release.yml

name: Release
on:
  push:
    tags:
      - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
env:
  REGISTRY: ghcr.io/sovereigncloudstack
  metadata_flavor: latest=true
  metadata_tags: type=ref,event=tag
permissions:
  contents: write
  packages: write
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write
jobs:
  manager-image:
    name: Build and push manager image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
        with:
          fetch-depth: 0
      - uses: ./.github/actions/setup-go
      - name: Set up QEMU
        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2

      - name: Generate metadata cso
        id: metacso
        uses: ./.github/actions/metadata
        env:
          IMAGE_NAME: cso
        with:
          metadata_flavor: ${{ env.metadata_flavor }}
          metadata_tags: ${{ env.metadata_tags }}

      - name: Login to ghcr.io for CI
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5

      - name: Install Bom
        shell: bash
        run: |
          curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
          sudo mv ./bom /usr/local/bin/bom
          sudo chmod +x /usr/local/bin/bom

      - name: Setup Env
        run: |
          DOCKER_BUILD_LDFLAGS="$(hack/version.sh)"
          echo 'DOCKER_BUILD_LDFLAGS<<EOF' >> $GITHUB_ENV
          echo $DOCKER_BUILD_LDFLAGS >> $GITHUB_ENV
          echo 'EOF' >> $GITHUB_ENV

      - name: Build and push cso image
        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
        id: docker_build_release_cso
        with:
          provenance: false
          context: .
          file: ./images/cso/Dockerfile
          push: true
          build-args: |
            LDFLAGS=${{ env.DOCKER_BUILD_LDFLAGS }}
          tags: ${{ steps.metacso.outputs.tags }}
          labels: ${{ steps.metacso.outputs.labels }}
          platforms: linux/amd64
          cache-from: type=gha, scope=${{ github.workflow }}
          cache-to: type=gha, mode=max, scope=${{ github.workflow }}

      - name: Sign Container Images
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign --yes ghcr.io/sovereigncloudstack/cso@${{ steps.docker_build_release_cso.outputs.digest }}

      - name: Generate SBOM CSO
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
        run: |
          bom generate -o sbom_ci_main_cso_${{ steps.metacso.outputs.version }}.spdx \
          --image=ghcr.io/sovereigncloudstack/cso:${{ steps.metacso.outputs.version }}

      - name: Attach SBOM to Container Images cso
        run: |
          cosign attach sbom --sbom sbom_ci_main_cso_${{ steps.metacso.outputs.version }}.spdx ghcr.io/sovereigncloudstack/cso@${{ steps.docker_build_release_cso.outputs.digest }}

      - name: Sign SBOM Images cso
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          docker_build_release_digest="${{ steps.docker_build_release_cso.outputs.digest }}"
          image_name="ghcr.io/sovereigncloudstack/cso:${docker_build_release_digest/:/-}.sbom"
          docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign --yes "ghcr.io/sovereigncloudstack/cso@${docker_build_release_sbom_digest}"

      - name: Image Releases digests cso
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "ghcr.io/sovereigncloudstack/cso:{{ steps.metacso.outputs.version }}@${{ steps.docker_build_release_cso.outputs.digest }}" >> image-digest/cso.txt

      # Upload artifact digests
      - name: Upload artifact digests
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: image-digest cso
          path: image-digest
          retention-days: 90

      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          find -type f | sort | xargs -d '\n' cat

  release:
    name: Create draft release
    runs-on: ubuntu-latest
    needs:
      - manager-image
    steps:
      - name: Set env
        run: echo "RELEASE_TAG=${GITHUB_REF:10}" >> $GITHUB_ENV

      - name: checkout code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
        with:
          fetch-depth: 0

      - name: Install go
        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version-file: "go.mod"
          cache: true
          cache-dependency-path: go.sum

      - name: install kustomize
        run: |
          make kustomize

      - name: generate release artifacts
        run: |
          make release

      - name: generate release notes
        run: |
          make release-notes

      - name: Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          draft: true
          files: out/*
          body_path: _releasenotes/${{ env.RELEASE_TAG }}.md