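# Publishes the Flux install manifests as OCI artifacts to GHCR and DockerHub
# when a release is published (or on manual dispatch), signs them with cosign
# keyless signing, and then moves the `latest` tag to the new version.
#
# NOTE(review): this copy of the workflow has lost text wherever a registry
# host or repository path appeared. `registry:`, `mkdir -p ./`,
# `--export > ./`, `cd ./`, `oci://` and `cosign sign` are all incomplete.
# They are reproduced as found; restore them from the project's own file
# before running this workflow.
name: release-manifests

on:
  release:
    types: [published]
  workflow_dispatch:

# Workflow-wide default: the token is read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  build-push:
    runs-on: ubuntu-latest
    # Write scopes belong to the one job that uses them. A job-level block
    # replaces the workflow default rather than extending it, so
    # `contents: read` is listed again for the checkout step.
    permissions:
      contents: read  # needed for checkout
      id-token: write  # needed for keyless signing
      # NOTE(review): the GHCR login below uses secrets.GHCR_TOKEN, not the
      # workflow token, so this grant may be unused; confirm before keeping.
      packages: write  # needed for ghcr access
    steps:
      # NOTE(review): every third-party action here is referenced by a
      # mutable tag or branch (`@v3`, `@v2`, `@main`). This job holds
      # registry credentials and an OIDC signing identity, so pin each
      # `uses:` to a full commit SHA to fix the code that runs with them.
      - uses: actions/checkout@v3
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
        id: prep
        run: |
          VERSION=$(flux version --client | awk '{ print $NF }')
          # $GITHUB_OUTPUT replaces the deprecated ::set-output command.
          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          # NOTE(review): registry host is missing in this copy. With no
          # value the action presumably falls back to its default registry;
          # confirm, because that would send the GHCR token elsewhere.
          registry:
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      # In the run steps below, workflow expressions are passed through
      # `env:` and read as quoted shell variables. An expression written
      # inside `run:` is pasted into the script before the shell parses it,
      # so a ref name containing shell syntax would be executed as code.
      - name: Push manifests to GHCR
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
          SOURCE_URL: ${{ github.repositoryUrl }}
          REVISION: ${{ github.ref_name }}/${{ github.sha }}
        run: |
          mkdir -p ./
          flux install \
            --components-extra=image-reflector-controller,image-automation-controller \
            --export > ./
          cd ./ && flux push artifact \
            "oci://${VERSION}" \
            --path="./flux-system" \
            --source="${SOURCE_URL}" \
            --revision="${REVISION}"
      - name: Push manifests to DockerHub
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
          SOURCE_URL: ${{ github.repositoryUrl }}
          REVISION: ${{ github.ref_name }}/${{ github.sha }}
        run: |
          mkdir -p ./
          flux install \
            --components-extra=image-reflector-controller,image-automation-controller \
            --export > ./
          cd ./ && flux push artifact \
            "oci://${VERSION}" \
            --path="./flux-system" \
            --source="${SOURCE_URL}" \
            --revision="${REVISION}"
      - uses: sigstore/cosign-installer@main
      # NOTE(review): the artifacts are signed by tag after the push. A tag
      # can be moved between the two steps; signing the digest reported by
      # the push binds the signature to the exact content that was uploaded.
      # With the installer unpinned, the cosign version (and whether
      # COSIGN_EXPERIMENTAL is still required) can also change between runs.
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          cosign sign${VERSION}
          cosign sign${VERSION}
      - name: Tag manifests
        env:
          VERSION: ${{ steps.prep.outputs.VERSION }}
        run: |
          flux tag artifact "oci://${VERSION}" \
            --tag latest
          flux tag artifact "oci://${VERSION}" \
            --tag latest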