Skip to content
Branch head Prerelease Images

Merge pull request #21 from mallardduck/ci-bug-perms #25

Sign in to view logs

Merge pull request #21 from mallardduck/ci-bug-perms

Merge pull request #21 from mallardduck/ci-bug-perms #25

Workflow file for this run

.github/workflows/head-build.yml at a1e9073
name: Branch head Prerelease Images
on:
push:
branches:
- main
- release/v[0-9]+.0
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: write # Upload artefacts to release.
env:
PUBLIC_REGISTRY: docker.io
jobs:
prebuild-env:
name: Prebuild needed Env vars
runs-on: ubuntu-latest
steps:
- name: Check out the repository to the runner
uses: actions/checkout@v4
- name: Set Branch Tag and Other Variables
id: set-vars
run: bash ./.github/scripts/branch-tags.sh >> $GITHUB_OUTPUT
outputs:
branch_tag: ${{ steps.set-vars.outputs.branch_tag }}
branch_static_tag: ${{ steps.set-vars.outputs.branch_static_tag }}
prev_tag: ${{ steps.set-vars.outputs.prev_tag }}
publish-public:
permissions:
contents: read
# write is needed for:
# - OIDC for cosign's use in ecm-distro-tools/publish-image.
# - Read vault secrets in rancher-eio/read-vault-secrets.
# - Publish image to ghcr.io
id-token: write
packages: write
attestations: write
runs-on: ubuntu-latest
needs:
- prebuild-env
steps:
- name: Check out repository code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ;
- name: Build and push all image variations
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: ${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
tag: ${{ needs.prebuild-env.outputs.branch_static_tag }}
platforms: "linux/amd64,linux/arm64"
public-registry: ${{ env.PUBLIC_REGISTRY }}
public-repo: ${{ vars.REPO || github.repository_owner }}
public-username: ${{ env.DOCKER_USERNAME || vars.DOCKER_USERNAME || github.repository_owner }}
public-password: ${{ env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
push-to-prime: false
- name: Re-tag the static head image using the rolling tag
env:
FULL_IMAGE_URL: ${{ env.PUBLIC_REGISTRY }}/${{ vars.REPO || github.repository_owner }}/${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
STATIC_TAG: ${{ needs.prebuild-env.outputs.branch_static_tag }}
LATEST_TAG: ${{ needs.prebuild-env.outputs.branch_tag }}
run: |
VERSION="1.2.0"
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
oras-install/oras copy ${{ env.FULL_IMAGE_URL }}:${{ env.STATIC_TAG }} ${{ env.FULL_IMAGE_URL }}:${{ env.LATEST_TAG }}
-
name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Re-tag the image tags to ghcr.io/${{ github.repository_owner }}
env:
FULL_IMAGE_URL: ${{ env.PUBLIC_REGISTRY }}/${{ vars.REPO || github.repository_owner }}/${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
STATIC_TAG: ${{ needs.prebuild-env.outputs.branch_static_tag }}
LATEST_TAG: ${{ needs.prebuild-env.outputs.branch_tag }}
FULL_IMAGE_GHCR_URL: ghcr.io/${{ github.repository_owner }}/${{ vars.IMAGE_NAME || 'kuberlr-kubectl' }}
run: |
VERSION="1.2.0"
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
oras-install/oras copy ${{ env.FULL_IMAGE_URL }}:${{ env.STATIC_TAG }} ${{ env.FULL_IMAGE_GHCR_URL }}:${{ env.STATIC_TAG }},${{ env.LATEST_TAG }}