Skip to content
This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

Publish release

Publish release #32

Workflow file for this run

---
name: Publish release
on:
workflow_dispatch:
inputs:
artifact-tag:
description: "The tag associated with the artifact to deploy (eg. v1.2.3)."
type: string
required: true
environment:
description: "The publishing environment that the workflow should run in."
type: environment
required: true
# This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run
workflow-tag:
description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID."
type: string
required: false
concurrency: "Limit to one build at a time for artifact tag ${{ inputs.artifact-tag || github.event.release.tag_name }}"
jobs:
publish:
runs-on: ubuntu-latest
# Unfortuntely this cannot be set as a global env var as they are not evaluated until runtime
environment: ${{ inputs.environment || 'release-prod' }}
permissions:
id-token: write
env:
ARTIFACT_TAG: ${{ inputs.artifact-tag || github.event.release.tag_name }}
LOCAL_ARTIFACTS_PATH: /tmp/artifacts
LOCAL_HELM_REPO_PATH: /tmp/helm-repo
LOCAL_TERRAFORM_REGISTRY_PATH: /tmp/terraform-registry
ENVIRONMENT_NAME: ${{ inputs.environment || 'release-prod' }}
steps:
- name: Validate artifact tag
env:
SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
run: |
echo "$ARTIFACT_TAG" | grep -qP "$SEMVER_REGEX" || { echo "The artifact tag $ARTIFACT_TAG is not a valid semver-coerced value"; exit 1; }
- name: Validate environment
run: |
echo "$ENVIRONMENT_NAME" | grep -qP '^publish-(prod|stage)$' || { echo "This workflow may only be ran from publishing environments"; exit 1; }
- name: Checkout repo
uses: actions/checkout@v4
with:
ref: ${{ github.workflow_sha }} # Publishing tooling should all be the same version
- name: Setup tooling Go
uses: actions/setup-go@v5
with:
go-version-file: "./tooling/go.mod"
cache-dependency-path: "./tooling/go.sum"
check-latest: true
# Sync artifacts down (required by everything)
- name: Assume AWS role for uploading the artifacts
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.ARTIFACT_DOWNLOAD_AWS_ROLE }}
role-session-name: "tag-publish-artifact-download-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Download artifacts from S3
env:
PENDING_BUCKET: ${{ vars.PENDING_BUCKET }}
run: aws s3 cp "s3://$PENDING_BUCKET/teleport-plugins/tag/$ARTIFACT_TAG/" "$LOCAL_ARTIFACTS_PATH" --recursive
# Binary artifact promotion
- name: Assume AWS role for uploading the artifacts
# This step is only supported in production as there is no staging version of Houston
if: ${{ env.ENVIRONMENT_NAME == 'publish-prod' }}
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.HOUSTON_UPLOAD_AWS_ROLE }}
role-session-name: "tag-publish-houston-upload-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Upload artifacts to Houston
# This step is only supported in production as there is no staging version of Houston
if: ${{ env.ENVIRONMENT_NAME == 'publish-prod' }}
env:
HOUSTON_BUCKET: ${{ vars.HOUSTON_BUCKET }}
run: |
aws s3 sync --acl public-read "$LOCAL_ARTIFACTS_PATH" "s3://$HOUSTON_BUCKET/teleport-plugins/${ARTIFACT_TAG##v}/" \
--include "*" \
--exclude "*.tgz*" # Exclude helm chart artifacts
# Image promotion
- name: Assume AWS role for publishing the container images
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.CONTAINER_IMAGE_PUBLISHING_SYNC_AWS_ROLE }}
role-session-name: "tag-publish-container-image-publishing-sync-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Authenticate with ECR
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
run: |
aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY"
aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws
- name: Publish access and event-handler images
env:
CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
CONTAINER_IMAGE_PUBLIC_REGISTRY: ${{ vars.CONTAINER_IMAGE_PUBLIC_REGISTRY }}
GITREF: ${{ env.ARTIFACT_TAG }}
run: |
export VERSION=${ARTIFACT_TAG##v}
make -j"$(nproc)" DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" \
DOCKER_ECR_PUBLIC_REGISTRY="$CONTAINER_IMAGE_PUBLIC_REGISTRY" docker-promote
# Helm promotion
- name: Assume AWS role for syncing the Helm artifacts
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.HELM_PUBLISHING_SYNC_AWS_ROLE }}
role-session-name: "tag-publish-helm-publishing-sync-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Download the Helm repo from S3
env:
HELM_REPO_BUCKET: ${{ vars.HELM_REPO_BUCKET }}
run: aws s3 cp "s3://$HELM_REPO_BUCKET/" "$LOCAL_HELM_REPO_PATH" --recursive
- name: Copy the Helm charts to the repo and regenerate the index
working-directory: "${{ env.LOCAL_HELM_REPO_PATH }}"
run: |
find "$LOCAL_ARTIFACTS_PATH" -name 'teleport-plugin-*.tgz' -type f -exec cp {} "." \;
helm repo index .
- name: Upload the Helm repo to S3
env:
HELM_REPO_BUCKET: ${{ vars.HELM_REPO_BUCKET }}
run: aws s3 sync "$LOCAL_HELM_REPO_PATH" "s3://$HELM_REPO_BUCKET/"
# Terraform promotion
- name: Assume AWS role for syncing the Terraform artifacts
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-skip-session-tagging: true
aws-region: us-west-2
role-to-assume: ${{ vars.TERRAFORM_PUBLISHING_SYNC_AWS_ROLE }}
role-session-name: "tag-publish-terraform-publishing-sync-${{ github.run_attempt }}"
role-duration-seconds: 900
- name: Download the Terraform repo from S3
env:
TERRAFORM_REGISTRY_BUCKET: ${{ vars.TERRAFORM_REGISTRY_BUCKET }}
run: aws s3 cp "s3://$TERRAFORM_REGISTRY_BUCKET/" "$LOCAL_TERRAFORM_REGISTRY_PATH" --recursive
- name: Run the terraform-publish tool
env:
TERRAFORM_REGISTRY_URL: ${{ vars.TERRAFORM_REGISTRY_URL }}
SIGNING_KEY: ${{ secrets.TERRAFORM_SIGNING_KEY }}
run: |
go run -C tooling ./cmd/promote-terraform \
--tag "$ARTIFACT_TAG" \
--artifact-directory-path "$LOCAL_ARTIFACTS_PATH" \
--registry-directory-path "$LOCAL_TERRAFORM_REGISTRY_PATH" \
--protocol 6 \
--registry-url "$TERRAFORM_REGISTRY_URL" \
--namespace gravitational \
--name teleport
- name: Upload the Terraform repo to S3
env:
TERRAFORM_REGISTRY_BUCKET: ${{ vars.TERRAFORM_REGISTRY_BUCKET }}
run: aws s3 sync "$LOCAL_TERRAFORM_REGISTRY_PATH" "s3://$TERRAFORM_REGISTRY_BUCKET/"
- name: ${{ inputs.workflow-tag }}
if: inputs.workflow-tag != ''
run: |
# Do nothing