name: Release Kata Containers on: workflow_dispatch permissions: {} jobs: release: name: release runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release create` command steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: Create a new release run: | ./tools/packaging/release/release.sh create-new-release env: GH_TOKEN: ${{ github.token }} build-and-push-assets-amd64: needs: release permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/release-amd64.yaml with: target-arch: amd64 secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} build-and-push-assets-arm64: needs: release permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/release-arm64.yaml with: target-arch: arm64 secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }} build-and-push-assets-s390x: needs: release permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/release-s390x.yaml with: target-arch: s390x secrets: CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} build-and-push-assets-ppc64le: needs: release permissions: contents: read packages: write id-token: write attestations: write uses: ./.github/workflows/release-ppc64le.yaml with: target-arch: ppc64le secrets: QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} publish-multi-arch-images: name: publish-multi-arch-images runs-on: ubuntu-22.04 needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le] permissions: contents: write # needed for the `gh release` commands packages: write # needed to push the multi-arch manifest to ghcr.io steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Login to Kata Containers ghcr.io uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Kata Containers quay.io uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: quay.io username: ${{ vars.QUAY_DEPLOYER_USERNAME }} password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} - name: Get the image tags run: | release_version=$(./tools/packaging/release/release.sh release-version) echo "KATA_DEPLOY_IMAGE_TAGS=$release_version latest" >> "$GITHUB_ENV" - name: Publish multi-arch manifest on quay.io & ghcr.io run: | ./tools/packaging/release/release.sh publish-multiarch-manifest env: KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy" upload-multi-arch-static-tarball: name: upload-multi-arch-static-tarball needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le] permissions: contents: write # needed for the `gh release` commands runs-on: ubuntu-22.04 steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Set KATA_STATIC_TARBALL env var run: | tarball=$(pwd)/kata-static.tar.zst echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV" - name: Download amd64 artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-amd64 - name: Upload amd64 static tarball to GitHub run: | ./tools/packaging/release/release.sh upload-kata-static-tarball env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: amd64 - name: Download arm64 artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-arm64 - name: Upload arm64 static tarball to GitHub run: | ./tools/packaging/release/release.sh upload-kata-static-tarball env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: arm64 - name: Download s390x artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-s390x - name: Upload s390x static tarball to GitHub run: | ./tools/packaging/release/release.sh upload-kata-static-tarball env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: s390x - name: Download ppc64le artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-static-tarball-ppc64le - name: Upload ppc64le static tarball to GitHub run: | ./tools/packaging/release/release.sh upload-kata-static-tarball env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: ppc64le - name: Set KATA_TOOLS_STATIC_TARBALL env var run: | tarball=$(pwd)/kata-tools-static.tar.zst echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV" - name: Download amd64 tools artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kata-tools-static-tarball-amd64 - name: Upload amd64 static tarball tools to GitHub run: | ./tools/packaging/release/release.sh upload-kata-tools-static-tarball env: GH_TOKEN: ${{ github.token }} ARCHITECTURE: amd64 upload-versions-yaml: name: upload-versions-yaml needs: release runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release` commands steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Upload versions.yaml to GitHub run: | ./tools/packaging/release/release.sh upload-versions-yaml-file env: GH_TOKEN: ${{ github.token }} upload-cargo-vendored-tarball: name: upload-cargo-vendored-tarball needs: release runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release` commands steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Generate and upload vendored code tarball run: | ./tools/packaging/release/release.sh upload-vendored-code-tarball env: GH_TOKEN: ${{ github.token }} upload-libseccomp-tarball: name: upload-libseccomp-tarball needs: release runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release` commands steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Download libseccomp tarball and upload it to GitHub run: | ./tools/packaging/release/release.sh upload-libseccomp-tarball env: GH_TOKEN: ${{ github.token }} upload-helm-chart-tarball: name: upload-helm-chart-tarball needs: release runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release` commands packages: write # needed to push the helm chart to ghcr.io steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Install helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 id: install - name: Generate and upload helm chart tarball run: | ./tools/packaging/release/release.sh upload-helm-chart-tarball env: GH_TOKEN: ${{ github.token }} - name: Login to the OCI registries env: QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }} QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} GITHUB_TOKEN: ${{ github.token }} run: | echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin - name: Push helm chart to the OCI registries run: | release_version=$(./tools/packaging/release/release.sh release-version) helm push "kata-deploy-${release_version}.tgz" oci://quay.io/kata-containers/kata-deploy-charts helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts publish-release: name: publish-release needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ] runs-on: ubuntu-22.04 permissions: contents: write # needed for the `gh release` commands steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Publish a release run: | ./tools/packaging/release/release.sh publish-release env: GH_TOKEN: ${{ github.token }}