Publish All Operators - scheduled Release #830
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish All Operators | |
| run-name: ${{ format('Publish All Operators - {0} Release', github.event.inputs.release_type || 'scheduled') }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_type: | |
| type: choice | |
| description: The type of release | |
| options: | |
| - Patch | |
| - Minor | |
| - Major | |
| - Snapshot | |
| vulnerability_severity: | |
| description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. | |
| type: choice | |
| options: | |
| - CRITICAL,HIGH | |
| - CRITICAL,HIGH,MEDIUM | |
| - CRITICAL (DO NOT use if JIRA ticket not raised) | |
| schedule: | |
| - cron: "0 0 * * *" | |
| jobs: | |
| check_major: | |
| name: Check if major release | |
| runs-on: ubuntu-latest | |
| environment: ${{ inputs.release_type == 'Major' && 'publish-major' || '' }} | |
| steps: | |
| - run: echo "${{ inputs.release_type == 'Major' && 'Major release approved' || 'Skipped - not a Major release' }}" | |
| start: | |
| name: Start Operator Build | |
| needs: check_major | |
| runs-on: ubuntu-latest | |
| # Job-level (not workflow-level) so the lock frees when `start` completes, | |
| # before buildPublic runs — sharing this group with publish-public-operator | |
| # at the workflow level would otherwise deadlock the reusable call. Serializes | |
| # this train's version bump against a standalone public-operator dispatch. | |
| concurrency: | |
| group: operator-version-bump-${{ github.ref }} | |
| cancel-in-progress: false | |
| environment: ${{ github.ref_protected && 'ci-auto-merge' || '' }} | |
| outputs: | |
| new_version: ${{ steps.version.outputs.new_version }} | |
| commit_sha: ${{ steps.commit-and-tag.outputs.commit_sha }} | |
| release_type: ${{ steps.set-env.outputs.release_type }} | |
| vulnerability_severity: ${{ steps.set-env.outputs.vulnerability_severity }} | |
| env: | |
| RELEASE_TYPE: ${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }} | |
| VULNERABILITY_SEVERITY: ${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }} | |
| steps: | |
| - name: Set Environment Variables | |
| id: set-env | |
| run: | | |
| echo "release_type=${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }}" >> $GITHUB_ENV | |
| echo "vulnerability_severity=${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }}" >> $GITHUB_ENV | |
| echo "release_type=${RELEASE_TYPE}" >> $GITHUB_OUTPUT | |
| echo "vulnerability_severity=${VULNERABILITY_SEVERITY}" >> $GITHUB_OUTPUT | |
| - name: Show Context | |
| run: | | |
| printenv | |
| echo "$GITHUB_CONTEXT" | |
| shell: bash | |
| env: | |
| GITHUB_CONTEXT: ${{ toJson(github) }} | |
| - name: Check branch and release type | |
| uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3 | |
| with: | |
| release_type: ${{ inputs.release_type }} | |
| - name: Checkout repo | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Scan vulnerabilities | |
| uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 | |
| with: | |
| scan_severity: HIGH,CRITICAL | |
| failure_severity: CRITICAL | |
| scan_type: 'fs' | |
| - name: Set version number | |
| id: version | |
| uses: IABTechLab/uid2-shared-actions/actions/version_number@v3 | |
| with: | |
| type: ${{ env.RELEASE_TYPE }} | |
| branch_name: ${{ github.ref }} | |
| - name: Update pom.xml | |
| run: | | |
| current_version=$(grep -o '<version>.*</version>' pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/') | |
| new_version=${{ steps.version.outputs.new_version }} | |
| sed -i "s/$current_version/$new_version/g" pom.xml | |
| echo "Version number updated from $current_version to $new_version" | |
| - name: Commit pom.xml, version.json and set tag | |
| id: commit-and-tag | |
| uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3 | |
| with: | |
| add: 'pom.xml version.json' | |
| message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}' | |
| tag: v${{ steps.version.outputs.new_version }} | |
| github_token: ${{ github.ref_protected && secrets.GH_MERGE_TOKEN || '' }} | |
| buildPublic: | |
| name: Public Operator | |
| needs: start | |
| uses: ./.github/workflows/publish-public-operator-docker-image.yaml | |
| with: | |
| release_type: ${{ needs.start.outputs.release_type }} | |
| version_number_input: ${{ needs.start.outputs.new_version }} | |
| vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }} | |
| force_release: 'no' # The createRelease job below publishes the single combined Release; the component build must not. | |
| secrets: inherit | |
| buildGCP: | |
| name: GCP Private Operator | |
| needs: start | |
| uses: ./.github/workflows/publish-gcp-oidc-enclave-docker.yaml | |
| with: | |
| release_type: ${{ needs.start.outputs.release_type }} | |
| version_number_input: ${{ needs.start.outputs.new_version }} | |
| commit_sha: ${{ needs.start.outputs.commit_sha }} | |
| vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }} | |
| secrets: inherit | |
| buildAzure: | |
| name: Azure Private Operator | |
| needs: start | |
| uses: ./.github/workflows/publish-azure-cc-enclave-docker.yaml | |
| with: | |
| release_type: ${{ needs.start.outputs.release_type }} | |
| version_number_input: ${{ needs.start.outputs.new_version }} | |
| commit_sha: ${{ needs.start.outputs.commit_sha }} | |
| vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }} | |
| secrets: inherit | |
| buildAWS: | |
| name: AWS Private Operator EIF | |
| needs: start | |
| uses: ./.github/workflows/publish-aws-nitro-eif.yaml | |
| with: | |
| release_type: ${{ needs.start.outputs.release_type }} | |
| version_number_input: ${{ needs.start.outputs.new_version }} | |
