Merge pull request #264 from mallardduck/4x-backport-slsa

[v4.x] Sync GitHub Actions workflows

Author: mallardduck

.github/renovate.json

@@ -2,22 +2,29 @@
   "extends": [
     "github>rancher/renovate-config#release"
   ],
-  "baseBranches": [
+  "baseBranchPatterns": [
     "main",
     "/^release\\/v[0-9]+.x/"
   ],
   "prHourlyLimit": 24,
   "packageRules": [
     {
       "description": "Using allowedVersions ensures that the upstream range does not block patch bumps.",
-      "matchDepNames": ["kubernetes/kubernetes"],
+      "matchDepNames": [
+        "kubernetes/kubernetes"
+      ],
       "separateMinorPatch": true,
       "allowedVersions": ">=1.28.0"
     },
     {
       "description": "Disable major and minor updates",
-      "matchDepNames": ["kubernetes/kubernetes"],
-      "matchUpdateTypes": ["major", "minor"],
+      "matchDepNames": [
+        "kubernetes/kubernetes"
+      ],
+      "matchUpdateTypes": [
+        "major",
+        "minor"
+      ],
       "enabled": false
     },
     {
@@ -45,8 +52,8 @@
   "customManagers": [
     {
       "customType": "regex",
-      "fileMatch": [
-        "deps.mk$"
+      "managerFilePatterns": [
+        "/deps.mk$/"
       ],
       "matchStrings": [
         "KUBECTL\\d_VERSION :=\\s(?<currentValue>.*?)\\n"

.github/scripts/bump-kubectl-patch-versions

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# If the first argument ($1) is provided and not empty, use it.
+# Otherwise, default to "kubectl-versions.txt".
+VERSIONS_FILE=${1:-"kubectl-versions.txt"}
+TEMP_FILE="${VERSIONS_FILE}.tmp"
+UPDATE_LOG_FILE="${VERSIONS_FILE}.log"
+
+echo "Using versions file: $VERSIONS_FILE"
+echo "Temporary file will be: $TEMP_FILE"
+echo "Log file will be: $UPDATE_LOG_FILE"
+
+# Check if the input file exists
+if [[ ! -f "$VERSIONS_FILE" ]]; then
+    echo "Error: Input file '$VERSIONS_FILE' not found."
+    exit 1
+fi
+
+RELEASES=$(gh api graphql -F owner='kubernetes' -F name='kubernetes' -f query='query($name: String!, $owner: String!) {repository(owner: $owner, name: $name) {releases(first: 100) {nodes { tagName, isPrerelease }} }}' | jq -r '.data.repository.releases.nodes[] | select(.isPrerelease != true) | .tagName' | sort -V)
+
+# Iterate over each line of the input file
+while IFS= read -r VERSION || [[ -n "$VERSION" ]]; do
+    PREFIX=$(echo "$VERSION" | cut -d. -f1,2)
+    echo "Checking version for $VERSION - using $PREFIX to search..."
+    NEWEST_OPTION=$(echo "$RELEASES"| grep "$PREFIX" | sort -rV |head -1)
+    if [ "$VERSION" == "$NEWEST_OPTION" ]; then
+      echo "Nothing to update - $VERSION already newest patch for that Major.Minor"
+      # If the version is the same, keep the original line
+      echo "$VERSION" >> "$TEMP_FILE"
+      continue
+    fi
+    echo "Found newer patch $NEWEST_OPTION to replace $VERSION"
+    echo "$NEWEST_OPTION" >> "$TEMP_FILE"
+    echo "$NEWEST_OPTION" >> "$UPDATE_LOG_FILE"
+done < "$VERSIONS_FILE"
+
+# Check if the temporary file was created successfully
+if [[ -f "$TEMP_FILE" ]]; then
+    # Replace the original file with the temporary file
+    mv "$TEMP_FILE" "$VERSIONS_FILE"
+    echo "File updated successfully: $VERSIONS_FILE"
+else
+    echo "Error: Temporary file not created. No changes made."
+    exit 1
+fi
+
+echo "Remember the $UPDATE_LOG_FILE must be cleaned up after reading..."

