.github/workflows/release.yaml

name: Release

on:
  push:
    tags:
      - v*
    branches:
      - master
      - dev-*

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

permissions:
  contents: read

jobs:
  build-linux-amd64:
    name: Build & push linux/amd64
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        platform: [ linux/amd64 ]
        target: [ workflow-controller, argocli, argoexec ]
    steps:
      - uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.10.4

      - name: Cache Docker layers
        uses: actions/cache@v3
        id: cache
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Docker Buildx
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
        run: |
          set -eux
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi
          # copied verbatim from Makefile
          GIT_COMMIT=$(git rev-parse HEAD || echo unknown)
          GIT_TAG=$(git describe --exact-match --tags --abbrev=0  2> /dev/null || echo untagged)
          GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
  
          tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
          image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"

          docker buildx build \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            --cache-to "type=local,dest=/tmp/.buildx-cache" \
            --output "type=image,push=true" \
            --build-arg GIT_COMMIT=$GIT_COMMIT \
            --build-arg GIT_TAG=$GIT_TAG \
            --build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
            --platform="${PLATFORM}" \
            --target $TARGET \
            --provenance=false \
            --tag $image_name .

          docker buildx build \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            --cache-to "type=local,dest=/tmp/.buildx-cache" \
            --output "type=image,push=true" \
            --build-arg GIT_COMMIT=$GIT_COMMIT \
            --build-arg GIT_TAG=$GIT_TAG \
            --build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
            --platform="${PLATFORM}" \
            --target $TARGET \
            --provenance=false \
            --tag quay.io/$image_name .

  build-linux-arm64:
    name: Build & push linux/arm64
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        platform: [ linux/arm64 ]
        target: [ workflow-controller, argocli, argoexec ]
    steps:
      - uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
        with:
          platforms: arm64

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.10.4

      - name: Cache Docker layers
        uses: actions/cache@v3
        id: cache
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Docker Buildx
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
        run: |
          set -eux
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi
          # copied verbatim from Makefile
          GIT_COMMIT=$(git rev-parse HEAD || echo unknown)
          GIT_TAG=$(git describe --exact-match --tags --abbrev=0  2> /dev/null || echo untagged)
          GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
          
          tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
          image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"

          docker buildx build \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            --cache-to "type=local,dest=/tmp/.buildx-cache" \
            --output "type=image,push=true" \
            --build-arg GIT_COMMIT=$GIT_COMMIT \
            --build-arg GIT_TAG=$GIT_TAG \
            --build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
            --platform="${PLATFORM}" \
            --target $TARGET \
            --provenance=false \
            --tag $image_name .

          docker buildx build \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            --cache-to "type=local,dest=/tmp/.buildx-cache" \
            --output "type=image,push=true" \
            --build-arg GIT_COMMIT=$GIT_COMMIT \
            --build-arg GIT_TAG=$GIT_TAG \
            --build-arg GIT_TREE_STATE=$GIT_TREE_STATE \
            --platform="${PLATFORM}" \
            --target $TARGET \
            --provenance=false \
            --tag quay.io/$image_name .

  build-windows:
    name: Build & push windows
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: windows-2019
    steps:
      - uses: actions/checkout@v3
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}
   
      - name: Build & Push Windows Docker Images
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
        run: |
          docker_org=$DOCKERIO_ORG

          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          targets="argoexec"
          for target in $targets; do
            image_name="${docker_org}/${target}:${tag}-windows"
            docker build \
              --build-arg GIT_COMMIT=$tag \
              --build-arg GIT_BRANCH=$branch \
              --build-arg GIT_TREE_STATE=$tree_state \
              --target $target \
              -t $image_name \
              -f Dockerfile.windows \
              .
          
            docker push $image_name

            docker tag $image_name quay.io/$image_name
            docker push quay.io/$image_name

          done

  push-images:
    name: Push manifest with all images
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: ubuntu-latest
    needs: [ build-linux-amd64, build-linux-arm64, build-windows ]
    steps:
      - uses: actions/checkout@v3
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Install cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.13.0'