| commit_sha: ${{ needs.start.outputs.commit_sha }} | |
| secrets: inherit | |
| buildAMI: | |
| name: Build AWS AMI | |
| needs: [start, buildAWS] | |
| uses: ./.github/workflows/build-uid2-ami.yaml | |
| with: | |
| operator_run_number: ${{ github.run_id }} | |
| secrets: inherit | |
| createRelease: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| # Also publish on scheduled builds, not just manual dispatch: the deployed | |
| # operator versions may come from the daily scheduled run, so | |
| # the uid2-deployment pre-deploy release gate won't hard-block | |
| # any deploy/rollback of a version due to not having a release. | |
| if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' | |
| needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download public manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: public-image-* | |
| path: ./manifests/public_operator | |
| - name: Download GCP manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: gcp-oidc-enclave-ids-* | |
| path: ./manifests/gcp_oidc_operator | |
| - name: Download Azure CC manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: azure-cc-enclave-id-* | |
| path: ./manifests/azure_cc_operator | |
| - name: Download Azure AKS manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: azure-aks-enclave-id-* | |
| path: ./manifests/azure_aks_operator | |
| - name: Download EIF manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: 'aws-eif-enclave-ids-*' | |
| path: ./manifests/aws_eif | |
| - name: Download AWS AMI manifest | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: 'aws-ami-ids-*' | |
| path: ./manifests/aws_ami | |
| - name: Download Deployment Files | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: '*-deployment-files-*' | |
| path: ./deployment | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: uid2-operator-release-${{ needs.start.outputs.new_version }}-manifests | |
| path: ./manifests | |
| - name: Build changelog | |
| id: changelog | |
| uses: mikepenz/release-changelog-builder-action@348e88fab4c37338b1e803ceb2d4a7a5db6c0833 # v6.2.2 | |
| with: | |
| toTag: v${{ needs.start.outputs.new_version }} | |
| configurationJson: | | |
| { | |
| "template": "\n## Integration Guides\n[AWS Marketplace](https://unifiedid.com/docs/guides/operator-guide-aws-marketplace)\n[GCP Confidential Space](https://unifiedid.com/docs/guides/operator-private-gcp-confidential-space)\n[Microsoft Azure](https://unifiedid.com/docs/guides/operator-guide-azure-enclave)\n\n## Installation\n```\ndocker pull us-docker.pkg.dev/uid2-prod-project/iabtechlab/uid2-operator:${{ needs.start.outputs.new_version }}-gcp-oidc\ndocker pull ghcr.io/iabtechlab/uid2-operator:${{ needs.start.outputs.new_version }}-azure-cc\n```\n## Changelog\n#{{CHANGELOG}}\n#{{UNCATEGORIZED}}", | |
| "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" | |
| } | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Zip files | |
| run: | | |
| (cd ./deployment/aws-euid-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip . ) | |
| (cd ./deployment/aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip . ) | |
| (cd ./deployment/azure-cc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip . ) | |
| (cd ./deployment/azure-aks-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip . ) | |
| (cd ./deployment/gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip . ) | |
| (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .) | |
| # Publish as a pre-release (not a draft): durable + fetchable by tag | |
| # without claiming GA. The Major-release approval gate stays the | |
| # check_major job above, and promoting this to Latest in the UI remains | |
| # the deliberate manual GA checkpoint. See UID2-7340. | |
| - name: Create pre-release | |
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 | |
| with: | |
| # tag_name must be explicit. softprops defaults it to github.ref_name | |
| # (the dispatch branch, e.g. main) — not the version tag. The draft | |
| # masked this (a draft carries no tag until manually published); a | |
| # published release needs the tag now or get-by-tag would still 404. | |
| # The v<version> tag already exists (pushed by the start job). UID2-7340. | |
| tag_name: v${{ needs.start.outputs.new_version }} | |
| name: v${{ needs.start.outputs.new_version }} | |
| body: ${{ steps.changelog.outputs.changelog }} | |
| draft: false | |
| prerelease: true | |
| files: | | |
| ./aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip | |
| ./aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip | |
| ./azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip | |
| ./azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip | |
| ./gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip | |
| ./uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip | |
| notifyFailure: | |
| name: Notify Slack on Failure | |
| runs-on: ubuntu-latest | |
| # cancelled() catches the case where a needed job (e.g. buildPublic's | |
| # image job) loses the operator-version-bump-* concurrency group to a | |
| # concurrent standalone dispatch and gets evicted — that surfaces as | |
| # "cancelled", not "failure", and failure() alone would miss it, silently | |
| # reintroducing the no-Release gap this workflow exists to close. | |
| if: (failure() || cancelled()) && github.ref == 'refs/heads/main' | |
| needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI, createRelease] | |
| steps: | |
| - name: Send Slack Alert | |
| env: | |
| SLACK_COLOR: danger | |
| SLACK_MESSAGE: ':x: Operator Pipeline failed' | |
| SLACK_TITLE: Pipeline Failed in ${{ github.workflow }} | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2 |