image: try upstream version of workflow

Author: zarbis

.github/workflows/image.yaml

@@ -3,59 +3,116 @@ name: Image
 on:
   push:
     branches:
-      - "sync-*" # Codefresh change instead of `master`
+      - sync-*
+  pull_request:
+    branches:
+      - sync-*
+    types: [labeled, unlabeled, opened, synchronize, reopened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
-env:
-  GOLANG_VERSION: "1.22"
+permissions: {}
 
 jobs:
-  publish:
-    runs-on: ubuntu-latest
-    env:
-      GOPATH: /home/runner/work/argo-cd/argo-cd
+  set-vars:
+    permissions:
+      contents: read
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    outputs:
+      image-tag: ${{ steps.image.outputs.tag}}
+      platforms: ${{ steps.platforms.outputs.platforms }}
     steps:
-      - uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
-        with:
-          go-version: ${{ env.GOLANG_VERSION }}
       - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-        with:
-          path: src/github.com/argoproj/argo-cd
 
-      # get image tag
-      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
-        working-directory: ./src/github.com/argoproj/argo-cd
+      - name: Set image tag for ghcr
+        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
         id: image
 
-      # build
-      - run: |
-          docker images -a --format "{{.ID}}" | xargs -I {} docker rmi {}
-          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=ghcr.io/codefresh-io IMAGE_TAG=${{ steps.image.outputs.tag }}
-        working-directory: ./src/github.com/argoproj/argo-cd
-      - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker push ghcr.io/codefresh-io/argocd:${{ steps.image.outputs.tag }}
-        env:
-          USERNAME: ${{ github.repository_owner }}
-          PASSWORD: ${{ secrets.TOKEN }}
-      # Codefresh step
-      - name: Push docker image to quay repository
-        env:
-          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
-          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
-          IMAGE_NAMESPACE: quay.io/codefresh
+      - name: Determine image platforms to use
+        id: platforms
         run: |
-          set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
-          docker tag ghcr.io/codefresh-io/argocd:${{ steps.image.outputs.tag }} ${IMAGE_NAMESPACE}/argocd:${{ steps.image.outputs.tag }}
-          docker push ${IMAGE_NAMESPACE}/argocd:${{ steps.image.outputs.tag }}
-      # # deploy
-      # - run: git clone "https://$TOKEN@github.com/codefresh-io/argoproj-deployments"
-      #   env:
-      #     TOKEN: ${{ secrets.TOKEN }}
-      # - run: |
-      #     docker run -v $(pwd):/src -w /src --rm -t lyft/kustomizer:v3.3.0 kustomize edit set image quay.io/argoproj/argocd=ghcr.io/codefresh-io/argocd:${{ steps.image.outputs.tag }}
-      #     git config --global user.email 'integration@codefresh.io'
-      #     git config --global user.name 'CI-Codefresh'
-      #     git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
-      #   if: github.event_name == 'push'
-      #   working-directory: argoproj-deployments/argocd
+          IMAGE_PLATFORMS=linux/amd64
+          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]]
+          then
+            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+          fi
+          echo "Building image for platforms: $IMAGE_PLATFORMS"
+          echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT
+
+  build-only:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
+      go-version: 1.24.1
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: false
+
+  build-and-publish:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: quay.io/codefresh-io/argocd:${{ needs.set-vars.outputs.image-tag }}
+      ghcr_image_name: ghcr.io/codefresh-io/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
+      go-version: 1.24.1
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: true
+    secrets:
+      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      ghcr_username: ${{ github.actor }}
+      ghcr_password: ${{ secrets.GITHUB_TOKEN }}
+
+  # build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
+  #   needs:
+  #     - build-and-publish
+  #   permissions:
+  #     actions: read # for detecting the Github Actions environment.
+  #     id-token: write # for creating OIDC tokens for signing.
+  #     packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+  #   if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+  #   # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+  #   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+  #   with:
+  #     image: ghcr.io/argoproj/argo-cd/argocd
+  #     digest: ${{ needs.build-and-publish.outputs.image-digest }}
+  #     registry-username: ${{ github.actor }}
+  #   secrets:
+  #     registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  # Deploy:
+  #   needs:
+  #     - build-and-publish
+  #     - set-vars
+  #   permissions:
+  #     contents: write # for git to push upgrade commit if not already deployed
+  #     packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+  #   if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+  #   runs-on: ubuntu-22.04
+  #   steps:
+  #     - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+  #     - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
+  #       env:
+  #         TOKEN: ${{ secrets.TOKEN }}
+  #     - run: |
+  #         docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+  #         git config --global user.email 'ci@argoproj.com'
+  #         git config --global user.name 'CI'
+  #         git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
+  #       working-directory: argoproj-deployments/argocd