From 0974e7777fc9423e91e15c6034d152d0be4164c0 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:10:58 +0000
Subject: [PATCH 01/16] ci: add dev helm chart publishing workflow
---
 .github/workflows/publish-dev-chart.yml | 51 +++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/publish-dev-chart.yml
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
new file mode 100644
index 000000000..65050b65d
--- /dev/null
+++ b/.github/workflows/publish-dev-chart.yml
@@ -0,0 +1,51 @@
+name: publish-dev-chart
+
+on:
+ schedule:
+ - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - name: prepare
+ id: prepare
+ run: |
+ BRANCH_NAME=${GITHUB_REF#refs/heads/}
+ DATE=$(date +'%Y%m%d')
+ COMMIT=${{ github.sha }}
+ REPOSITORY=ghcr.io/${{ github.repository }}-chart-dev
+ VERSION=dev.${DATE}.${COMMIT:0:7}
+ SEM_VERSION=0-${VERSION}
+ echo ::set-output name=version::${VERSION}
+ echo ::set-output name=semversion::${SEM_VERSION}
+ echo ::set-output name=repo::${REPOSITORY}
+ - name: replace version
+ run: |
+ sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
+ - name: docker login
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: helm package
+ run: |
+ helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+ - name: helm push
+ run: |
+ helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz ${{ steps.prepare.outputs.repo }}
+ - name: clear
+ if: always()
+ run: |
+ rm -f ${HOME}/.docker/config.json
From 7ade459529e6d94c3df6ed48942ae0066a318753 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:11:59 +0000
Subject: [PATCH 02/16] testing
---
 .github/workflows/publish-dev-chart.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
index 65050b65d..f3b77184c 100644
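Review bot: The `echo ::set-output name=version::${VERSION}` line in the prepare step (and the two below it) relies on the `set-output` workflow command, which GitHub has deprecated in favour of the `$GITHUB_OUTPUT` environment file; write `echo "version=${VERSION}" >> "$GITHUB_OUTPUT"` and the same form for `semversion` and `repo`. `BRANCH_NAME=${GITHUB_REF#refs/heads/}` is assigned but never read in this step and can be dropped. The Checkout step pins `actions/checkout` to a commit SHA without the `# vX.Y.Z` marker that the `docker/login-action` pin carries, which leaves the pin hard to audit against a release; add the tag the SHA corresponds to as a trailing comment. The same `set-output` pattern reappears in the new `publish-dev-build.yml` of patch 07 and in the prepare-step hunk of patch 12.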
--- a/.github/workflows/publish-dev-chart.yml
+++ b/.github/workflows/publish-dev-chart.yml
@@ -30,8 +30,8 @@ jobs:
 echo ::set-output name=repo::${REPOSITORY}
 - name: replace version
 run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ repository:/c\ repository: ghcr.io/akashsinghal/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/akashsinghal/ratify-crds-dev' charts/ratify/values.yaml
 sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
 - name: docker login
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
From 2d98b32372b1fa2d5f3d736bc97d3683c185ece5 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:26:48 +0000
Subject: [PATCH 03/16] test2
---
 .github/workflows/publish-dev-chart.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
index f3b77184c..c71df48bb 100644
--- a/.github/workflows/publish-dev-chart.yml
+++ b/.github/workflows/publish-dev-chart.yml
@@ -4,6 +4,7 @@ on:
 schedule:
 - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:
+ push:
 permissions: read-all
From 1a84e635044fd07aa061194b69ef7af167cb1292 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:27:56 +0000
Subject: [PATCH 04/16] test3
---
 .github/workflows/publish-dev-chart.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
index c71df48bb..f4973e0ac 100644
--- a/.github/workflows/publish-dev-chart.yml
+++ b/.github/workflows/publish-dev-chart.yml
@@ -45,7 +45,7 @@ jobs:
 helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
 - name: helm push
 run: |
- helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz ${{ steps.prepare.outputs.repo }}
+ helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.repo }}
 - name: clear
 if: always()
 run: |
From 52262de731567091e5012aef2b075231619a2ef9 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:31:59 +0000
Subject: [PATCH 05/16] replace repo name
---
 .github/workflows/publish-dev-chart.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
index f4973e0ac..a6fe61a57 100644
--- a/.github/workflows/publish-dev-chart.yml
+++ b/.github/workflows/publish-dev-chart.yml
@@ -31,8 +31,8 @@ jobs:
 echo ::set-output name=repo::${REPOSITORY}
 - name: replace version
 run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/akashsinghal/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/akashsinghal/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
 sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
 - name: docker login
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
From 05e13d77c5c7bdc840d11d3e35a6714aae7347ed Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Sat, 9 Dec 2023 01:32:36 +0000
Subject: [PATCH 06/16] remove push trigger
---
 .github/workflows/publish-dev-chart.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
index a6fe61a57..3b6cb70df 100644
--- a/.github/workflows/publish-dev-chart.yml
+++ b/.github/workflows/publish-dev-chart.yml
@@ -4,7 +4,6 @@ on:
 schedule:
 - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:
- push:
 permissions: read-all
From dbe6c3e8356b297e9650b138e3fe0cb04c5e7a8f Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Fri, 22 Dec 2023 22:35:51 +0000
Subject: [PATCH 07/16] move dev build ghcr to dedicated workflow
---
 .github/workflows/publish-dev-build.yml | 84 +++++++++++++++++++++++++
 .github/workflows/publish-dev-chart.yml | 51 ---------------
 .github/workflows/publish-package.yml | 10 ---
 3 files changed, 84 insertions(+), 61 deletions(-)
 create mode 100644 .github/workflows/publish-dev-build.yml
 delete mode 100644 .github/workflows/publish-dev-chart.yml
diff --git a/.github/workflows/publish-dev-build.yml b/.github/workflows/publish-dev-build.yml
new file mode 100644
index 000000000..b4cbfa053
--- /dev/null
+++ b/.github/workflows/publish-dev-build.yml
@@ -0,0 +1,84 @@
+name: publish-dev-chart
+
+on:
+ schedule:
+ - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - name: prepare
+ id: prepare
+ run: |
+ DATE=$(date +'%Y%m%d')
+ COMMIT=${{ github.sha }}
+ REPOSITORY=ghcr.io/${{ github.repository }}
+ CHART_REPOSITORY=${REPOSITORY}-chart-dev
+ VERSION=dev.${DATE}.${COMMIT:0:7}
+ SEM_VERSION=0-${VERSION}
+ REPOSITORY_PLUGINS=${REPOSITORY}-dev
+ REPOSITORYBASE=${REPOSITORY}-base-dev
+ REPOSITORYCRD=${REPOSITORY}-crds-dev
+ echo ::set-output name=version::${VERSION}
+ echo ::set-output name=semversion::${SEM_VERSION}
+ echo ::set-output name=chartrepo::${CHART_REPOSITORY}
+ echo ::set-output name=ref::${REPOSITORY_PLUGINS}
+ echo ::set-output name=baseref::${REPOSITORYBASE}
+ echo ::set-output name=crdref::${REPOSITORYCRD}
+ - name: docker login
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: docker build ratify-crds
+ run: |
+ docker buildx create --use
+ docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+ - name: docker build ratify base
+ run: |
+ docker buildx create --use
+ docker buildx build -f ./httpserver/Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.baseref }} \
+ --push .
+ - name: docker build ratify with plugin
+ run: |
+ docker buildx create --use
+ docker buildx build -f ./httpserver/Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --build-arg build_cosign=true \
+ --build-arg build_sbom=true \
+ --build-arg build_licensechecker=true \
+ --build-arg build_schemavalidator=true \
+ --build-arg build_vulnerabilityreport=true \
+ --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.ref }} \
+ --push .
+ - name: replace version
+ run: |
+ sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
+ - name: helm package
+ run: |
+ helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+ - name: helm push
+ run: |
+ helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+ - name: clear
+ if: always()
+ run: |
+ rm -f ${HOME}/.docker/config.json
diff --git a/.github/workflows/publish-dev-chart.yml b/.github/workflows/publish-dev-chart.yml
deleted file mode 100644
index 3b6cb70df..000000000
--- a/.github/workflows/publish-dev-chart.yml
+++ /dev/null
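Review bot: `--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)"` in the `docker build ratify base` and `docker build ratify with plugin` steps uses Makefile syntax inside a shell `run` block; bash evaluates `$(TAG)` as a command substitution, so unless a `TAG` command happens to exist on the runner the version compiled into the dev images is empty. The value is already computed in the prepare step, so both lines should read `--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=${{ steps.prepare.outputs.version }}"`. Separately, the `replace version` step hard-codes `ghcr.io/deislabs/ratify-dev` and `ghcr.io/deislabs/ratify-crds-dev` in its `sed` commands while the images themselves are pushed to `${{ steps.prepare.outputs.ref }}` and `${{ steps.prepare.outputs.crdref }}`, which are derived from `github.repository`; a run from a fork therefore publishes a chart whose values point at images it did not build, which is what forced the back-and-forth edits in patches 02, 05, 09 and 14. Reusing those two prepare outputs in the sed replacements keeps the chart and the images in the same registry namespace.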
@@ -1,51 +0,0 @@
-name: publish-dev-chart
-
-on:
- schedule:
- - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
- workflow_dispatch:
-
-permissions: read-all
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- packages: write
- contents: read
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - name: prepare
- id: prepare
- run: |
- BRANCH_NAME=${GITHUB_REF#refs/heads/}
- DATE=$(date +'%Y%m%d')
- COMMIT=${{ github.sha }}
- REPOSITORY=ghcr.io/${{ github.repository }}-chart-dev
- VERSION=dev.${DATE}.${COMMIT:0:7}
- SEM_VERSION=0-${VERSION}
- echo ::set-output name=version::${VERSION}
- echo ::set-output name=semversion::${SEM_VERSION}
- echo ::set-output name=repo::${REPOSITORY}
- - name: replace version
- run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
- sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
- - name: docker login
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: helm package
- run: |
- helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
- - name: helm push
- run: |
- helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.repo }}
- - name: clear
- if: always()
- run: |
- rm -f ${HOME}/.docker/config.json
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index fce88de45..deb9664f7 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -4,8 +4,6 @@ on:
 push:
 tags:
 - v*
- schedule:
- - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:
 permissions: read-all
@@ -24,20 +22,12 @@ jobs:
 run: |
 VERSION=${GITHUB_REF#refs/*/}
 BRANCH_NAME=${GITHUB_REF#refs/heads/}
- DATE=$(date +'%Y%m%d')
- COMMIT=${{ github.sha }}
 REPOSITORY=ghcr.io/${{ github.repository }}
 REPOSITORYBASE=ghcr.io/${{ github.repository }}-base
 REPOSITORYCRD=ghcr.io/${{ github.repository }}-crds
 if [[ "${VERSION}" == "${BRANCH_NAME}" ]]; then
 VERSION=$(git rev-parse --short HEAD)
 fi
- if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "schedule" ]]; then
- VERSION=dev.${DATE}.${COMMIT:0:7}
- REPOSITORY=${REPOSITORY}-dev
- REPOSITORYBASE=${REPOSITORYBASE}-dev
- REPOSITORYCRD=${REPOSITORYCRD}-dev
- fi
 echo ::set-output name=version::${VERSION}
 echo ::set-output name=ref::${REPOSITORY}:${VERSION}
 echo ::set-output name=baseref::${REPOSITORYBASE}:${VERSION}
From 2f5f3c2ebf72b30fdabb2d85e9c08597da187b56 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Fri, 22 Dec 2023 22:39:18 +0000
Subject: [PATCH 08/16] rename
---
 .../workflows/{publish-dev-build.yml => publish-dev-assets.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .github/workflows/{publish-dev-build.yml => publish-dev-assets.yml} (99%)
diff --git a/.github/workflows/publish-dev-build.yml b/.github/workflows/publish-dev-assets.yml
similarity index 99%
rename from .github/workflows/publish-dev-build.yml
rename to .github/workflows/publish-dev-assets.yml
index b4cbfa053..6fdfbc629 100644
--- a/.github/workflows/publish-dev-build.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -1,4 +1,4 @@
-name: publish-dev-chart
+name: publish-dev-assets
 on:
 schedule:
From 8fa1d563a8e1678bfd494553f618d347d4334d51 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Fri, 22 Dec 2023 22:40:52 +0000
Subject: [PATCH 09/16] change repo name
---
 .github/workflows/publish-dev-assets.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 6fdfbc629..a0c7f6c2d 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -69,8 +69,8 @@ jobs:
 --push .
 - name: replace version
 run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ repository:/c\ repository: ghcr.io/akashsinghal/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/akashsinghal/ratify-crds-dev' charts/ratify/values.yaml
 sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
 - name: helm package
 run: |
From c314e6f7bb40cccaf9fd80743ba4da5db84f5035 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Fri, 22 Dec 2023 22:50:38 +0000
Subject: [PATCH 10/16] add push event temp
---
 .github/workflows/publish-dev-assets.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index a0c7f6c2d..b85e6880b 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -4,6 +4,7 @@ on:
 schedule:
 - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:
+ push:
 permissions: read-all
From 334a522a067ee670ac5c2b060a5cbf20570ea668 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Fri, 22 Dec 2023 22:55:47 +0000
Subject: [PATCH 11/16] fix tag
---
 .github/workflows/publish-dev-assets.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index b85e6880b..2ff170bef 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -44,7 +44,7 @@ jobs:
 - name: docker build ratify-crds
 run: |
 docker buildx create --use
- docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+ docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
 - name: docker build ratify base
 run: |
 docker buildx create --use
@@ -52,7 +52,8 @@ jobs:
 --platform linux/amd64,linux/arm64,linux/arm/v7 \
 --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
 --label org.opencontainers.image.revision=${{ github.sha }} \
- -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.baseref }} \
+ -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
+ -t ${{ steps.prepare.outputs.baseref }} \
 --push .
 - name: docker build ratify with plugin
 run: |
@@ -66,7 +67,8 @@ jobs:
 --build-arg build_vulnerabilityreport=true \
 --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
 --label org.opencontainers.image.revision=${{ github.sha }} \
- -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }},${{ steps.prepare.outputs.ref }} \
+ -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
+ -t ${{ steps.prepare.outputs.ref }} \
 --push .
 - name: replace version
 run: |
From 620c7eaf3c253c2d4ede2279016bf289fa99425f Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Wed, 27 Dec 2023 18:10:36 +0000
Subject: [PATCH 12/16] add chart publish rolling tag
---
 .github/workflows/publish-dev-assets.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 2ff170bef..3f68a5375 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -26,11 +26,13 @@ jobs:
 CHART_REPOSITORY=${REPOSITORY}-chart-dev
 VERSION=dev.${DATE}.${COMMIT:0:7}
 SEM_VERSION=0-${VERSION}
+ SEM_VERSION_ROLLING=0-dev
 REPOSITORY_PLUGINS=${REPOSITORY}-dev
 REPOSITORYBASE=${REPOSITORY}-base-dev
 REPOSITORYCRD=${REPOSITORY}-crds-dev
 echo ::set-output name=version::${VERSION}
 echo ::set-output name=semversion::${SEM_VERSION}
+ echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
 echo ::set-output name=chartrepo::${CHART_REPOSITORY}
 echo ::set-output name=ref::${REPOSITORY_PLUGINS}
 echo ::set-output name=baseref::${REPOSITORYBASE}
@@ -78,9 +80,11 @@ jobs:
 - name: helm package
 run: |
 helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+ helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
 - name: helm push
 run: |
 helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+ helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
 - name: clear
 if: always()
 run: |
From 874f03703a8b61d7b8a4bafb456678ebc4026a23 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Wed, 27 Dec 2023 18:54:22 +0000
Subject: [PATCH 13/16] updating helmfiles and docs
---
 CONTRIBUTING.md | 12 ++-------
 RELEASES.md | 6 +++--
 dev.helmfile.yaml | 15 +++---------
 dev.high-availability.helmfile.yaml | 38 ++++++++++++++++++++++-------
 4 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 41cbfd183..cdf2c0245 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -156,16 +156,8 @@ docker push ${REGISTRY}/localbuildcrd:yourtag
 ```
 ### Deploy using Dev Helmfile
-#### Update dev.helmfile.yaml
-Replace `repository`, `crdRepository`, and `tag` with previously built images:
-```yaml
-- name: image.repository
- value:
-- name: image.crdRepository
- value:
-- name: image.tag
- value:
-```
+
+Development charts + images are published weekly and latest versions are tagged with rolling tags referenced in dev helmfile.
 Deploy to cluster:
 ```bash
diff --git a/RELEASES.md b/RELEASES.md
index 6b8f2bd2c..6487a911c 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -26,9 +26,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc
 2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go).
-3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
+3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). The most recent images are also tagged with a rolling tag `latest`.
-4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
+4. Delete all dev helm charts since the previous release under the `ratify-chart-dev/ratify` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each helm chart is published with a semantic version compatible tag `0-dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a chart generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `0-dev.20230308.4cf9838`). The most recent dev chart is also tagged with the rolling tag `0-dev`.
+
+5. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
 ## Git Release Flow
diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index d12cb94a4..7ea87bb7c 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -2,7 +2,8 @@ repositories:
 - name: gatekeeper
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
- url: https://deislabs.github.io/ratify
+ url: ghcr.io/akashsinghal/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
 - name: gatekeeper
@@ -22,8 +23,8 @@ releases:
 value: 10s
 - name: ratify
 namespace: gatekeeper-system
- chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml
- version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
+ chart: ratify/ratify
+ version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
 wait: true
 needs:
 - gatekeeper
@@ -74,11 +75,3 @@ releases:
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: featureFlags.RATIFY_CERT_ROTATION
 value: true
- - name: image.repository # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: ghcr.io/deislabs/ratify-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.crdRepository # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: ghcr.io/deislabs/ratify-crds-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.tag # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: dev.20230822.cd81c6e # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.pullPolicy # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: Always # PRERELEASE: REMOVE before copying to helmfile.yaml
diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml
index 88b6203d4..409ce96e6 100644
--- a/dev.high-availability.helmfile.yaml
+++ b/dev.high-availability.helmfile.yaml
@@ -1,10 +1,13 @@
 repositories:
+ - name: gatekeeper
+ url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: dapr
 url: https://dapr.github.io/helm-charts/
 - name: bitnami
 url: https://charts.bitnami.com/bitnami
 - name: ratify
- url: https://deislabs.github.io/ratify
+ url: ghcr.io/akashsinghal/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
 - name: dapr
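Review bot: `version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml` keeps a comment that no longer holds: `0-dev` is the rolling OCI tag pushed by the dev-assets workflow, not the chart version in `charts/ratify/Chart.yaml`, so the comment now points maintainers at the wrong constraint. Reword it to the PRERELEASE convention already used on the `url` and `oci` lines of this file, e.g. `version: 0-dev # PRERELEASE: rolling dev chart tag; change to the released chart version before copying to helmfile.yaml`. Because `0-dev` is overwritten on every publish run, a deployment from this helmfile is not reproducible from the file alone; the dated tags such as `0-dev.20230308.4cf9838` described in RELEASES.md are the ones to use when a specific build must be pinned. The identical stale comment is in the `@@ -31,12 +50,13 @@` hunk of `dev.high-availability.helmfile.yaml` in this patch.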
@@ -13,8 +16,24 @@ releases:
 chart: dapr/dapr
 version: 1.11.1
 wait: true
+ - name: gatekeeper
+ namespace: gatekeeper-system
+ createNamespace: true
+ chart: gatekeeper/gatekeeper
+ version: 3.14.0
+ wait: true
+ set:
+ - name: enableExternalData
+ value: true
+ - name: validatingWebhookTimeoutSeconds
+ value: 5
+ - name: mutatingWebhookTimeoutSeconds
+ value: 2
+ - name: externaldataProviderResponseCacheTTL
+ value: 10s
 - name: redis
 namespace: gatekeeper-system
+ createNamespace: true
 chart: bitnami/redis
 version: 17.11.6
 wait: true
@@ -31,12 +50,13 @@ releases:
 value: false
 - name: ratify
 namespace: gatekeeper-system
- chart: charts/ratify/
- version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
+ chart: ratify/ratify
+ version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr
 - gatekeeper-system/redis
+ - gatekeeper-system/gatekeeper
 hooks:
 - events: ["presync"]
 showlogs: true
@@ -53,6 +73,12 @@ releases:
 - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system"
+ - events: ["presync"]
+ showlogs: true
+ command: "bash"
+ args:
+ - "-c"
+ - "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl"
@@ -109,12 +135,6 @@ releases:
 - "-n"
 - "gatekeeper-system"
 set:
- - name: image.repository # REMOVE before copying to high-availability.helmfile.yaml
- value: ghcr.io/deislabs/ratify-dev # REMOVE before copying to high-availability.helmfile.yaml
- - name: image.crdRepository # REMOVE before copying to high-availability.helmfile.yaml
- value: ghcr.io/deislabs/ratify-crds-dev # REMOVE before copying to high-availability.helmfile.yaml
- - name: image.tag # REMOVE before copying to high-availability.helmfile.yaml
- value: dev.20230822.cd81c6e # REMOVE before copying to high-availability.helmfile.yaml
 - name: featureFlags.RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY
 value: true
 - name: featureFlags.RATIFY_CERT_ROTATION
From 533ee15603bc4245b1c35d4da1abf23f51729812 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Wed, 27 Dec 2023 18:56:38 +0000
Subject: [PATCH 14/16] remove extra stuff
---
 .github/workflows/publish-dev-assets.yml | 5 ++---
 dev.helmfile.yaml | 2 +-
 dev.high-availability.helmfile.yaml | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 3f68a5375..0eb6dc6e5 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -4,7 +4,6 @@ on:
 schedule:
 - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:
- push:
 permissions: read-all
@@ -74,8 +73,8 @@ jobs:
 --push .
 - name: replace version
 run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/akashsinghal/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/akashsinghal/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
 sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
 - name: helm package
 run: |
diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index 7ea87bb7c..35dc39ae6 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -2,7 +2,7 @@ repositories:
 - name: gatekeeper
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
- url: ghcr.io/akashsinghal/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
 oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml
index 409ce96e6..6698a6bca 100644
--- a/dev.high-availability.helmfile.yaml
+++ b/dev.high-availability.helmfile.yaml
@@ -6,7 +6,7 @@ repositories:
 - name: bitnami
 url: https://charts.bitnami.com/bitnami
 - name: ratify
- url: ghcr.io/akashsinghal/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
 oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
From f59cc04486a8ae27d66658e9a3d9d4be71d06faa Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Thu, 4 Jan 2024 01:42:27 +0000
Subject: [PATCH 15/16] update contributing doc with helmfile install command
---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index cdf2c0245..6b531eada 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -161,7 +161,7 @@ Development charts + images are published weekly and latest versions are tagged
 Deploy to cluster:
 ```bash
-helmfile sync -f dev.helmfile.yaml
+helmfile sync -f git::https://github.com/deislabs/ratify.git@dev.helmfile.yaml
 ```
 ### Deploy from local helm chart
From 98f99c3920637dcb3d9a202cd91edc71cabe621e Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Thu, 4 Jan 2024 18:49:02 +0000
Subject: [PATCH 16/16] add back local image helmfile overrides
---
 CONTRIBUTING.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6b531eada..a64269cce 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -155,6 +155,24 @@ docker push ${REGISTRY}/deislabs/ratify:yourtag
 docker push ${REGISTRY}/localbuildcrd:yourtag
 ```
+#### Update dev.helmfile.yaml
+Replace Ratify `chart` and `version` with local values:
+```yaml
+...
+chart: chart/ratify
+version: # ATTENTION: Needs to match latest in Chart.yaml
+...
+```
+Replace `repository`, `crdRepository`, and `tag` with previously built images:
+```yaml
+- name: image.repository
+ value:
+- name: image.crdRepository
+ value:
+- name: image.tag
+ value:
+```
+
 ### Deploy using Dev Helmfile
 Development charts + images are published weekly and latest versions are tagged with rolling tags referenced in dev helmfile.