Merge branch 'master' into cluster-label-docs

Author: pavangudiwada

.github/workflows/deploy-docs.yaml

@@ -13,6 +13,7 @@ jobs:
   has-secrets:
     name: Check Secrets
     runs-on: ubuntu-latest
+
     steps:
     - id: docs
       env:
@@ -25,26 +26,28 @@ jobs:
   setup-build-publish-deploy:
     name: Deploy docs
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     needs: [has-secrets]
     env:
       PROJECT_ID: ${{ secrets.GKE_PROD_PROJECT }}
-
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
-    - uses: google-github-actions/setup-gcloud@v0.2.0
+    - uses: google-github-actions/auth@v2
       if: needs.has-secrets.outputs.docs
       with:
-        service_account_key: ${{ secrets.GKE_PROD_SA_KEY }}
         project_id: ${{ secrets.GKE_PROD_PROJECT }}
-        export_default_credentials: true
+        workload_identity_provider: 'projects/429189597230/locations/global/workloadIdentityPools/github/providers/robusta-repos' # prod
 
-    # Configure Docker to use the gcloud command-line tool as a credential helper for authentication
-    - name: Configure Docker
+    - name: Set up gcloud CLI
+      uses: google-github-actions/setup-gcloud@v2
       if: needs.has-secrets.outputs.docs
-      run: |-
-        gcloud auth configure-docker us-central1-docker.pkg.dev
+      with:
+        project_id: ${{ secrets.GKE_PROD_PROJECT }}
 
     - name: Set up Python
       uses: actions/setup-python@v2

.github/workflows/release.yaml

@@ -6,115 +6,120 @@ on:
 
 env:
   PROJECT_ID: ${{ secrets.GKE_PROD_PROJECT }}
-# ` ``  GKE_ZONE: us-central1-c   # TODO: update to cluster zone
-  RELEASE_VER : ${{ github.event.release.tag_name }}
-jobs:
+  # ` ``  GKE_ZONE: us-central1-c   # TODO: update to cluster zone
+  RELEASE_VER: ${{ github.event.release.tag_name }}
 