.github/scripts/check-semver

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Usage:
+#   ./check_tag.sh [tag]
+# If no tag is provided, it uses GITHUB_REF_NAME environment variable.
+
+set -euo pipefail
+
+# Input: tag
+tag="${1:-${GITHUB_REF_NAME:-}}"
+
+if [[ -z "$tag" ]]; then
+  echo "Error: No tag provided and GITHUB_REF_NAME is not set." >&2
+  exit 1
+fi
+
+# Strip leading 'v' if present
+if [[ "$tag" == v* ]]; then
+  tag="${tag:1}"
+fi
+
+# Function to detect prerelease (e.g. 1.2.3-beta)
+has_prerelease() {
+  [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+- ]]
+}
+
+# Function to detect build metadata (e.g. 1.2.3+build.1)
+has_build_meta() {
+  [[ "$1" =~ \+ ]]
+}
+
+# Output results to stdout
+if has_prerelease "$tag"; then
+  echo "HAS_PRERELEASE=true"
+else
+  echo "HAS_PRERELEASE=false"
+fi
+
+if has_build_meta "$tag"; then
+  echo "HAS_BUILD_META=true"
+else
+  echo "HAS_BUILD_META=false"
+fi

.github/workflows/ci.yml

@@ -26,23 +26,30 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: write # Upload artefacts to release.
-
 env:
   PUBLIC_REGISTRY: ghcr.io
 
 jobs:
   ci:
+    permissions:
+      contents: write  # Upload artefacts to release.
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+      packages: write
+      attestations: write
     runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }}
     steps:
+      - name: Check out repository code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
       -
         # Add support for more platforms with QEMU (optional)
         # https://github.com/docker/setup-qemu-action
         name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      - name: Check out repository code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
       - name: Basic CI
         run: make ci
       - name: Upload CI files to artifacts (on failure)

.github/workflows/cleanup.yml

@@ -0,0 +1,64 @@
+name: Clean PR Branch
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'status/auto-created')
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Check PR branch exists
+        id: check-branch
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            try {
+              let {status: status} = await github.rest.git.getRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: "heads/${{ github.event.pull_request.head.ref }}"
+              })
+              if (status == 200) {
+                await core.summary
+                  .addHeading("PR Branch Found", 2)
+                  .addRaw("The PR branch was found and will be cleaned up.")
+                  .write();
+              } else {
+
+                core.setFailed("Branch not found, nothing to clean. (failure can be ignored)");
+              }
+            }
+            catch (err) {
+              if (err.response && err.response.status === 404) {
+                await core.summary
+                  .addHeading("PR Branch Not Found", 2)
+                  .addRaw("The PR branch didn't exist; the action failure can be ignored.")
+                  .write();
+                core.setFailed("Branch not found, nothing to clean. (failure can be ignored)");
+              } else {
+                core.setFailed(`Action failed with error ${err}`);
+              }
+            }
+      - name: Delete the PR branch
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            try {
+              let {status: status} = github.rest.git.deleteRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: "heads/${{ github.event.pull_request.head.ref }}"
+              })
+              await core.summary
+                .addHeading("PR Branch Deleted", 2)
+                .addRaw("The PR's branch `${{ github.event.pull_request.head.ref }}` was deleted.")
+                .write();
+            }
+            catch (err) {
+              // setFailed logs the message and sets a failing exit code
+              core.setFailed(`Action failed with error ${err}`);
+            }

.github/workflows/e2e-ci.yaml

@@ -43,30 +43,33 @@ env:
   DEBUG: ${{ github.event.inputs.debug || false }}
   CLUSTER_NAME: 'e2e-ci-kuberlr-kubectl'
 
