feat: dirty commit with new promote pipeline

andrpac · andrpac · commit 4311ad83179d · 2025-07-15T15:08:28.000+01:00
diff --git a/.github/actions/image2commit/action.yml b/.github/actions/image2commit/action.yml
@@ -15,7 +15,7 @@ inputs:
 outputs:
   commit_sha:
     description: "Resolved full commit SHA"
-
+    value: ${{ steps.resolve.outputs.commit_sha }}
 runs:
   using: "composite"
   steps:
@@ -37,4 +37,6 @@ runs:
           "${{ inputs.repo }}" \
           "${{ inputs.image_sha }}"
         )
+
+        echo "Raw full_sha: $full_sha"
         echo "commit_sha=$full_sha" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
@@ -16,28 +16,33 @@ on:
         required: false
         default: "latest"
         type: string
-
+  push:
+    branches:
+      - '**'
+        
 permissions:
   contents: write
   pull-requests: write
      
 jobs:
-
-  # Note, the first step is necessary for getting the exact commit from the passed in image_sha
-  # This is because, the release-image step should exactly check out that exact commit
+  # Image2commit: Creates a mapping between the image_sha given as input and the actual git commit
+  # This is necassary for the release-image step that requires checking out that exact git commit
   image2commit:
     name: Resolve Commit SHA from Image
     runs-on: ubuntu-latest
+    environment: release
     outputs:
       commit_sha: ${{ steps.resolve.outputs.commit_sha }}
-
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Log in to Docker registry
         uses: docker/login-action@v3
         with:
           registry: docker.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.ANDRPAC_DOCKER_USERNAME }}
+          password: ${{ secrets.ANDRPAC_DOCKER_PASSWORD }}
 
       - name: Run image2commit
         id: resolve
@@ -56,6 +61,128 @@ jobs:
         run: |
           echo "Resolved commit: ${{ needs.image2commit.outputs.commit_sha }}"
 
+  # Release-image: Created and uploads a release for the specified operator version given in the image_sha
+  # Note, with new releases, all of the release artifacts will be stored withing docs/releases/{release_version}
+  release-image:
+    runs-on: ubuntu-latest
+    environment: release
+    needs: image2commit
+    env:
+      VERSION: ${{ github.event.inputs.version || 'test-0.0.0-dev' }}
+      AUTHORS: ${{ github.event.inputs.authors || 'unknown' }}
+      IMAGE_SHA: ${{ github.event.inputs.image_sha || 'latest' }}
+      DOCKER_SIGNATURE_REPO: docker.io/andrpac/signatures
+      DOCKER_RELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator
+      DOCKER_PRERELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+      QUAY_RELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator
+      QUAY_PRERELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          #ref: $#{{ needs.image2commit.outputs.commit_sha }} !!!!!!!!! SUPER IMPORTNAT TO PUT BACK !!!!!!! 
+
+      - name: Generate GitHub App Token
+        id: generate_token
+        uses: mongodb/apix-action/token@v8
+        with:
+          app-id: ${{ secrets.AKO_RELEASER_APP_ID }}
+          private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }}
+      
+      # Login in into all registries
+      - name: Log in to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.ANDRPAC_DOCKER_USERNAME }}
+          password: ${{ secrets.ANDRPAC_DOCKER_PASSWORD }}
+
+      - name: Log in to Quay registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.ANDRPAC_QUAY_USERNAME }}
+          password: ${{ secrets.ANDRPAC_QUAY_PASSWORD }}
+
+      - name: Install devbox
+        uses: jetify-com/devbox-install-action@v0.13.0
+
+      # This step configures all of the dynamic variables needed for later steps
+      - name: Configure job environment for downstream steps
+        id: tags
+        run: |
+          promoted_tag="promoted-${IMAGE_SHA}"
+          release_tag="${VERSION}"
+          certified_tag="certified-${release_tag}"
+
+          docker_image_url="${DOCKER_RELEASE_REPO}:${release_tag}"
+          quay_image_url="${QUAY_RELEASE_REPO}:${release_tag}"
+          quay_certified_image_url="${QUAY_RELEASE_REPO}:${certified_tag}"
+
+          echo "promoted_tag=$promoted_tag"                         >> $GITHUB_OUTPUT
+          echo "release_tag=$release_tag"                           >> $GITHUB_OUTPUT
+          echo "certified_tag=$certified_tag"                       >> $GITHUB_OUTPUT
+          echo "docker_image_url=$docker_image_url"                 >> $GITHUB_OUTPUT
+          echo "quay_image_url=$quay_image_url"                     >> $GITHUB_OUTPUT
+          echo "quay_certified_image_url=$quay_certified_image_url" >> $GITHUB_OUTPUT
+        
+      # Move prerelease images to official release registries in Docker Hub and Quay 
+      - name: Move image to Docker registry release from prerelease
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.DOCKER_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.DOCKER_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ github.event.inputs.version }}
+
+      - name: Move image to Quay registry release from prerelease
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ github.event.inputs.version }}
+
+      # Create Openshift certified images 
+      - name: Create OpenShift certified image on Quay
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ steps.tags.outputs.certified_tag }}
+
+      # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements
+      - name: Generate deployment configurations
+        uses: ./.github/actions/gen-install-scripts
+        with:
+          ENV: prod
+          IMAGE_URL: ${{ steps.tags.outputs.docker_image_url }}
+
+      - name: Bump Helm chart version
+        run: devbox run -- ./scripts/bump-helm-chart-version.sh
+    
+      # Prepare SDLC requirement: signatures, sboms, compliance reports
+      # Note, signed images will live in mongodb/release and mongodb/signature repos
+      - name: Sign released images
+        run: |
+          devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}"         SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_image_url }}"           SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}"         SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}"
+          devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}"
+        env:
+          PKCS11_URI: ${{ secrets.PKCS11_URI }}
+          GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
+          GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
+
+      - name: Generate SBOMs
+        run: devbox run -- make generate-sboms RELEASED_OPERATOR_IMAGE="${{ env.DOCKER_RELEASE_REPO }}"
+
+      - name: Create SDLC report
+        run: devbox run -- make gen-sdlc-checklist 
+
   prepare-environment:
     name: Set up Environment Variables
     runs-on: ubuntu-latest
@@ -151,7 +278,7 @@ jobs:
           echo "quay_image_url=$quay_image_url"                     >> $GITHUB_OUTPUT
           echo "quay_certified_image_url=$quay_certified_image_url" >> $GITHUB_OUTPUT
 
-  release-image:
+  release-image1:
     runs-on: ubuntu-latest
     if: false
     environment: release
@@ -205,6 +332,7 @@ jobs:
           short_sha="${sha:0:6}"
           echo "promoted_tag=promoted-${short_sha}" >> "$GITHUB_OUTPUT"
 
+      # Move prerelease images to official release registries in Docker Hub and Quay 
       - name: Move image to Docker registry release from prerelease
         run: devbox run -- ./scripts/move-image.sh
         env:
@@ -220,6 +348,15 @@ jobs:
           IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
           IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
           IMAGE_DEST_TAG: ${{ github.event.inputs.version }}
+
+      # Create Openshift certified images 
+      - name: Create OpenShift certified image on Quay
+        run: devbox run -- ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }}
+          IMAGE_DEST_TAG: ${{ steps.tags.outputs.certified_tag }}
       
       - name: Create deploy configurations
         uses: ./.github/actions/gen-install-scripts
