Another attempt to remediate user namespace issues with ubuntu24 runn… #33
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: cli-release | |
on: | |
push: | |
tags: | |
- release/cli/** | |
permissions: | |
contents: read | |
env: | |
VERSIONS_FILE: "VERSIONS.json" | |
jobs: | |
get-dev-image: | |
uses: ./.github/workflows/get_image.yaml | |
with: | |
image-base-name: "dev_image_with_extras" | |
build-release: | |
name: Build Release | |
runs-on: ubuntu-latest-16-cores | |
needs: get-dev-image | |
container: | |
image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
env: | |
ARTIFACT_UPLOAD_LOG: "artifact_uploads.json" | |
steps: | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
fetch-depth: 0 | |
- name: Add pwd to git safe dir | |
run: git config --global --add safe.directory `pwd` | |
- name: get bazel config | |
uses: ./.github/actions/bazelrc | |
with: | |
download_toplevel: 'true' | |
BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
- name: Setup podman | |
run: | | |
# With some kernel configs (eg. COS), podman only works with legacy iptables. | |
update-alternatives --set iptables /usr/sbin/iptables-legacy | |
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy | |
- name: Import GPG key | |
env: | |
BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} | |
run: | | |
echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import | |
- id: gcloud-creds | |
uses: ./.github/actions/gcloud_creds | |
with: | |
SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} | |
- name: Build & Push Artifacts | |
env: | |
REF: ${{ github.event.ref }} | |
BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
BUILD_NUMBER: ${{ github.run_attempt }} | |
JOB_NAME: ${{ github.job }} | |
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} | |
shell: bash | |
run: | | |
export TAG_NAME="${REF#*/tags/}" | |
mkdir -p "artifacts/" | |
export ARTIFACTS_DIR="$(realpath artifacts/)" | |
sysctl -w kernel.unprivileged_userns_clone=1 | |
./ci/save_version_info.sh | |
./ci/cli_build_release.sh | |
- name: Upload Github Artifacts | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: linux-artifacts | |
path: artifacts/ | |
- name: Update GCS Manifest | |
env: | |
ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public" | |
# Use the old style versions file instead of the new updates for the gcs manifest. | |
MANIFEST_UPDATES: "" | |
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} | |
run: ./ci/update_artifact_manifest.sh | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: artifact-upload-log | |
path: ${{ env.ARTIFACT_UPLOAD_LOG }} | |
sign-release: | |
name: Sign Release for MacOS | |
runs-on: macos-latest | |
needs: build-release | |
steps: | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
fetch-depth: 0 | |
- name: Add pwd to git safe dir | |
run: git config --global --add safe.directory `pwd` | |
- name: Install gon | |
run: brew install Bearer/tap/gon | |
- name: Sign CLI release | |
env: | |
REF: ${{ github.event.ref }} | |
AC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
CERT_BASE64: ${{ secrets.APPLE_SIGN_CERT_B64 }} | |
CERT_PASSWORD: ${{ secrets.APPLE_SIGN_CERT_PASSWORD }} | |
shell: bash | |
run: | | |
export CERT_PATH="pixie.cert" | |
echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH" | |
export TAG_NAME="${REF#*/tags/}" | |
mkdir -p "artifacts/" | |
export ARTIFACTS_DIR="$(pwd)/artifacts" | |
./ci/cli_merge_sign.sh | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: macos-artifacts | |
path: artifacts/ | |
push-signed-artifacts: | |
name: Push Signed Artifacts for MacOS | |
runs-on: ubuntu-latest | |
needs: [get-dev-image, sign-release] | |
container: | |
image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
env: | |
MANIFEST_UPDATES: "manifest_updates.json" | |
steps: | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: macos-artifacts | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: artifact-upload-log | |
- name: Import GPG key | |
env: | |
BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} | |
run: | | |
echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import | |
- id: gcloud-creds | |
uses: ./.github/actions/gcloud_creds | |
with: | |
SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} | |
- name: Add pwd to git safe dir | |
run: | | |
git config --global --add safe.directory `pwd` | |
- name: Upload signed CLI | |
env: | |
REF: ${{ github.event.ref }} | |
BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} | |
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} | |
ARTIFACT_UPLOAD_LOG: "artifact_uploads.json" | |
shell: bash | |
run: | | |
export TAG_NAME="${REF#*/tags/}" | |
mkdir -p "artifacts/" | |
export ARTIFACTS_DIR="$(pwd)/artifacts" | |
./ci/cli_upload_signed.sh | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: macos-artifacts | |
path: artifacts/ | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: manifest-updates | |
path: ${{ env.MANIFEST_UPDATES }} | |
create-github-release: | |
name: Create Release on Github | |
runs-on: ubuntu-latest | |
needs: push-signed-artifacts | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
- name: Create Release | |
env: | |
REF: ${{ github.event.ref }} | |
GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }} | |
shell: bash | |
run: | | |
export TAG_NAME="${REF#*/tags/}" | |
# actions/checkout doesn't get the tag annotation properly. | |
git fetch origin tag "${TAG_NAME}" -f | |
export changelog="$(git tag -l --format='%(contents)' "${TAG_NAME}")" | |
prerelease=() | |
if [[ "${REF}" == *"-"* ]]; then | |
prerelease=("--prerelease") | |
fi | |
gh release create "${TAG_NAME}" "${prerelease[@]}" \ | |
--title "CLI ${TAG_NAME#release/cli/}" \ | |
--notes $'Pixie CLI Release:\n'"${changelog}" | |
gh release upload "${TAG_NAME}" linux-artifacts/* macos-artifacts/* | |
update-gh-artifacts-manifest: | |
runs-on: ubuntu-latest-8-cores | |
needs: [get-dev-image, create-github-release] | |
container: | |
image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
concurrency: gh-pages | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
fetch-depth: 0 | |
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0 | |
with: | |
ref: gh-pages | |
path: gh-pages | |
- name: Add pwd to git safe dir | |
run: | | |
git config --global --add safe.directory `pwd` | |
git config --global --add safe.directory "$(pwd)/gh-pages" | |
- name: Import GPG key | |
env: | |
BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} | |
run: | | |
echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import | |
- name: Setup git | |
shell: bash | |
env: | |
BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} | |
run: | | |
git config --global user.name 'pixie-io-buildbot' | |
git config --global user.email '[email protected]' | |
git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}" | |
git config --global commit.gpgsign true | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
id: download-artifact | |
with: | |
name: manifest-updates | |
- name: Update gh-pages Manifest | |
env: | |
ARTIFACT_MANIFEST_PATH: "gh-pages/artifacts/manifest.json" | |
MANIFEST_UPDATES: "manifest_updates.json" | |
run: | | |
./ci/update_artifact_manifest.sh | |
cd gh-pages | |
export ARTIFACT_MANIFEST_PATH="${ARTIFACT_MANIFEST_PATH##gh-pages/}" | |
git add "${ARTIFACT_MANIFEST_PATH}" "${ARTIFACT_MANIFEST_PATH}.sha256" | |
git commit -s -m "Update artifact manifest" | |
git push origin "gh-pages" |