-permissions:
-  contents: write
-
 jobs:
   e2e-kuberlr-kubectl:
+    permissions:
+      contents: write  # Upload artefacts to release.
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+      packages: write
+      attestations: write
     strategy:
       matrix:
         arch:
           - x64
           - arm64
     runs-on: ${{ github.repository == 'rancher/kuberlr-kubectl' && format('runs-on,image=ubuntu22-full-{1},runner=4cpu-linux-{1},run-id={0}', github.run_id, matrix.arch) || 'ubuntu-latest' }}
     steps:
+      -
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
       -
         # Add support for more platforms with QEMU (optional)
         # https://github.com/docker/setup-qemu-action
         name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      -
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
-        with:
-          go-version: '>=1.20.0'
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
       - name : Install helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4

.github/workflows/release.yml

@@ -15,17 +15,15 @@ on:
 #   - PUBLIC_REGISTRY_USERNAME
 #   - PUBLIC_REGISTRY_PASSWORD
 
-permissions:
-  contents: write # Upload artefacts to release.
-
 env:
   PUBLIC_REGISTRY: docker.io
+  REPO: rancher
 
 jobs:
 
   publish-public:
     permissions:
-      contents: read
+      contents: write
       # write is needed for:
       # - OIDC for cosign's use in ecm-distro-tools/publish-image.
       # - Read vault secrets in rancher-eio/read-vault-secrets.
@@ -44,26 +42,71 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      - name : Make test helm chart
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+        run: TAG=$TAG_NAME make package-helm
+      - name: Add test helm chart to release
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "${TAG_NAME}" "./build/charts/rancher-kubectl-test-${TAG_NAME#v}.tgz"
+
       - name: Load Secrets from Vault
         uses: rancher-eio/read-vault-secrets@main
         with:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | PRIME_STG_REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | PRIME_STG_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | PRIME_STG_REGISTRY_PASSWORD ;
 
-      - name: Build and push all platforms
+      - name: Build and push kuberlr-kubectl image (dockerhub and prime stg)
         uses: rancher/ecm-distro-tools/actions/publish-image@master
         with:
           image: ${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
           tag: ${{ github.ref_name }}
-          platforms: "linux/amd64,linux/arm64"
 
           public-registry: ${{ env.PUBLIC_REGISTRY }}
-          public-repo: ${{ vars.REPO || github.repository_owner }}
+          public-repo: ${{ vars.REPO || env.REPO || github.repository_owner }}
           public-username: ${{ env.DOCKER_USERNAME || vars.DOCKER_USERNAME || github.repository_owner }}
           public-password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
 
-          push-to-prime: false
+          push-to-prime: true
+          prime-registry: ${{ env.PRIME_STG_REGISTRY }}
+          prime-repo: rancher
+          prime-username: ${{ env.PRIME_STG_REGISTRY_USERNAME }}
+          prime-password: ${{ env.PRIME_STG_REGISTRY_PASSWORD }}
+
+      - name: Check SemVer Characteristics
+        id: semver_check
+        run: bash ./.github/scripts/check-semver "${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+
+      - name: Load Secrets from Vault
+        if: ${{ steps.semver_check.outputs.HAS_PRERELEASE == 'false' }}
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
+
+      - name: Build and push kuberlr-kubectl image (prime prod)
+        if: ${{ steps.semver_check.outputs.HAS_PRERELEASE == 'false' }}
+        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        with:
+          image: ${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
+          tag: ${{ github.ref_name }}
+
+          push-to-public: false
+
+          push-to-prime: true
+          prime-registry: ${{ env.PRIME_REGISTRY }}
+          prime-repo: rancher
+          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
       -
         name: Login to GitHub Container Registry

scripts/version

@@ -15,13 +15,6 @@ else
     VERSION="${COMMIT}${DIRTY}"
 fi
 
-ARCH=$TARGET_ARCH
-if [ -z "$ARCH" ]; then
-    ARCH=$(go env GOHOSTARCH)
-fi
-
-SUFFIX="-${ARCH}"
-
 TAG=${TAG:-${BRANCH_TAG:-${VERSION}}}
 REPO=${REPO:-rancher}