name: Finalize release on: release: types: [published] workflow_dispatch: inputs: version: description: 'Run finalize release on a specific tag.' required: true default: '' jobs: push-final-images: runs-on: ubuntu-latest env: SYSDIG_IMAGE_BASE: ghcr.io/draios/sysdig SYSDIG_DOCKERHUB_IMAGE_BASE: docker.io/sysdig/sysdig RELEASE: ${{ (github.event_name == 'workflow_dispatch') && (github.event.inputs.version != '') && github.event.inputs.version || github.event.release.name }} steps: - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME_PUBLIC }} password: ${{ secrets.DOCKER_HUB_PASSWORD_PUBLIC }} - name: Login to Github Packages uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Publish final docker images (amd64) uses: akhilerm/tag-push-action@v2.0.0 with: src: ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-amd64-draft dst: | ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-amd64 ${{ env.SYSDIG_IMAGE_BASE }}:latest-amd64 ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }}-amd64 ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest-amd64 - name: Publish final docker images (arm64) uses: akhilerm/tag-push-action@v2.0.0 with: src: ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-arm64-draft dst: | ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-arm64 ${{ env.SYSDIG_IMAGE_BASE }}:latest-arm64 ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }}-arm64 ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest-arm64 - name: Create latest manifest and push run: | docker manifest create \ ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }} \ --amend ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-amd64 \ --amend ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }}-arm64 docker manifest push ${{ env.SYSDIG_IMAGE_BASE }}:${{ env.RELEASE }} docker manifest create \ ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }} \ --amend ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }}-amd64 \ --amend ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }}-arm64 docker manifest push ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:${{ env.RELEASE }} docker manifest create \ ${{ env.SYSDIG_IMAGE_BASE }}:latest \ --amend ${{ env.SYSDIG_IMAGE_BASE }}:latest-amd64 \ --amend ${{ env.SYSDIG_IMAGE_BASE }}:latest-arm64 docker manifest push ${{ env.SYSDIG_IMAGE_BASE }}:latest docker manifest create \ ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest \ --amend ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest-amd64 \ --amend ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest-arm64 docker manifest push ${{ env.SYSDIG_DOCKERHUB_IMAGE_BASE }}:latest release-rpm: strategy: matrix: name: [amd64, arm64] include: - name: amd64 base_arch: x86_64 release_arch: x86_64 - name: arm64 base_arch: aarch64 release_arch: aarch64 runs-on: ubuntu-latest env: RPM_BASEARCH: ${{ matrix.base_arch }} RELEASE_ARCH: ${{ matrix.release_arch }} REPOSITORY_NAME: stable REPOSITORY_DIR: rpm_repo PACKAGES_DIR: packages S3_BUCKET: download.draios.com RELEASE: ${{ (github.event_name == 'workflow_dispatch') && (github.event.inputs.version != '') && github.event.inputs.version || github.event.release.name }} KEY_ID: EC51E8C4 # These permissions are needed to interact with GitHub's OIDC Token endpoint. permissions: id-token: write contents: read steps: - name: Install deps run: | sudo apt-get update && sudo apt-get -y install dpkg-dev gpg createrepo-c - name: Cleanup run: | sudo rm -rf /usr/lib/jvm sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/share/swift sudo rm -rf /usr/local/.ghcup sudo rm -rf /usr/local/julia* sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/local/share/chromium sudo rm -rf /opt/microsoft /opt/google sudo rm -rf /opt/az sudo rm -rf /usr/local/share/powershell sudo rm -rf /opt/hostedtoolcache/CodeQL sudo rm -fr /usr/lib/google-cloud-sdk sudo rm -fr /home/runner/.rustup docker system prune -af || true docker builder prune -af || true df -h - name: Checkout Sysdig uses: actions/checkout@v4 with: path: sysdig - name: Create directories run: | mkdir -p $REPOSITORY_DIR mkdir -p $PACKAGES_DIR - name: Download RPM uses: dsaltares/fetch-gh-release-asset@master with: version: "tags/${{ env.RELEASE }}" file: sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.rpm target: ${{ env.PACKAGES_DIR }}/sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.rpm token: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@fcd8bb1e0a3c9d2a0687615ee31d34d8aea18a96 with: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} aws-region: us-east-1 - name: Import private key env: PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }} run: printenv PRIVATE_KEY | gpg --import - - name: Release RPMs env: SCRIPTS_DIR: sysdig/scripts/release run: sysdig/scripts/release/release_rpm.sh release-deb: strategy: matrix: name: [amd64, arm64] include: - name: amd64 base_arch: amd64 release_arch: x86_64 - name: arm64 base_arch: arm64 release_arch: aarch64 runs-on: ubuntu-latest env: DEB_BASEARCH: ${{ matrix.base_arch }} RELEASE_ARCH: ${{ matrix.release_arch }} REPOSITORY_NAME: stable REPOSITORY_DIR: deb_repo PACKAGES_DIR: packages RELEASE: ${{ (github.event_name == 'workflow_dispatch') && (github.event.inputs.version != '') && github.event.inputs.version || github.event.release.name }} S3_BUCKET: download.draios.com KEY_ID: EC51E8C4 # These permissions are needed to interact with GitHub's OIDC Token endpoint. permissions: id-token: write contents: read steps: - name: Install deps run: | sudo apt-get update && sudo apt-get -y install dpkg-dev gpg - name: Cleanup run: | sudo rm -rf /usr/lib/jvm sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/share/swift sudo rm -rf /usr/local/.ghcup sudo rm -rf /usr/local/julia* sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/local/share/chromium sudo rm -rf /opt/microsoft /opt/google sudo rm -rf /opt/az sudo rm -rf /usr/local/share/powershell sudo rm -rf /opt/hostedtoolcache/CodeQL sudo rm -fr /usr/lib/google-cloud-sdk sudo rm -fr /home/runner/.rustup docker system prune -af || true docker builder prune -af || true df -h - name: Checkout Sysdig uses: actions/checkout@v4 with: path: sysdig - name: Create directories run: | mkdir -p $REPOSITORY_DIR mkdir -p $PACKAGES_DIR - name: Download DEB uses: dsaltares/fetch-gh-release-asset@master with: version: "tags/${{ env.RELEASE }}" file: sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.deb target: ${{ env.PACKAGES_DIR }}/sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.deb token: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@fcd8bb1e0a3c9d2a0687615ee31d34d8aea18a96 with: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} aws-region: us-east-1 - name: Import private key env: PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }} run: printenv PRIVATE_KEY | gpg --import - - name: Release DEBs env: SCRIPTS_DIR: sysdig/scripts/release run: sysdig/scripts/release/release_deb.sh release-tgz: strategy: matrix: name: [amd64, arm64] include: - name: amd64 base_arch: x86_64 release_arch: x86_64 - name: arm64 base_arch: aarch64 release_arch: aarch64 runs-on: ubuntu-latest env: RELEASE_ARCH: ${{ matrix.release_arch }} TGZ_BASEARCH: ${{ matrix.base_arch }} REPOSITORY_NAME: stable REPOSITORY_DIR: tgz_repo PACKAGES_DIR: packages RELEASE: ${{ (github.event_name == 'workflow_dispatch') && (github.event.inputs.version != '') && github.event.inputs.version || github.event.release.name }} S3_BUCKET: download.draios.com # These permissions are needed to interact with GitHub's OIDC Token endpoint. permissions: id-token: write contents: read steps: - name: Checkout Sysdig uses: actions/checkout@v4 with: path: sysdig - name: Create directories run: | mkdir -p $REPOSITORY_DIR mkdir -p $PACKAGES_DIR - name: Download targz uses: dsaltares/fetch-gh-release-asset@master with: version: "tags/${{ env.RELEASE }}" file: sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.tar.gz target: ${{ env.PACKAGES_DIR }}/sysdig-${{ env.RELEASE }}-${{ env.RELEASE_ARCH }}.tar.gz token: ${{ secrets.GITHUB_TOKEN }} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@fcd8bb1e0a3c9d2a0687615ee31d34d8aea18a96 with: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} aws-region: us-east-1 - name: Release tar.gz run: sysdig/scripts/release/release_tgz.sh - name: Release install-sysdig run: aws s3 cp sysdig/scripts/install-sysdig s3://${{ env.S3_BUCKET }}/${{ env.REPOSITORY_NAME }}/ --acl public-read