1+ name : Turtles release 
2+ 
3+ on :
4+   push :
5+     tags :
6+       - ' v**' 
7+   workflow_dispatch :
8+ 
9+ permissions :
10+   contents : read  #  to checkout code
11+   id-token : write  #  to read vault secrets
12+ 
13+ jobs :
14+   release :
15+     runs-on : ubuntu-latest 
16+     strategy :
17+       matrix :
18+         include :
19+         - platform : linux/amd64 
20+           tag-suffix : " linux-amd64" 
21+         - platform : linux/arm64 
22+           tag-suffix : " linux-arm64" 
23+     env :
24+       TAG : ${{ github.ref_name }} 
25+     steps :
26+     - name : Checkout code 
27+       uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  #  v5
28+       with :
29+         fetch-depth : 0 
30+ 
31+     - name : Setup QEMU 
32+       uses : docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  #  v3.6.0
33+       with :
34+         image : tonistiigi/binfmt:qemu-v8.1.5 
35+         cache-image : false 
36+ 
37+     - name : Read Vault secrets 
38+       uses : rancher-eio/read-vault-secrets@main 
39+       with :
40+         secrets : | 
41+           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ; 
42+           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ; 
43+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGING_REGISTRY ; 
44+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGING_REGISTRY_USERNAME ; 
45+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGING_REGISTRY_PASSWORD ; 
46+           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; 
47+ 
48+      - name : Log into Docker Hub registry 
49+       uses : docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  #  v3
50+       with :
51+         username : ${{ env.DOCKER_USERNAME }} 
52+         password : ${{ env.DOCKER_PASSWORD }} 
53+ 
54+     - name : Log into Staging registry 
55+       uses : docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  #  v3
56+       with :
57+         username : ${{ env.STAGING_REGISTRY_USERNAME }} 
58+         password : ${{ env.STAGING_REGISTRY_PASSWORD }} 
59+         registry : ${{ env.STAGING_REGISTRY }} 
60+ 
61+     - name : Build and push community image 
62+       shell : bash 
63+       env :
64+         REGISTRY : docker.io 
65+         ORG : rancher 
66+       run : | 
67+         IID_FILE=$(mktemp) 
68+         make docker-build-and-push-community TAG=${{ env.TAG }}-${{ matrix.tag-suffix }} REGISTRY=${{ env.REGISTRY }} ORG=${{ env.ORG }} IID_FILE=${IID_FILE} TARGET_PLATFORMS=${{ matrix.platform }} 
69+ 
70+      - name : Build and push prime image 
71+       shell : bash 
72+       env :
73+         REGISTRY : ${{ env.STAGING_REGISTRY }} 
74+         ORG : rancher 
75+       run : | 
76+         IID_FILE=$(mktemp) 
77+         make docker-build-and-push-prime TAG=${{ env.TAG }}-${{ matrix.tag-suffix }} REGISTRY=${{ env.REGISTRY }} ORG=${{ env.ORG }} IID_FILE=${IID_FILE} TARGET_PLATFORMS=${{ matrix.platform }} 
78+ 
79+    merge :
80+     runs-on : ubuntu-latest 
81+     strategy :
82+       matrix :
83+         include :
84+         - image-type : community 
85+         - image-type : prime 
86+     env :
87+       TAG : ${{ github.ref_name }} 
88+     needs :
89+     - release 
90+     steps :
91+     - name : Read Vault secrets 
92+       uses : rancher-eio/read-vault-secrets@main 
93+       with :
94+         secrets : | 
95+           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ; 
96+           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ; 
97+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGING_REGISTRY ; 
98+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGING_REGISTRY_USERNAME ; 
99+           secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGING_REGISTRY_PASSWORD ; 
100+           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; 
101+      
102+     - name : Log into Docker Hub registry 
103+       if : ${{ matrix.image-type == 'community' }} 
104+       uses : docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  #  v3
105+       with :
106+         username : ${{ env.DOCKER_USERNAME }} 
107+         password : ${{ env.DOCKER_PASSWORD }} 
108+ 
109+     - name : Log into Staging registry 
110+       if : ${{ matrix.image-type == 'prime' }} 
111+       uses : docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  #  v3
112+       with :
113+         username : ${{ env.STAGING_REGISTRY_USERNAME }} 
114+         password : ${{ env.STAGING_REGISTRY_PASSWORD }} 
115+         registry : ${{ env.STAGING_REGISTRY }} 
116+ 
117+     - name : Install Cosign 
118+       if : ${{ matrix.image-type == 'prime' }} 
119+       uses : sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62  #  v3.10.0
120+ 
121+     - name : Create multi-arch image and push 
122+       shell : bash 
123+       run : | 
124+         IMAGE="turtles" 
125+         if [ "${{ matrix.image-type }}" = "community" ]; then 
126+           URL="docker.io/rancher/${IMAGE}:${{ env.TAG }}" 
127+           docker buildx imagetools create -t "${URL}" \ 
128+             "${URL}-linux-amd64" \ 
129+             "${URL}-linux-arm64" 
130+         else 
131+           URL="${{ env.STAGING_REGISTRY }}/rancher/${IMAGE}:${{ env.TAG }}" 
132+           docker buildx imagetools create -t "${URL}" \ 
133+             "${URL}-linux-amd64" \ 
134+             "${URL}-linux-arm64" 
135+         fi 
136+ 
137+      - name : Sign multi-arch image 
138+       shell : bash 
139+       if : ${{ matrix.image-type == 'prime' }} 
140+       run : | 
141+         IMAGE="turtles" 
142+         URL="${{ env.STAGING_REGISTRY }}/rancher/${IMAGE}:${{ env.TAG }}" 
143+         cosign sign \ 
144+           --oidc-provider=github-actions \ 
145+           --yes \ 
146+           --sign-container-identity="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}" \ 
147+           "${URL}" 
148+ 
149+         # Pull the manifest locally to make it available for inspection 
150+         docker pull "${URL}" 
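Review bot: The Docker Hub login at lines 51-52 reads `env.DOCKER_USERNAME` and `env.DOCKER_PASSWORD`, but the preceding Vault step exports those credentials as `PUBLIC_REGISTRY_USERNAME` / `PUBLIC_REGISTRY_PASSWORD` (lines 41-42), so the login runs with empty values and the community push cannot authenticate; the same mismatch is repeated in the merge job at lines 106-107. The fix in both steps is `username: ${{ env.PUBLIC_REGISTRY_USERNAME }}` and `password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}`. Separately, `rancher-eio/read-vault-secrets@main` (lines 38 and 92) is the only action here not pinned to a commit SHA, and it is the one that handles every registry credential; pin it to a full SHA like the other `uses:` lines so an upstream change to `main` cannot silently change what is done with those secrets. The sequence indentation at lines 48, 70, 79 and 137 also appears to differ from sibling entries; if that is not a rendering artifact of this page, the workflow will fail to parse.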