      - name: Push Multiarch Image
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
        run: |
          echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json

          docker_org=$DOCKERIO_ORG

          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          targets="workflow-controller argoexec argocli"
          for target in $targets; do
            image_name="${docker_org}/${target}:${tag}"

            if [ $target = "argoexec" ]; then
              docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
              docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
            else
              docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
              docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64
            fi

            docker manifest push $image_name
            docker manifest push quay.io/$image_name

            cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name

          done

  test-images-linux-amd64:
    name: Try pulling linux/amd64
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: ubuntu-latest
    needs: [ push-images ]
    strategy:
      matrix:
        platform: [ linux/amd64 ]
        target: [ workflow-controller, argocli, argoexec ]
    steps:
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}

      - name: Docker Buildx
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
        run: |
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          image_name="${DOCKERIO_ORG}/${TARGET}:${tag}"
          docker pull $image_name
          docker pull quay.io/$image_name

  test-images-windows:
    name: Try pulling windows
    if: github.repository == 'argoproj/argo-workflows'
    runs-on: windows-2019
    needs: [ push-images ]
    steps:
      - name: Docker Login
        uses: Azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKERIO_USERNAME }}
          password: ${{ secrets.DOCKERIO_PASSWORD }}

      - name: Login to Quay
        uses: Azure/docker-login@v1
        with:
          login-server: quay.io
          username: ${{ secrets.QUAYIO_USERNAME }}
          password: ${{ secrets.QUAYIO_PASSWORD }}
      - name: Try pulling
        env:
          DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
        run: |
          docker_org=$DOCKERIO_ORG
          tag=$(basename $GITHUB_REF)
          if [ $tag = "master" ]; then
            tag="latest"
          fi

          targets="argoexec"
          for target in $targets; do
            image_name="${docker_org}/${target}:${tag}"
            docker pull $image_name
            docker pull quay.io/$image_name
          done

  publish-release:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    runs-on: ubuntu-latest
    if: github.repository == 'argoproj/argo-workflows'
    needs: [ push-images, test-images-linux-amd64, test-images-windows ]
    env:
      NODE_OPTIONS: --max-old-space-size=4096
      COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
      COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: "16"
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
      - uses: actions/cache@v3
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
      - uses: actions/cache@v3
        with:
          path: /home/runner/.cache/go-build
          key: GOCACHE-v2-${{ hashFiles('**/go.mod') }}
      - uses: actions/cache@v3
        with:
          path: /home/runner/go/pkg/mod
          key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }}
      - name: Install cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.13.0'
      # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
      - run: |
          if [ ${GITHUB_REF##*/} = master ]; then
           echo "VERSION=latest" >> $GITHUB_ENV
          else
            echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
          fi
      - run: go install sigs.k8s.io/bom/cmd/bom@v0.2.0
      - run: go install github.com/spdx/spdx-sbom-generator/cmd/generator@v0.0.13
      - run: mkdir -p dist
      - run: generator -o dist -p .
      - run: yarn --cwd ui install
      - run: generator -o dist -p ui
      - run: bom generate --image quay.io/argoproj/workflow-controller:$VERSION -o dist/workflow-controller.spdx
      - run: bom generate --image quay.io/argoproj/argocli:$VERSION -o dist/argocli.spdx
      - run: bom generate --image quay.io/argoproj/argoexec:$VERSION -o dist/argoexec.spdx
      # pack the boms into one file to make it easy to download
      - run: tar -zcf dist/sbom.tar.gz dist/*.spdx
      - run: make release-notes VERSION=$VERSION
      - run: cat release-notes
      - run: make manifests VERSION=$VERSION
      - name: Print image tag (please check it is not `:latest`)
        run: |
          grep image: dist/manifests/install.yaml
      - run: go mod download
      - run: make clis STATIC_FILES=true VERSION=$VERSION
      - name: Print version (please check it is not dirty)
        run: dist/argo-linux-amd64 version
      - run: make checksums
      - name: Sign checksums and create public key for release assets
        run: |
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig
          # Retrieves the public key to release as an asset
          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub

      # https://github.com/softprops/action-gh-release
      # This will publish the release and upload assets.
      # If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
      # of this action.
      # Instead, delete the release so it is re-created.
      - uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
          body_path: release-notes
          files: |
            dist/argo-*.gz
            dist/argo-workflows-cli-checksums.txt
            dist/argo-workflows-cli-checksums.sig
            dist/manifests/*.yaml
            dist/argo-workflows-cosign.pub
            dist/sbom.tar.gz
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}