k3s/.github/workflows/release.yml
Brad Davidson 650fed932d
Validate collected files for release
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2025-12-15 19:27:56 -08:00


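name: K3s Release
on:
  release:
    types: [published]
# Default GITHUB_TOKEN scopes for every job. A job-level `permissions:` block
# replaces this one entirely (unlisted scopes become none), so each job below
# that declares its own block lists everything it needs.
permissions:
  contents: read
  packages: read
  id-token: write
jobs:
  build-amd64:
    name: Build Binary (amd64)
    uses: ./.github/workflows/build-k3s.yaml
    with:
      upload-build: true
  build-arm64:
    name: Build Binary (arm64)
    uses: ./.github/workflows/build-k3s.yaml
    with:
      arch: arm64
      upload-build: true
  build-arm:
    name: Build Binary (arm)
    uses: ./.github/workflows/build-k3s.yaml
    with:
      arch: arm
      upload-build: true
  push-release-image:
    name: Build and Push Multi-Arch Image
    runs-on: ubuntu-latest
    permissions:
      packages: write # Needed to push images to GHCR
      id-token: write
    needs: [build-amd64, build-arm64, build-arm]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Set up Docker
        uses: docker/setup-docker-action@v4
        with:
          version: type=image,tag=28
          daemon-config: '{"features":{"containerd-snapshotter":true}}'
          set-host: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # NOTE(review): rancher-eio/read-vault-secrets is referenced by the mutable
      # `main` branch and is handed registry credentials; pinning it to a full
      # commit SHA would remove the trust placed in that branch at run time.
      # Exactly one of the two registry reads below runs for k3s-io releases
      # (prerelease -> staging, otherwise prime); both populate REGISTRY,
      # REGISTRY_USERNAME and REGISTRY_PASSWORD for the login step further down.
      - name: Read registry secrets (staging)
        uses: rancher-eio/read-vault-secrets@main
        if: ${{ github.event.release.prerelease && github.repository_owner == 'k3s-io' }}
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials registry | REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials username | REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials password | REGISTRY_PASSWORD
      - name: Read registry secrets (prime)
        uses: rancher-eio/read-vault-secrets@main
        if: ${{ ! github.event.release.prerelease && github.repository_owner == 'k3s-io' }}
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials registry | REGISTRY ;
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials username | REGISTRY_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials password | REGISTRY_PASSWORD
      - name: "Read Vault secrets"
        if: github.repository_owner == 'k3s-io'
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_TOKEN ;
      - name: Login to DockerHub with Rancher Secrets
        if: github.repository_owner == 'k3s-io'
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_TOKEN }}
      # For forks, setup DockerHub login with GHA secrets
      - name: Login to DockerHub with GHA Secrets
        if: github.repository_owner != 'k3s-io'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      # Uses the REGISTRY* values exported by whichever registry-secrets read
      # ran above (staging or prime).
      - name: Login to Prime Registry
        if: github.repository_owner == 'k3s-io'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Produces the `tag_spec` output consumed by docker/metadata-action:
      # always the raw release tag (with `+` rewritten to `-`), plus a floating
      # v<major>.<minor> tag for stable (non-rc) releases.
      - name: Configure image tags
        id: tag_config
        run: |
          TAG=${GITHUB_REF#refs/tags/}
          # Base configuration - always transform the main tag
          # Transforms v1.32.4-rc1+k3s1 → v1.32.4-rc1-k3s1
          BASE_CONFIG="type=raw,value=${TAG//+/-}"
          if [[ "${TAG,,}" == *"rc"* ]]; then
            echo "RC release detected: $TAG"
            echo "tag_spec=$BASE_CONFIG" >> "$GITHUB_OUTPUT"
          else
            echo "Stable release detected: $TAG"
            # A multi-line step output must use the `name<<DELIM` syntax. Writing
            # "tag_spec=line1<newline>line2" in one echo exposes only line1 as
            # tag_spec; the runner reads line2 as a separate output named `type`,
            # so the semver tag would silently be dropped.
            {
              echo "tag_spec<<TAG_SPEC_EOF"
              echo "$BASE_CONFIG"
              echo "type=semver,pattern=v{{major}}.{{minor}}"
              echo "TAG_SPEC_EOF"
            } >> "$GITHUB_OUTPUT"
          fi
      # Context values are passed through env (or the runner's default
      # GITHUB_REPOSITORY_OWNER) instead of being expanded into the script text,
      # so the shell never interprets GitHub-supplied strings as code.
      - name: Set DockerHub Org
        env:
          FORK_DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        run: |
          if [ "${GITHUB_REPOSITORY_OWNER}" == "k3s-io" ]; then
            echo "DOCKERHUB_ORG=rancher" >> "$GITHUB_ENV"
          else
            echo "DOCKERHUB_ORG=${FORK_DOCKER_USERNAME}" >> "$GITHUB_ENV"
          fi
      # NOTE(review): on forks no registry-secrets step runs, so env.REGISTRY is
      # empty and the third image name renders as `/rancher/k3s` — confirm that
      # metadata-action/build-push tolerate this or gate the entry on the owner.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/k3s
            docker.io/${{ env.DOCKERHUB_ORG }}/k3s
            ${{ env.REGISTRY }}/rancher/k3s
          flavor: latest=false
          tags: ${{ steps.tag_config.outputs.tag_spec }}
      - name: "Download K3s build"
        uses: actions/download-artifact@v6
        with:
          pattern: k3s*
          path: ./dist/artifacts
          merge-multiple: true
      - name: Prepare build folder
        run: |
          mkdir -p ./build/out
          cp ./dist/artifacts/data-* ./build/out
      - name: Build and push K3s runtime image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./package/Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            TAG=${{ github.ref_name }}
  build-airgap:
    name: Airgap Image Tarballs
    uses: ./.github/workflows/airgap.yaml
  upload-release-assets:
    name: Prepare and Upload Release Assets
    permissions:
      contents: write # Needed to update release with assets
      id-token: write
    runs-on: ubuntu-latest
    needs: [build-amd64, build-arm64, build-arm, build-airgap]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      # NOTE(review): unlike the vault reads in push-release-image, this step has
      # no `github.repository_owner == 'k3s-io'` guard, so it also runs on forks
      # (where the Vault path presumably does not resolve) — confirm intended.
      - name: Read Prime artifacts secrets
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials secretAccessKey | AWS_SECRET_ACCESS_KEY ;
            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME
      - name: Configure AWS Credentials (s3)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: "Download Artifacts"
        uses: actions/download-artifact@v6
        with:
          pattern: "*"
          path: ./dist/artifacts
          merge-multiple: true
      # Folds the per-artifact .sha256sum files into one sha256sum-<arch>.txt per
      # architecture and deletes the originals so only the combined file is
      # uploaded. The k3s binary for amd64 has no arch suffix.
      - name: "Combine and format sha256sum files"
        run: |
          cp scripts/airgap/image-list.txt dist/artifacts/k3s-images.txt
          for ARCH in amd64 arm64 arm; do
            OUTPUT_FILE="./dist/artifacts/sha256sum-${ARCH}.txt"
            cat ./dist/artifacts/k3s-airgap-images-${ARCH}*.sha256sum >> "${OUTPUT_FILE}"
            rm ./dist/artifacts/k3s-airgap-images-${ARCH}*.sha256sum # Remove the original file to avoid uploading it
            if [[ "${ARCH}" == "amd64" ]]; then
              cat ./dist/artifacts/k3s.sha256sum >> "${OUTPUT_FILE}"
              rm ./dist/artifacts/k3s.sha256sum # Remove the original file to avoid uploading it
            else
              cat ./dist/artifacts/k3s-${ARCH}.sha256sum >> "${OUTPUT_FILE}"
              rm ./dist/artifacts/k3s-${ARCH}.sha256sum # Remove the original file to avoid uploading it
            fi
          done
      - name: Validate Assets for Release
        run: |
          ./scripts/validate-artifacts
      - name: Upload Assets to Release
        uses: softprops/action-gh-release@v2.2.1
        with:
          files: |
            dist/artifacts/k3s*
            dist/artifacts/sha256sum*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Assets to S3
        env:
          S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }}
        run: |
          aws s3 sync dist/artifacts/ "$S3_PATH" --quiet --no-progress --exclude "*" --include "k3s*" --include "sha256sum*"
  dispatch-k3s-upgrade:
    name: Dispatch k3s-upgrade Workflow
    runs-on: ubuntu-latest
    # Authenticates with a PAT only; nothing here uses GITHUB_TOKEN, so it gets
    # no scopes at all instead of inheriting the workflow defaults.
    permissions: {}
    needs: [upload-release-assets]
    steps:
      - name: Dispatch k3s-upgrade Workflow
        # The token, owner and tag are passed as env vars and the payload is
        # built with jq, so the tag is JSON-encoded rather than spliced into a
        # quoted literal in the script text.
        env:
          DISPATCH_TOKEN: ${{ secrets.K3S_UPGRADE_PAT }}
          REPO_OWNER: ${{ github.repository_owner }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          PAYLOAD="$(jq -cn --arg tag "${RELEASE_TAG}" \
            '{event_type: "tag-release", client_payload: {tag: $tag}}')"
          # --fail makes a rejected dispatch (4xx/5xx) fail the job instead of
          # exiting 0 with the error body in the log.
          curl -L --fail -XPOST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${DISPATCH_TOKEN}" \
            -H "Content-Type: application/json" \
            "https://api.github.com/repos/${REPO_OWNER}/k3s-upgrade/dispatches" \
            -d "${PAYLOAD}"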