+jobs:
   setup-build-publish-deploy:
     name: Build images
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     steps:
-    - name: Checkout
-      uses: actions/checkout@v2
-
-    - name: Get release version
-      run: echo "$RELEASE_VER"
-
-    - uses: google-github-actions/setup-gcloud@v0.2.0
-      with:
-        service_account_key: ${{ secrets.GKE_PROD_SA_KEY }}
-        project_id: ${{ secrets.GKE_PROD_PROJECT }}
-        export_default_credentials: true
-
-    # Configure Docker to use the gcloud command-line tool as a credential helper for authentication
-    - run: |-
-        gcloud auth configure-docker us-central1-docker.pkg.dev
-
-    - run: |-
-        gcloud config get-value project
-
-    - run: |-
-        curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64
-        chmod a+x skaffold
-
-    - name: Update package version
-      run: |
-        sed -i 's/0.0.0/${{env.RELEASE_VER}}/g' src/robusta/_version.py helm/robusta/Chart.yaml helm/robusta/values.yaml
-        sed -i 's/version = "0.0.0"/version = "${{env.RELEASE_VER}}"/g' pyproject.toml
-        sed -i 's/0.0.1/${{env.RELEASE_VER}}/g' helm/robusta/Chart.yaml
-
-    # Set up the buildx to run build for multiple platforms
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@c5ffa2a61740d9877bd1f40899a87c8ec93b0d9f
-
-    - name: Docker Setup Buildx
-      uses: docker/setup-buildx-action@bea6a01aa40b4d58b0382d47e1c4a70137af67b1
-      with:
-        config-inline: |
-          [worker.oci]
-            enabled = true
-            platforms = [ "linux/amd64", "linux/arm64" ]
-
-    # see https://github.com/GoogleContainerTools/skaffold/issues/4842
-    - name: Cache skaffold image builds & config
-      uses: actions/cache@v2
-      with:
-        path: ~/.skaffold/
-        key: fixed-${{ github.sha }}
-        restore-keys: |
-          fixed-${{ github.sha }}
-          fixed-
-
-    - name: Login to Docker Hub
-      uses: docker/login-action@v1
-      with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
-
-    - name: Build with skaffold
-      run: ./skaffold build --profile release --file-output=container-ids.json --tag='${{env.RELEASE_VER}}'
-
-
-    - name: Save artifact with tags of built containers
-      uses: actions/upload-artifact@v4
-      with:
-        name: container-ids
-        path: container-ids.json
-
-    - name: Set up Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.9
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install twine
-
-    - name: Prepare pypi dist
-      run: |
-        curl -sSL https://install.python-poetry.org | python3 - --version 1.4.0
-        poetry config virtualenvs.create false
-        poetry install --extras "all"
-        poetry publish --build -u __token__ -p ${{ secrets.PYPI_PROJECT_TOKEN }}
-
-    - name: Save artifact with helm chart
-      uses: actions/upload-artifact@v4
-      with:
-        name: helm-chart
-        path: helm/robusta/
-
-    - name: Release Docker to Dockerhub
-      run: |-
-        docker buildx build \
-        --build-arg BUILDKIT_INLINE_CACHE=1 \
-        --platform linux/arm64,linux/amd64 \
-        --cache-from us-central1-docker.pkg.dev/genuine-flight-317411/devel/robusta:cache \
-        --tag robustadev/robusta-runner:${{env.RELEASE_VER}} \
-        --push \
-        .
-
-    - name: Upload helm chart
-      run: |
-        cd helm && ./upload_chart.sh
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Get release version
+        run: echo "$RELEASE_VER"
+
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ secrets.GKE_PROD_PROJECT }}
+          workload_identity_provider: 'projects/429189597230/locations/global/workloadIdentityPools/github/providers/robusta-repos' # prod
+
+      - name: Set up gcloud CLI
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          project_id: ${{ secrets.GKE_PROD_PROJECT }}
+
+      - name: Configure Docker Registry
+        run: gcloud auth configure-docker us-central1-docker.pkg.dev
+
+
+      - run: |-
+          curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64
+          chmod a+x skaffold
+
+      - name: Update package version
+        run: |
+          sed -i 's/0.0.0/${{env.RELEASE_VER}}/g' src/robusta/_version.py helm/robusta/Chart.yaml helm/robusta/values.yaml
+          sed -i 's/version = "0.0.0"/version = "${{env.RELEASE_VER}}"/g' pyproject.toml
+          sed -i 's/0.0.1/${{env.RELEASE_VER}}/g' helm/robusta/Chart.yaml
+
+      # Set up the buildx to run build for multiple platforms
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c5ffa2a61740d9877bd1f40899a87c8ec93b0d9f
+
+      - name: Docker Setup Buildx
+        uses: docker/setup-buildx-action@bea6a01aa40b4d58b0382d47e1c4a70137af67b1
+        with:
+          config-inline: |
+            [worker.oci]
+              enabled = true
+              platforms = [ "linux/amd64", "linux/arm64" ]
+
+      # see https://github.com/GoogleContainerTools/skaffold/issues/4842
+      - name: Cache skaffold image builds & config
+        uses: actions/cache@v4
+        with:
+          path: ~/.skaffold/
+          key: fixed-${{ github.sha }}
+          restore-keys: |
+            fixed-${{ github.sha }}
+            fixed-
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build with skaffold
+        run: ./skaffold build --profile release --file-output=container-ids.json --tag='${{env.RELEASE_VER}}'
+
+      - name: Save artifact with tags of built containers
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-ids
+          path: container-ids.json
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install twine
+
+      - name: Prepare pypi dist
+        run: |
+          curl -sSL https://install.python-poetry.org | python3 - --version 1.4.0
+          poetry config virtualenvs.create false
+          poetry install --extras "all"
+          poetry publish --build -u __token__ -p ${{ secrets.PYPI_PROJECT_TOKEN }}
+
+      - name: Save artifact with helm chart
+        uses: actions/upload-artifact@v4
+        with:
+          name: helm-chart
+          path: helm/robusta/
+
+      - name: Release Docker to Dockerhub
+        run: |-
+          docker buildx build \
+          --build-arg BUILDKIT_INLINE_CACHE=1 \
+          --platform linux/arm64,linux/amd64 \
+          --cache-from us-central1-docker.pkg.dev/genuine-flight-317411/devel/robusta:cache \
+          --tag robustadev/robusta-runner:${{env.RELEASE_VER}} \
+          --push \
+          .
+
+      - name: Upload helm chart
+        run: |
+          cd helm && ./upload_chart.sh