Merge branch 'master' into master

.codecov.yml

@@ -8,13 +8,16 @@ coverage:
       default:
         threshold: 0.1
 ignore:
-  - "pkg/apis/rollouts/v1alpha1"
-  - "test"
-  - "**/*.pb.go"
-  - "**/*.pb.gw.go"
-  - "**/*generated.go"
-  - "**/*generated.deepcopy.go"
-  - "**/*_test.go"
-  - "pkg/apis/client/.*"
-  - "pkg/client/.*"
-  - "vendor/.*"
+  - 'pkg/apis/rollouts/v1alpha1'
+  - 'test'
+  - '**/*.pb.go'
+  - '**/*.pb.gw.go'
+  - '**/*generated.go'
+  - '**/*generated.deepcopy.go'
+  - '**/*_test.go'
+  - 'pkg/apis/client/.*'
+  - 'pkg/client/.*'
+  - 'vendor/.*'
+  - '**/mocks/*'
+  - 'hack/gen-crd-spec/main.go'
+  - 'hack/gen-docs/main.go'

.github/ISSUE_TEMPLATE/bug_report.md

@@ -11,7 +11,7 @@ assignees: ''
 Checklist:
 
 * [ ] I've included steps to reproduce the bug.
-* [ ] I've inclued the version of argo rollouts.
+* [ ] I've included the version of argo rollouts.
 
 **Describe the bug**
 
@@ -49,4 +49,4 @@ kubectl logs -n argo-rollouts deployment/argo-rollouts | grep rollout=<ROLLOUTNA
 <!-- Issue Author: Don't delete this message to encourage other users to support your issue! -->
 **Message from the maintainers**:
 
-Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.
+Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.

.github/workflows/README.md

@@ -0,0 +1,39 @@
+# Workflows
+
+| Workflow            | Description                                                     |
+|---------------------|-----------------------------------------------------------------|
+| changelog.yml       | Updates changelog when a release is published                   |
+| codeql.yaml         | CodeQL analysis                                                 |
+| docker-publish.yaml | Build container image for PR's & publish for push events        |
+| image-reuse.yaml    | Build, push, and Sign container images                          |
+| go.yaml             | lint, build, codegen                                            |
+| pr-title-check.yaml | Lint PR for semantic information                                |
+| init-release.yaml   | Build manifests and version then create a PR for release branch |
+| release.yaml        | Build images, cli-binaries, provenances, and post actions       |
+
+
+# Reusable workflows
+
+## image-reuse.yaml
+
+- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- A GO version `must` be specified e.g. 1.19
+- The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
+- Multiple platforms can be specified e.g. linux/amd64,linux/arm64
+- Images are not published by default. A boolean value must be set to `true` to push images.
+- An optional target can be specified.
+
+| Inputs            | Description                         | Type        | Required | Defaults        |
+|-------------------|-------------------------------------|-------------|----------|-----------------|
+| go-version        | Version of Go to be used            | string      | true     | none            |
+| quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| docker_image_name | Full image name and tag             | CSV, string | false    | none            |
+| platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
+| push              | Whether to push image/s to registry | boolean     | false    | false           |
+| target            | Target build stage                  | string      | false    | none            |
+
+| Outputs     | Description                              | Type  |
+|-------------|------------------------------------------|-------|
+|image-digest | Image digest of image container created  | string|
+

.github/workflows/changelog.yml

@@ -12,7 +12,7 @@ jobs:
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Update Changelog
@@ -23,10 +23,12 @@ jobs:
           ./git-chglog --sort semver -o CHANGELOG.md v1.3.1..
           rm git-chglog
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           commit-message: update changelog
           title: "docs: Update Changelog"
           body: Update changelog to reflect release changes
           branch: update-changelog
-          base: master
+          base: master
+          add-paths: |
+            CHANGELOG.md

.github/workflows/codeql.yml

@@ -27,19 +27,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -53,4 +53,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3

.github/workflows/docker-publish.yml

@@ -9,66 +9,42 @@ on:
   # Run tests for any PRs.
   pull_request:
 
-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
-  docker:
+  set-vars:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
+    outputs:
+      controller-meta-tags: ${{ steps.controller-meta.outputs.tags }}
+      plugin-meta-tags: ${{ steps.plugin-meta.outputs.tags }}
+      platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3.1.0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-        with:
-          config-inline: |
-            [worker.oci]
-            gc = false
-
       - name: Docker meta (controller)
         id: controller-meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             quay.io/argoproj/argo-rollouts
-          # ghcr.io/argoproj/argo-rollouts
           tags: |
-            type=ref,event=branch
-          flavor: |
-            latest=${{ github.ref == 'refs/heads/master' }}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Docker meta (plugin)
         id: plugin-meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             quay.io/argoproj/kubectl-argo-rollouts
-          # ghcr.io/argoproj/kubectl-argo-rollouts
           tags: |
-            type=ref,event=branch
-          flavor: |
-            latest=${{ github.ref == 'refs/heads/master' }}
-
-      # - name: Login to GitHub Container Registry
-      #   if: github.event_name != 'pull_request'
-      #   uses: docker/login-action@v2 
-      #   with:
-      #     registry: ghcr.io
-      #     username: ${{ github.repository_owner }}
-      #     password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Quay.io
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
       # avoid building linux/arm64 for PRs since it takes so long
       - name: Set Platform Matrix
@@ -79,69 +55,39 @@ jobs:
           then
             PLATFORM_MATRIX=$PLATFORM_MATRIX,linux/arm64
           fi
-          echo "::set-output name=platform-matrix::$PLATFORM_MATRIX"
-
-      - name: Build and push (controller-image)
-        uses: docker/build-push-action@v3
-        with:
-          platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.controller-meta.outputs.tags }}
-
-      - name: Build and push (plugin-image)
-        uses: docker/build-push-action@v3
-        with:
-          target: kubectl-argo-rollouts
-          platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.plugin-meta.outputs.tags }}
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.13.1'
-
-      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@v0.2
-
-      - name: Get digest of controller-image
-        run: |
-          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
-          then
-            echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:latest)" >> $GITHUB_ENV
-          fi
-          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
-          then
-            echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV
-          fi
-        if: github.event_name != 'pull_request'
-
-      - name: Get digest of plugin-image
-        run: |
-          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
-          then
-            echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:latest)" >> $GITHUB_ENV
-          fi
-          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
-          then
-            echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV
-          fi
-        if: github.event_name != 'pull_request'
-
-      - name: Sign Argo Rollouts Images
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
-
-      - name: Display the public key to share.
-        run: |
-          # Displays the public key to share
-          cosign public-key --key env://COSIGN_PRIVATE_KEY
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
+          echo "platform-matrix=$PLATFORM_MATRIX" >> $GITHUB_OUTPUT
+
+  build-and-push-controller-image:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: ${{ needs.set-vars.outputs.controller-meta-tags }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: '1.22'
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: ${{ github.event_name != 'pull_request' }}
+    secrets:
+      quay_username: ${{ secrets.QUAY_USERNAME }}
+      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+  build-and-push-plugin-image:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: ${{ needs.set-vars.outputs.plugin-meta-tags }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: '1.22'
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: ${{ github.event_name != 'pull_request' }}
+      target: kubectl-argo-rollouts
+    secrets:
+      quay_username: ${{ secrets.QUAY_USERNAME }}
+      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}