release.yml

name: Release

on:
  push:
    tags:
      - 'v*'
  schedule:
    - cron: '0 2 * * *' # run at 2 AM UTC
  workflow_dispatch:

jobs:
  goreleaser:
    runs-on: ubuntu-latest-32
    permissions:
      id-token: write
      contents: write

    strategy:
      fail-fast: false
      matrix:
        variant:
          - connect-ai
          - connect-cgo
          - connect-cloud
          - connect-fips
          - connect-lambda
          - connect

    steps:

    - name: Check Out Repo
      uses: actions/checkout@v5

    - name: Configure AWS credentials for access to AWS Secrets Manager
      uses: aws-actions/configure-aws-credentials@v5
      with:
        aws-region: ${{ vars.RP_AWS_CRED_REGION }}
        role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}

    - name: Get secrets from AWS Secrets Manager
      uses: aws-actions/aws-secretsmanager-get-secrets@v2
      with:
        secret-ids: |
          ,sdlc/prod/github/cloudsmith
          ,sdlc/prod/github/dockerhub
        parse-json-secrets: true

    - name: Configure AWS credentials for access to Amazon ECR Public
      uses: aws-actions/configure-aws-credentials@v5
      with:
        aws-region: us-east-1
        role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}

    - name: Login to Amazon ECR Public
      uses: aws-actions/amazon-ecr-login@v2
      with:
        registry-type: public

    - name: Install Go
      uses: actions/setup-go@v6
      with:
        go-version: 1.25.4

    - name: Install Microsoft Go
      if: ${{ matrix.variant == 'connect-fips' }}
      run: |
        GO_VERSION=$(go version | cut -d' ' -f3 | cut -d'.' -f1,2)
        curl -sSLf -o "$RUNNER_TEMP/msgo.tgz" https://aka.ms/golang/release/latest/${GO_VERSION}.linux-amd64.tar.gz
        [[ -d "$RUNNER_TEMP/bin" ]] || install -d -m 0755 "$RUNNER_TEMP/bin"
        [[ -d "$RUNNER_TEMP/microsoft" ]] || install -d -m 0755 "$RUNNER_TEMP/microsoft"
        tar -C "$RUNNER_TEMP/microsoft" -xf "$RUNNER_TEMP/msgo.tgz"
        echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"

    - name: Install patchelf
      run: sudo apt-get update && sudo apt-get install -y patchelf

    - name: Release Notes
      run: ./resources/scripts/release_notes.sh > ./release_notes.md

    - name: Write telemetry private key
      env:
        CONNECT_TELEMETRY_PRIV_KEY: ${{ secrets.TELEMETRY_PRIVATE_KEY }}
      run: |
        git update-index --skip-worktree ./internal/telemetry/key.pem
        echo "$CONNECT_TELEMETRY_PRIV_KEY" > ./internal/telemetry/key.pem

    - uses: actions/setup-python@v6
      with:
        python-version: '3.12'

    - name: Install cloudsmith CLI (for publishing Linux packages)
      run: pip install cloudsmith-cli

    - name: Login to Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ env.DOCKERHUB_USER }}
        password: ${{ env.DOCKERHUB_TOKEN }}

    - name: Install Buildx
      uses: docker/setup-buildx-action@v3

    - name: Write telemetry private key
      env:
        CONNECT_TELEMETRY_PRIV_KEY: ${{ secrets.TELEMETRY_PRIVATE_KEY }}
      run: |
        echo "Adding telemetry key"
        git update-index --skip-worktree ./internal/telemetry/key.pem
        echo "$CONNECT_TELEMETRY_PRIV_KEY" > ./internal/telemetry/key.pem

    - name: GoReleaser Release
      if: ${{ github.event_name == 'push' }}
      uses: goreleaser/goreleaser-action@v6
      with:
        args: release --release-notes=./release_notes.md --timeout 120m --config ./.goreleaser/${{ matrix.variant }}.yaml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        CLOUDSMITH_API_KEY: ${{ env.CLOUDSMITH_API_KEY }}

    - name: Disable checksums for Edge build
      if: ${{ github.event_name == 'schedule' }}
      run: |
        yq eval '.checksum.disable = true' -i .goreleaser/${{ matrix.variant }}.yaml

    - name: GoReleaser Edge
      if: ${{ github.event_name == 'schedule' }}
      uses: goreleaser/goreleaser-action@v6
      with:
        args: release --timeout 120m --snapshot --skip archive,nfpm --config ./.goreleaser/${{ matrix.variant }}.yaml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        CLOUDSMITH_API_KEY: ${{ env.CLOUDSMITH_API_KEY }}

    - name: GoReleaser Edge push docker
      if: ${{ github.event_name == 'schedule' && (matrix.variant == 'connect' || matrix.variant == 'connect-ai' || matrix.variant == 'connect-cloud') }}
      run: |
        IMAGE_BASE=${{ fromJSON('{"connect":"redpandadata/connect:edge","connect-ai":"redpandadata/connect:edge-ai","connect-cloud":"redpandadata/connect:edge-cloud"}')[matrix.variant] }}
        docker push ${IMAGE_BASE}-amd64
        docker push ${IMAGE_BASE}-arm64
        docker buildx imagetools create -t ${IMAGE_BASE} ${IMAGE_BASE}-amd64 ${IMAGE_BASE}-arm64

    - name: GoReleaser Test
      if: ${{ github.event_name == 'workflow_dispatch' }}
      uses: goreleaser/goreleaser-action@v6
      with:
        args: release --timeout 120m --snapshot --skip publish --config ./.goreleaser/${{ matrix.variant }}.yaml

    - name: Scan docker images for vulnerabilities
      if: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && (matrix.variant == 'connect' || matrix.variant == 'connect-ai' || matrix.variant == 'connect-cloud') }}
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: ${{ fromJSON('{"connect":"redpandadata/connect:edge","connect-ai":"redpandadata/connect:edge-ai","connect-cloud":"redpandadata/connect:edge-cloud"}')[matrix.variant] }}
        format: table
        ignore-unfixed: true
        exit-code: 1