version
160+ run : devbox run -- ./scripts/bump-helm-chart-version.sh
161+
162+ # Prepare SDLC requirement: signatures, sboms, compliance reports
163+ # Note, signed images will live in mongodb/release and mongodb/signature repos
164+ - name : Sign released images
165+ run : |
166+ devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}"
167+ devbox run -- make sign IMG="${{ steps.tags.outputs.quay_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
168+ devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
169+ devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
170+ devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
171+ env :
172+ PKCS11_URI : ${{ secrets.PKCS11_URI }}
173+ GRS_USERNAME : ${{ secrets.GRS_USERNAME }}
174+ GRS_PASSWORD : ${{ secrets.GRS_PASSWORD }}
175+
176+ - name : Generate SBOMs
177+ run : devbox run -- make generate-sboms RELEASED_OPERATOR_IMAGE="${{ env.DOCKER_RELEASE_REPO }}"
178+
179+ - name : Create SDLC report
180+ run : devbox run -- make gen-sdlc-checklist
181+
59182 prepare-environment :
60183 name : Set up Environment Variables
61184 runs-on : ubuntu-latest
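Review bot: The `Sign released images` step interpolates `${{ steps.tags.outputs.docker_image_url }}` and the other tag outputs straight into the `run:` script, and those outputs are built from the workflow_dispatch inputs `version` and `image_sha` (through `VERSION` and `IMAGE_SHA`), so a version string containing a `"` or `;` is expanded into the shell text before it executes, inside a job that holds both registry credentials and the signing key material (`PKCS11_URI`, `GRS_*`). The `Configure job environment for downstream steps` step already uses the safe pattern of reading `$VERSION`/`$IMAGE_SHA` from the environment, so the sign step should expose the tag outputs via `env:` and reference them as `$DOCKER_IMAGE_URL`, `$QUAY_IMAGE_URL`, `$QUAY_CERTIFIED_IMAGE_URL` (job-level `env.*` values are likewise plain shell variables, so `${{ env.DOCKER_RELEASE_REPO }}` can become `$DOCKER_RELEASE_REPO`). Separately, the two `Move image …` steps tag the pushed image with the raw `github.event.inputs.version` while the signing URLs use `release_tag`, which is `VERSION` with a `test-0.0.0-dev` fallback; when `version` is empty the image is presumably pushed under an empty tag and the signatures target a tag that was never pushed, so both move steps should use `IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }}`. Whether `make sign` resolves the tag to a digest before signing is not visible here; if it signs the mutable tag, resolving the digest in the tags step and signing that would close the window between the move and the signature.
```yaml
      - name: Sign released images
        env:
          PKCS11_URI: ${{ secrets.PKCS11_URI }}
          GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
          GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
          # Pass step outputs through the environment so a crafted `version`
          # input cannot be expanded into the shell script text.
          DOCKER_IMAGE_URL: ${{ steps.tags.outputs.docker_image_url }}
          QUAY_IMAGE_URL: ${{ steps.tags.outputs.quay_image_url }}
          QUAY_CERTIFIED_IMAGE_URL: ${{ steps.tags.outputs.quay_certified_image_url }}
        run: |
          devbox run -- make sign IMG="$DOCKER_IMAGE_URL" SIGNATURE_REPO="$DOCKER_RELEASE_REPO"
          devbox run -- make sign IMG="$QUAY_IMAGE_URL" SIGNATURE_REPO="$QUAY_RELEASE_REPO"
          devbox run -- make sign IMG="$DOCKER_IMAGE_URL" SIGNATURE_REPO="$DOCKER_SIGNATURE_REPO"
          devbox run -- make sign IMG="$QUAY_CERTIFIED_IMAGE_URL" SIGNATURE_REPO="$QUAY_RELEASE_REPO"
          devbox run -- make sign IMG="$QUAY_CERTIFIED_IMAGE_URL" SIGNATURE_REPO="$DOCKER_SIGNATURE_REPO"
```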
@@ -151,7 +274,7 @@ jobs:
151274 echo "quay_image_url=$quay_image_url" >> $GITHUB_OUTPUT
152275 echo "quay_certified_image_url=$quay_certified_image_url" >> $GITHUB_OUTPUT
153276
154- release-image :
277+ release-image1 :
155278 runs-on : ubuntu-latest
156279 if : false
157280 environment : release
@@ -205,6 +328,7 @@ jobs:
205328 short_sha="${sha:0:6}"
206329 echo "promoted_tag=promoted-${short_sha}" >> "$GITHUB_OUTPUT"
207330
331+ # Move prerelease images to official release registries in Docker Hub and Quay
208332 - name : Move image to Docker registry release from prerelease
209333 run : devbox run -- ./scripts/move-image.sh
210334 env :
@@ -220,6 +344,15 @@ jobs:
220344 IMAGE_DEST_REPO : ${{ env.QUAY_RELEASE_REPO }}
221345 IMAGE_SRC_TAG : ${{ steps.tags.outputs.promoted_tag }}
222346 IMAGE_DEST_TAG : ${{ github.event.inputs.version }}
347+
348+ # Create Openshift certified images
349+ - name : Create OpenShift certified image on Quay
350+ run : devbox run -- ./scripts/move-image.sh
351+ env :
352+ IMAGE_SRC_REPO : ${{ env.QUAY_PRERELEASE_REPO }}
353+ IMAGE_DEST_REPO : ${{ env.QUAY_RELEASE_REPO }}
354+ IMAGE_SRC_TAG : ${{ steps.tags.outputs.promoted_tag }}
355+ IMAGE_DEST_TAG : ${{ steps.tags.outputs.certified_tag }}
223356
224357 - name : Create deploy configurations
225358 uses : ./.github/actions/gen-install-scripts