From 2acddef4e0eb0f4d30d053f400b80a7b19d6d62c Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Sun, 26 Apr 2026 20:52:40 -0700
Subject: [PATCH 1/6] Upgrade docker buildx to v0.33.0 to fix deprecated client version error
Signed-off-by: Dom Del Nano
---
docker.properties | 8 ++++----
tools/chef/cookbooks/px_dev_extras/attributes/linux.rb | 4 ++--
tools/chef/cookbooks/px_dev_extras/attributes/mac_os_x.rb | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/docker.properties b/docker.properties
index bb7696c727f..4633b5f35bf 100644
--- a/docker.properties
+++ b/docker.properties
@@ -1,4 +1,4 @@
-DOCKER_IMAGE_TAG=202512082352
-LINTER_IMAGE_DIGEST=441fc5a65697dab0b38627d5afde9e38da6812f1a5b98732b224161c23238e73
-DEV_IMAGE_DIGEST=cac2e8a1c3e70dde4e5089b2383b2e11cc022af467ee430c12416eb42066fbb7
-DEV_IMAGE_WITH_EXTRAS_DIGEST=e84f82d62540e1ca72650f8f7c9c4fe0b32b64a33f04cf0b913b9961527c9e30
+DOCKER_IMAGE_TAG=202604270358
+LINTER_IMAGE_DIGEST=af984e837756bce44089d0f977146aee989b24a12884ba2366b4e6eaf19d9acb
+DEV_IMAGE_DIGEST=e4aec14294cff907e7dc3c4835950a4e166e503d32cae082418971e7f70d86bc
+DEV_IMAGE_WITH_EXTRAS_DIGEST=331a2391941c589d2b6536ae49794460b1097c482a45a11029d96a7d0d8d8030
diff --git a/tools/chef/cookbooks/px_dev_extras/attributes/linux.rb b/tools/chef/cookbooks/px_dev_extras/attributes/linux.rb
index 3504a3c47a1..8607c8193b4 100644
--- a/tools/chef/cookbooks/px_dev_extras/attributes/linux.rb
+++ b/tools/chef/cookbooks/px_dev_extras/attributes/linux.rb
@@ -23,9 +23,9 @@ default['group'] = 'root' default['docker-buildx']['download_path'] = - 'https://github.com/docker/buildx/releases/download/v0.10.4/buildx-v0.10.4.linux-amd64' + 'https://github.com/docker/buildx/releases/download/v0.33.0/buildx-v0.33.0.linux-amd64' default['docker-buildx']['sha256'] = - 'dbe68cdc537d0150fc83e3f30974cd0ca11c179dafbf27f32d6f063be26e869b' + '9426a15411f35f635afef3f5d3bae53155c3e30d26dee430cc968e13d34be49f' default['faq']['download_path'] = 'https://github.com/jzelinskie/faq/releases/download/0.0.7/faq-linux-amd64' diff --git a/tools/chef/cookbooks/px_dev_extras/attributes/mac_os_x.rb b/tools/chef/cookbooks/px_dev_extras/attributes/mac_os_x.rb index 62019de0263..1313526479b 100644 --- a/tools/chef/cookbooks/px_dev_extras/attributes/mac_os_x.rb +++ b/tools/chef/cookbooks/px_dev_extras/attributes/mac_os_x.rb @@ -24,9 +24,9 @@ default['group'] = 'wheel' default['docker-buildx']['download_path'] = - 'https://github.com/docker/buildx/releases/download/v0.10.4/buildx-v0.10.4.darwin-amd64' + 'https://github.com/docker/buildx/releases/download/v0.33.0/buildx-v0.33.0.darwin-amd64' default['docker-buildx']['sha256'] = - '63aadf0095a583963c9613b3bc6e5782c8c56ed881ca9aa65f41896f4267a9ee' + 'b1b5a38f78311cfed70a0e68096df0e9ed7dd1b1fcd09adbb117d74e3bad6f32' default['faq']['download_path'] = 'https://github.com/jzelinskie/faq/releases/download/0.0.7/faq-darwin-amd64' From ed4f6e8e991b7489644442b9592c9d93ca28e072 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Sun, 26 Apr 2026 18:59:32 -0700 Subject: [PATCH 2/6] Fix and modernize release build scripts Improvements to operator and image release scripts that make builds idempotent and resilient to first-time runs against fresh registries 
Signed-off-by: Dom Del Nano --- ci/cli_build_release.sh | 4 ++-- ci/cloud_build_release.sh | 1 + ci/image_utils.sh | 13 ++++++------- ci/operator_build_release.sh | 23 ++++++++++++++--------- ci/vizier_build_release.sh | 1 + 5 files changed, 24 insertions(+), 18 deletions(-) diff --git a/ci/cli_build_release.sh b/ci/cli_build_release.sh index a7846d67c5e..f511025f1d7 100755 --- a/ci/cli_build_release.sh +++ b/ci/cli_build_release.sh @@ -37,7 +37,7 @@ darwin_arm64_binary=$(bazel cquery -c opt //src/pixie_cli:px_darwin_arm64 --outp bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ --repo_path "${repo_path}" --artifact_name cli --versions_file "${versions_file}" -bazel build -c opt --config=stamp //src/pixie_cli:px_darwin_amd64 //src/pixie_cli:px_darwin_arm64 //src/pixie_cli:px +bazel build -c opt --config=stamp --config=x86_64_sysroot //src/pixie_cli:px_darwin_amd64 //src/pixie_cli:px_darwin_arm64 //src/pixie_cli:px # Avoid dealing with bazel's symlinks by copying binaries into a temp dir. binary_dir="$(mktemp -d)" @@ -49,7 +49,7 @@ cp "${darwin_arm64_binary}" "${binary_dir}" darwin_arm64_binary="${binary_dir}/$(basename "${darwin_arm64_binary}")" # Create and push docker image. -bazel run -c opt --config=stamp //src/pixie_cli:push_px_image +bazel run -c opt --config=stamp --config=x86_64_sysroot //src/pixie_cli:push_px_image if [[ ! "$release_tag" == *"-"* ]]; then # Create rpm package. diff --git a/ci/cloud_build_release.sh b/ci/cloud_build_release.sh index 132844f5086..e7e21b98054 100755 --- a/ci/cloud_build_release.sh +++ b/ci/cloud_build_release.sh @@ -38,6 +38,7 @@ image_repo="gcr.io/pixie-oss/pixie-prod" bazel run -c opt \ --config=stamp \ + --config=x86_64_sysroot \ --action_env=GOOGLE_APPLICATION_CREDENTIALS \ --//k8s:image_repository="${image_repo}" \ --//k8s:image_version="${release_tag}" \ diff --git a/ci/image_utils.sh b/ci/image_utils.sh index 674e4d9a47b..f804b7c9c29 100644 --- a/ci/image_utils.sh +++ b/ci/image_utils.sh 
@@ -42,14 +42,13 @@ push_multiarch_image() { x86_image="${multiarch_image}-x86_64" aarch64_image="${multiarch_image}-aarch64" echo "Building ${multiarch_image} manifest" - # If the multiarch manifest list already exists locally, remove it before building a new one. - # otherwise, the docker manifest create step will fail because it can't amend manifests to an existing image. - # We could use the --amend flag to `manifest create` but it doesn't seem to overwrite existing images with the same tag, - # instead it seems to just ignore images that already exist in the local manifest. - docker manifest rm "${multiarch_image}" || true - docker manifest create "${multiarch_image}" "${x86_image}" "${aarch64_image}" - pushed_digest=$(docker manifest push "${multiarch_image}") + crane index append \ + --manifest "${x86_image}" \ + --manifest "${aarch64_image}" \ + --tag "${multiarch_image}" + + pushed_digest=$(crane digest "${multiarch_image}") sign_image "${multiarch_image}" "${pushed_digest}" } diff --git a/ci/operator_build_release.sh b/ci/operator_build_release.sh index f47d9dd75e1..ad3923d29ab 100755 --- a/ci/operator_build_release.sh +++ b/ci/operator_build_release.sh @@ -35,7 +35,7 @@ bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ # Find the previous bundle version, which this release should replace. tags=$(git for-each-ref --sort='-*authordate' --format '%(refname:short)' refs/tags \ - | grep "release/operator" | grep -v "\-") + | grep "release/operator" | grep -v "\-" || true) image_repo="gcr.io/pixie-oss/pixie-prod" image_paths=$(bazel cquery //k8s/operator:image_bundle \ @@ -46,8 +46,6 @@ image_paths=$(bazel cquery //k8s/operator:image_bundle \ image_path=$(echo "${image_paths}" | grep -v deleter) deleter_image_path=$(echo "${image_paths}" | grep deleter) -bucket="pixie-dev-public" - channel="stable" channels="stable,dev" # The previous version should be the 2nd item in the tags. Since this is a release build, 
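Review bot: In the ci/image_utils.sh hunk, `pushed_digest=$(crane digest "${multiarch_image}")` resolves the tag with a second registry lookup instead of taking the digest of the index that was just pushed, so `sign_image` signs whatever the tag points to at that moment. If `crane index append` fails without aborting the script (the error-handling mode is not visible in this hunk) or the tag is moved by a concurrent push, the signature could land on an index this job did not build. Checking that the resolved index references both per-arch digests before signing closes that gap; the sketch below assumes the per-arch tags are single-platform manifests, which should be confirmed. push_multiarch_image starts outside the hunk.

```shell
pushed_digest=$(crane digest "${multiarch_image}")
# Refuse to sign unless the resolved index references both per-arch images built above.
index_manifest=$(crane manifest "${multiarch_image}")
for arch_image in "${x86_image}" "${aarch64_image}"; do
  arch_digest=$(crane digest "${arch_image}")
  if [[ "${index_manifest}" != *"${arch_digest}"* ]]; then
    echo "Index ${multiarch_image} does not reference ${arch_image} (${arch_digest})" >&2
    return 1
  fi
done
# … unchanged: sign_image call …
```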
@@ -77,12 +75,21 @@ mkdir "${tmp_dir}/manifests" previous_version=${prev_tag//*\/v/} +index_image="gcr.io/pixie-oss/pixie-prod/operator/bundle_index:0.0.1" +# Don't set replaces when bootstrapping a fresh index, since the previous bundle won't exist. +from_index_args=() +if crane manifest "${index_image}" > /dev/null; then + from_index_args=(--from-index "${index_image}") +else + previous_version="" +fi + kustomize build "$(pwd)/k8s/operator/crd/base" > "${kustomize_dir}/crd.yaml" kustomize build "$(pwd)/k8s/operator/deployment/base" -o "${kustomize_dir}" #shellcheck disable=SC2016 faq -f yaml -o yaml --slurp ' - .[0].spec.replaces = $previousName | + (if $previousName != "" then .[0].spec.replaces = $previousName else . end) | .[0].metadata.name = $name | .[0].spec.version = $version | .[0].spec.install = {strategy: "deployment", spec:{ @@ -95,7 +102,7 @@ faq -f yaml -o yaml --slurp ' "${kustomize_dir}/rbac.authorization.k8s.io_v1_clusterrole_pixie-operator-role.yaml" \ "${kustomize_dir}/rbac.authorization.k8s.io_v1_clusterrolebinding_pixie-operator-cluster-binding.yaml" \ --kwargs version="${release_tag}" --kwargs name="pixie-operator.v${bundle_version}" \ - --kwargs previousName="pixie-operator.v${previous_version}" \ + --kwargs previousName="${previous_version:+pixie-operator.v${previous_version}}" \ --kwargs image="${image_path}" > "${tmp_dir}/manifests/csv.yaml" faq -f yaml -o yaml --slurp '.[0]' "${kustomize_dir}/crd.yaml" > "${tmp_dir}/manifests/crd.yaml" 
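Review bot: The `if crane manifest "${index_image}" > /dev/null` test in the `@@ -77,12 +75,21 @@` hunk treats every failure as "the index does not exist yet", so an expired credential, a network error or a rate limit also takes the bootstrap branch. On that branch `previous_version` is cleared and `--from-index` is dropped, and the later `opm index add ... --tag "${index_image}"` followed by the buildx push would then replace the published index with one that holds only the new bundle. Only a definite not-found answer from the registry should select the bootstrap path; anything else should stop the release. The error codes matched below are the OCI distribution ones and the exact text the target registry returns should be confirmed.

```shell
from_index_args=()
if crane_err=$(crane manifest "${index_image}" 2>&1 > /dev/null); then
  from_index_args=(--from-index "${index_image}")
elif [[ "${crane_err}" == *"MANIFEST_UNKNOWN"* || "${crane_err}" == *"NAME_UNKNOWN"* ]]; then
  # Only a definite "not found" means a fresh index; don't set replaces in that case.
  previous_version=""
else
  echo "Unable to query ${index_image}: ${crane_err}" >&2
  exit 1
fi
```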
@@ -109,20 +116,18 @@ mv "$(pwd)/k8s/operator/helm/templates/deleter_tmp.yaml" "$(pwd)/k8s/operator/he # Build and push bundle. cd "${tmp_dir}" bundle_image="gcr.io/pixie-oss/pixie-prod/operator/bundle:${release_tag}" -index_image="gcr.io/pixie-oss/pixie-prod/operator/bundle_index:0.0.1" -docker buildx create --name builder --driver docker-container --bootstrap +docker buildx inspect builder > /dev/null 2>&1 || docker buildx create --name builder --driver docker-container --bootstrap docker buildx use builder opm alpha bundle generate --package pixie-operator --channels "${channels}" --default "${channel}" --directory manifests docker buildx build --platform linux/amd64,linux/arm64 -t "${bundle_image}" --push -f bundle.Dockerfile . -opm index add --bundles "${bundle_image}" --from-index "${index_image}" --tag "${index_image}" --generate --out-dockerfile="${tmp_dir}/index.Dockerfile" -u docker +opm index add --bundles "${bundle_image}" "${from_index_args[@]}" --tag "${index_image}" --generate --out-dockerfile="${tmp_dir}/index.Dockerfile" -u docker docker buildx build --platform linux/amd64,linux/arm64 -t "${index_image}" --push -f "${tmp_dir}/index.Dockerfile" . cd "${repo_path}" # Upload templated YAMLs. -output_path="gs://${bucket}/operator/${release_tag}" bazel build //k8s/operator:operator_templates yamls_tar="${repo_path}/bazel-bin/k8s/operator/operator_templates.tar" diff --git a/ci/vizier_build_release.sh b/ci/vizier_build_release.sh index bc044292f9a..289f0d3634c 100755 --- a/ci/vizier_build_release.sh +++ b/ci/vizier_build_release.sh @@ -40,6 +40,7 @@ image_repo="gcr.io/pixie-oss/pixie-prod" push_all_multiarch_images "//k8s/vizier:vizier_images_push" "//k8s/vizier:list_image_bundle" "${release_tag}" "${image_repo}" bazel build -c opt \ + --config=clang \ --config=stamp \ --//k8s:image_repository="${image_repo}" \ --//k8s:image_version="${release_tag}" \ From 4acc0e08eb6f878b5d6eb6cc805a248f28b2bae6 Mon Sep 17 00:00:00 2001 
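Review bot: `"${from_index_args[@]}"` on the `opm index add` line expands an array that is empty on the bootstrap path, and bash releases before 4.4 treat that expansion as an unbound variable when `set -u` is active. Whether the script enables `set -u` and which bash the build image ships are not visible in this hunk, so this may be harmless here. The portable spelling is `${from_index_args[@]+"${from_index_args[@]}"}`, and it matters most on exactly the first-run path this series is meant to support.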
From: Dom Del Nano Date: Sun, 26 Apr 2026 19:05:14 -0700 Subject: [PATCH 3/6] Parameterize image registry via IMAGE_REPO Lets cloud/operator/vizier release builds push to a configurable container registry while preserving upstream's current gcr.io/pixie-oss/pixie-prod default. The registry can now be overridden via the IMAGE_REPO env var (set in workflow env from vars.IMAGE_REPO with a fallback). For operator, bundle_image and index_image now derive from image_repo so they track the same registry Signed-off-by: Dom Del Nano --- .github/workflows/cloud_release.yaml | 1 + .github/workflows/operator_release.yaml | 1 + .github/workflows/vizier_release.yaml | 1 + ci/cloud_build_release.sh | 2 +- ci/operator_build_release.sh | 6 +++--- ci/vizier_build_release.sh | 2 +- 6 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cloud_release.yaml b/.github/workflows/cloud_release.yaml index ff49ea2cf35..ff160347daf 100644 --- a/.github/workflows/cloud_release.yaml +++ b/.github/workflows/cloud_release.yaml @@ -49,6 +49,7 @@ jobs: COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" diff --git a/.github/workflows/operator_release.yaml b/.github/workflows/operator_release.yaml index d5db686663d..dc1821ee8c8 100644 --- a/.github/workflows/operator_release.yaml +++ b/.github/workflows/operator_release.yaml @@ -52,6 +52,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} GH_REPO: ${{ github.repository }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" 
diff --git a/.github/workflows/vizier_release.yaml b/.github/workflows/vizier_release.yaml index 12d722cfaf4..24ccb555cc8 100644 --- a/.github/workflows/vizier_release.yaml +++ b/.github/workflows/vizier_release.yaml @@ -52,6 +52,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} GH_REPO: ${{ github.repository }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" diff --git a/ci/cloud_build_release.sh b/ci/cloud_build_release.sh index e7e21b98054..9e0518d9ed1 100755 --- a/ci/cloud_build_release.sh +++ b/ci/cloud_build_release.sh @@ -34,7 +34,7 @@ if [[ "${release_tag}" == *"-"* ]]; then fi echo "The image tag is: ${release_tag}" -image_repo="gcr.io/pixie-oss/pixie-prod" +image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" bazel run -c opt \ --config=stamp \ diff --git a/ci/operator_build_release.sh b/ci/operator_build_release.sh index ad3923d29ab..bf80f98899f 100755 --- a/ci/operator_build_release.sh +++ b/ci/operator_build_release.sh @@ -37,7 +37,7 @@ bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ tags=$(git for-each-ref --sort='-*authordate' --format '%(refname:short)' refs/tags \ | grep "release/operator" | grep -v "\-" || true) -image_repo="gcr.io/pixie-oss/pixie-prod" +image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" image_paths=$(bazel cquery //k8s/operator:image_bundle \ --//k8s:image_repository="${image_repo}" \ --//k8s:image_version="${release_tag}" \ @@ -75,7 +75,7 @@ mkdir "${tmp_dir}/manifests" previous_version=${prev_tag//*\/v/} -index_image="gcr.io/pixie-oss/pixie-prod/operator/bundle_index:0.0.1" +index_image="${image_repo}/operator/bundle_index:0.0.1" # Don't set replaces when bootstrapping a fresh index, since the previous bundle won't exist. from_index_args=() if crane manifest "${index_image}" > /dev/null; then 
@@ -115,7 +115,7 @@ mv "$(pwd)/k8s/operator/helm/templates/deleter_tmp.yaml" "$(pwd)/k8s/operator/he # Build and push bundle. cd "${tmp_dir}" -bundle_image="gcr.io/pixie-oss/pixie-prod/operator/bundle:${release_tag}" +bundle_image="${image_repo}/operator/bundle:${release_tag}" docker buildx inspect builder > /dev/null 2>&1 || docker buildx create --name builder --driver docker-container --bootstrap docker buildx use builder diff --git a/ci/vizier_build_release.sh b/ci/vizier_build_release.sh index 289f0d3634c..2d6b8778b10 100755 --- a/ci/vizier_build_release.sh +++ b/ci/vizier_build_release.sh @@ -35,7 +35,7 @@ echo "The release tag is: ${release_tag}" bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ --repo_path "${repo_path}" --artifact_name vizier --versions_file "${versions_file}" -image_repo="gcr.io/pixie-oss/pixie-prod" +image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" push_all_multiarch_images "//k8s/vizier:vizier_images_push" "//k8s/vizier:list_image_bundle" "${release_tag}" "${image_repo}" From f12f974ead87638f26084a2cc8d6f59b854765ab Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Sun, 26 Apr 2026 19:08:13 -0700 Subject: [PATCH 4/6] Parameterize buildbot identity and GH_REPO Lets release workflows be reused unchanged across forks. Buildbot identity (user.name/user.email) now reads from vars.BUILDBOT_NAME / vars.BUILDBOT_EMAIL with the existing pixie-io values as fallbacks. GH_REPO is now propagated from the workflow to cli/cloud build scripts (operator/vizier already passed it), so artifact_utils.sh no longer relies on a fork-specific default. The default chain falls through GITHUB_REPOSITORY (auto-set by Actions) before the pixie-io/pixie literal. 
Signed-off-by: Dom Del Nano --- .github/workflows/cli_release.yaml | 5 +++-- .github/workflows/cloud_release.yaml | 4 ++-- .github/workflows/operator_release.yaml | 8 ++++---- .github/workflows/vizier_release.yaml | 8 ++++---- ci/artifact_utils.sh | 2 +- 5 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml index ba7a5101002..8a832f721af 100644 --- a/.github/workflows/cli_release.yaml +++ b/.github/workflows/cli_release.yaml @@ -54,6 +54,7 @@ jobs: BUILD_NUMBER: ${{ github.run_attempt }} JOB_NAME: ${{ github.job }} GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} + GH_REPO: ${{ github.repository }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" @@ -217,8 +218,8 @@ jobs: env: BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} run: | - git config --global user.name 'pixie-io-buildbot' - git config --global user.email 'build@pixielabs.ai' + git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}" + git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}" git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}" git config --global commit.gpgsign true - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 diff --git a/.github/workflows/cloud_release.yaml b/.github/workflows/cloud_release.yaml index ff160347daf..41552f1e401 100644 --- a/.github/workflows/cloud_release.yaml +++ b/.github/workflows/cloud_release.yaml @@ -50,6 +50,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} + GH_REPO: ${{ github.repository }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" 
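Review bot: The two `git config` lines in the `@@ -217,8 +218,8 @@` hunk of cli_release.yaml expand `${{ vars.BUILDBOT_NAME || ... }}` and `${{ vars.BUILDBOT_EMAIL || ... }}` directly inside the `run:` script, so the variable text becomes shell source before bash parses it, in a step that also configures commit signing. A value containing a double quote or a command substitution would change what the step executes. The rest of this series passes configurable values through `env:` (`GH_REPO`, `IMAGE_REPO`), and the same pattern fits here: add `BUILDBOT_NAME: ${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}` under `env:` and write `git config --global user.name "${BUILDBOT_NAME}"`, likewise for the email. The same construct appears in the operator_release.yaml and vizier_release.yaml hunks of this patch.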
@@ -77,8 +78,7 @@ jobs: env: REF: ${{ github.event.ref }} GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }} - OWNER: pixie-io - REPO: pixie + GH_REPO: ${{ github.repository }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" diff --git a/.github/workflows/operator_release.yaml b/.github/workflows/operator_release.yaml index dc1821ee8c8..12de324bd27 100644 --- a/.github/workflows/operator_release.yaml +++ b/.github/workflows/operator_release.yaml @@ -128,8 +128,8 @@ jobs: env: GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key" run: | - git config --global user.name 'pixie-io-buildbot' - git config --global user.email 'build@pixielabs.ai' + git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}" + git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}" - name: Push Helm YAML to gh-pages shell: bash env: @@ -172,8 +172,8 @@ jobs: env: BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} run: | - git config --global user.name 'pixie-io-buildbot' - git config --global user.email 'build@pixielabs.ai' + git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}" + git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}" git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}" git config --global commit.gpgsign true - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 diff --git a/.github/workflows/vizier_release.yaml b/.github/workflows/vizier_release.yaml index 24ccb555cc8..fea779639b2 100644 --- a/.github/workflows/vizier_release.yaml +++ b/.github/workflows/vizier_release.yaml 
@@ -135,8 +135,8 @@ jobs: env: GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key" run: | - git config --global user.name 'pixie-io-buildbot' - git config --global user.email 'build@pixielabs.ai' + git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}" + git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}" - name: Push Helm YAML to gh-pages shell: bash env: @@ -179,8 +179,8 @@ jobs: env: BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} run: | - git config --global user.name 'pixie-io-buildbot' - git config --global user.email 'build@pixielabs.ai' + git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}" + git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}" git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}" git config --global commit.gpgsign true - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 diff --git a/ci/artifact_utils.sh b/ci/artifact_utils.sh index f79257dcad3..a1eec1a7760 100644 --- a/ci/artifact_utils.sh +++ b/ci/artifact_utils.sh @@ -17,7 +17,7 @@ # SPDX-License-Identifier: Apache-2.0 gh_artifacts_dir="${ARTIFACTS_DIR}" -gh_repo="${GH_REPO:-pixie-io/pixie}" +gh_repo="${GH_REPO:-${GITHUB_REPOSITORY:-pixie-io/pixie}}" workspace=$(git rev-parse --show-toplevel) mirrors_file="${workspace}/ci/artifact_mirrors.yaml" From 04d5def83cd62499723b13b7a35f613a05fbc5a8 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Sun, 26 Apr 2026 20:25:13 -0700 Subject: [PATCH 5/6] Drop GCS release path; push images and helm charts to GHCR 
Signed-off-by: Dom Del Nano --- .github/workflows/cli_release.yaml | 34 +++++++++++------------ .github/workflows/cloud_release.yaml | 16 ++++++----- .github/workflows/operator_release.yaml | 23 +++++++--------- .github/workflows/vizier_release.yaml | 30 +++++++-------------- ci/artifact_mirrors.yaml | 5 ---- ci/cli_merge_sign.sh | 9 +------ ci/cloud_build_release.sh | 9 ++----- ci/operator_build_release.sh | 2 +- ci/operator_helm_build_release.sh | 36 +++---------------------- ci/vizier_build_release.sh | 2 +- 10 files changed, 55 insertions(+), 111 deletions(-) diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml index 8a832f721af..44f4d5e1b93 100644 --- a/.github/workflows/cli_release.yaml +++ b/.github/workflows/cli_release.yaml @@ -17,6 +17,9 @@ jobs: name: Build Release runs-on: oracle-16cpu-64gb-x86-64 needs: get-dev-image + permissions: + contents: read + packages: write container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} env: @@ -42,10 +45,12 @@ jobs: BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} run: | echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import - - id: gcloud-creds - uses: ./.github/actions/gcloud_creds + - name: Login to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: - SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} - name: Build & Push Artifacts env: REF: ${{ github.event.ref }} @@ -53,8 +58,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_NUMBER: ${{ github.run_attempt }} JOB_NAME: ${{ github.job }} - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} GH_REPO: ${{ github.repository }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" 
@@ -62,18 +67,14 @@ jobs: export ARTIFACTS_DIR="$(realpath artifacts/)" ./ci/save_version_info.sh ./ci/cli_build_release.sh + # Despite the name, linux-artifacts also contains the unsigned darwin + # binaries (cli_darwin_{amd64,arm64}_unsigned). sign-release downloads + # this artifact to feed cli_merge_sign.sh. - name: Upload Github Artifacts uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: linux-artifacts path: artifacts/ - - name: Update GCS Manifest - env: - ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public" - # Use the old style versions file instead of the new updates for the gcs manifest. - MANIFEST_UPDATES: "" - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} - run: ./ci/update_artifact_manifest.sh - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: artifact-upload-log @@ -88,6 +89,10 @@ jobs: fetch-depth: 0 - name: Add pwd to git safe dir run: git config --global --add safe.directory `pwd` + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: linux-artifacts + path: artifacts/ - name: Install gon run: brew install Bearer/tap/gon - name: Sign CLI release @@ -102,7 +107,6 @@ jobs: export CERT_PATH="pixie.cert" echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH" export TAG_NAME="${REF#*/tags/}" - mkdir -p "artifacts/" export ARTIFACTS_DIR="$(pwd)/artifacts" ./ci/cli_merge_sign.sh - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -132,10 +136,6 @@ jobs: BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} run: | echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import - - id: gcloud-creds - uses: ./.github/actions/gcloud_creds - with: - SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} - name: Add pwd to git safe dir run: | git config --global --add safe.directory `pwd` 
@@ -143,8 +143,8 @@ jobs: env: REF: ${{ github.event.ref }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} ARTIFACT_UPLOAD_LOG: "artifact_uploads.json" + GH_REPO: ${{ github.repository }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" diff --git a/.github/workflows/cloud_release.yaml b/.github/workflows/cloud_release.yaml index 41552f1e401..039367b2682 100644 --- a/.github/workflows/cloud_release.yaml +++ b/.github/workflows/cloud_release.yaml @@ -17,6 +17,9 @@ jobs: name: Build Release runs-on: oracle-16cpu-64gb-x86-64 needs: get-dev-image + permissions: + contents: read + packages: write container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} steps: @@ -30,15 +33,17 @@ jobs: with: download_toplevel: 'true' BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} - - id: gcloud-creds - uses: ./.github/actions/gcloud_creds - with: - SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} - name: Import GPG key env: BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} run: | echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import + - name: Login to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} - name: Build & Push Artifacts env: REF: ${{ github.event.ref }} @@ -47,9 +52,8 @@ jobs: GH_API_KEY: ${{ secrets.GITHUB_TOKEN }} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} - IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }} GH_REPO: ${{ github.repository }} shell: bash run: | 
diff --git a/.github/workflows/operator_release.yaml b/.github/workflows/operator_release.yaml index 12de324bd27..947b1f00006 100644 --- a/.github/workflows/operator_release.yaml +++ b/.github/workflows/operator_release.yaml @@ -17,6 +17,9 @@ jobs: name: Build Release runs-on: oracle-16cpu-64gb-x86-64 needs: get-dev-image + permissions: + contents: read + packages: write container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} env: @@ -33,15 +36,17 @@ jobs: with: download_toplevel: 'true' BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} - - id: gcloud-creds - uses: ./.github/actions/gcloud_creds - with: - SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} - name: Import GPG key env: BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} run: | echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import + - name: Login to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} - name: Build & Push Artifacts env: REF: ${{ github.event.ref }} @@ -49,10 +54,9 @@ jobs: JOB_NAME: ${{ github.job }} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} GH_REPO: ${{ github.repository }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} - IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" 
@@ -61,13 +65,6 @@ jobs: mkdir -p "${ARTIFACTS_DIR}" ./ci/save_version_info.sh ./ci/operator_build_release.sh - - name: Update GCS Manifest - env: - ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public" - # Use the old style versions file instead of the new updates for the gcs manifest. - MANIFEST_UPDATES: "" - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} - run: ./ci/update_artifact_manifest.sh - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: manifest-updates diff --git a/.github/workflows/vizier_release.yaml b/.github/workflows/vizier_release.yaml index fea779639b2..e12996f9447 100644 --- a/.github/workflows/vizier_release.yaml +++ b/.github/workflows/vizier_release.yaml @@ -17,6 +17,9 @@ jobs: name: Build Release runs-on: oracle-16cpu-64gb-x86-64 needs: get-dev-image + permissions: + contents: read + packages: write container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} env: @@ -33,15 +36,17 @@ jobs: with: download_toplevel: 'true' BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} - - id: gcloud-creds - uses: ./.github/actions/gcloud_creds - with: - SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }} - name: Import GPG key env: BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }} run: | echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import + - name: Login to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} - name: Build & Push Artifacts env: REF: ${{ github.event.ref }} 
@@ -49,10 +54,9 @@ jobs: JOB_NAME: ${{ github.job }} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }} GH_REPO: ${{ github.repository }} - IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }} + IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }} shell: bash run: | export TAG_NAME="${REF#*/tags/}" @@ -61,20 +65,6 @@ jobs: export INDEX_FILE="$(pwd)/index.yaml" ./ci/save_version_info.sh ./ci/vizier_build_release.sh - - name: Build & Export Docs - env: - PXL_DOCS_GCS_PATH: "gs://pixie-dev-public/pxl-docs.json" - run: | - docs="$(mktemp)" - bazel run //src/carnot/docstring:docstring -- --output_json "${docs}" - gsutil cp "${docs}" "${PXL_DOCS_GCS_PATH}" - - name: Update GCS Manifest - env: - ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public" - # Use the old style versions file instead of the new updates for the gcs manifest. - MANIFEST_UPDATES: "" - GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} - run: ./ci/update_artifact_manifest.sh - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: manifest-updates diff --git a/ci/artifact_mirrors.yaml b/ci/artifact_mirrors.yaml index 003abc5de89..987ec90912f 100644 --- a/ci/artifact_mirrors.yaml +++ b/ci/artifact_mirrors.yaml @@ -4,8 +4,3 @@ - name: gh-releases type: gh-releases url_format: 'https://github.com/${gh_repo}/releases/download/release/${component}/v${version}/${artifact_name}' -- name: pixie-oss-gcs - type: gcs - bucket: pixie-dev-public - path_format: '${component}/${version}/${artifact_name}' - url_format: 'https://storage.googleapis.com/pixie-dev-public/${component}/${version}/${artifact_name}' diff --git a/ci/cli_merge_sign.sh b/ci/cli_merge_sign.sh index fbbe23c7106..af2b8ffed5f 100755 --- a/ci/cli_merge_sign.sh +++ b/ci/cli_merge_sign.sh 
@@ -33,16 +33,9 @@ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYCHAI security default-keychain -s "${KEYCHAIN_PATH}" security find-identity -v -release_tag=${TAG_NAME##*/v} -bucket="pixie-dev-public" -ARTIFACT_BASE_PATH="https://storage.googleapis.com/${bucket}/cli" - for arch in amd64 arm64 do - url="${ARTIFACT_BASE_PATH}/${release_tag}/cli_darwin_${arch}_unsigned" - rm -f "cli_darwin_${arch}_unsigned" - wget "${url}" - mv "cli_darwin_${arch}_unsigned" "cli_darwin_${arch}" + cp "${artifacts_dir}/cli_darwin_${arch}_unsigned" "cli_darwin_${arch}" done # Create a universal binary. diff --git a/ci/cloud_build_release.sh b/ci/cloud_build_release.sh index 9e0518d9ed1..397acaef7f2 100755 --- a/ci/cloud_build_release.sh +++ b/ci/cloud_build_release.sh @@ -34,12 +34,11 @@ if [[ "${release_tag}" == *"-"* ]]; then fi echo "The image tag is: ${release_tag}" -image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" +image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}" bazel run -c opt \ --config=stamp \ --config=x86_64_sysroot \ - --action_env=GOOGLE_APPLICATION_CREDENTIALS \ --//k8s:image_repository="${image_repo}" \ --//k8s:image_version="${release_tag}" \ //k8s/cloud:cloud_images_push 
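Review bot: `artifacts_dir` in the new `cp` line is not assigned anywhere in this hunk, and if it is empty the source path silently becomes `/cli_darwin_${arch}_unsigned`. `cp "${artifacts_dir:?}/cli_darwin_${arch}_unsigned" "cli_darwin_${arch}"` makes that case fail with a clear message; the assignment, if there is one, sits above line 33 and outside the hunk. Because the copied file is what the keychain identity configured above goes on to sign, a short comment saying where the directory is populated (presumably the artifact download in the sign-release job) would let a reader confirm that only this run's build output reaches the signing step.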
@@ -53,17 +52,13 @@ done < <(bazel run -c opt \ --//k8s:image_version="${release_tag}" \ //k8s/cloud:list_image_bundle) -all_licenses_opts=("//tools/licenses:all_licenses" "--action_env=GOOGLE_APPLICATION_CREDENTIALS" "--remote_download_outputs=toplevel") +all_licenses_opts=("//tools/licenses:all_licenses" "--remote_download_outputs=toplevel") all_licenses_path="$(bazel cquery "${all_licenses_opts[@]}" --output starlark --starlark:expr "target.files.to_list()[0].path" 2> /dev/null)" bazel build "${all_licenses_opts[@]}" upload_artifact_to_mirrors "cloud" "${release_tag}" "${all_licenses_path}" "licenses.json" -# The licenses file uses a non-standard path (outside of the "component/version/artifact" convention) -# so for now we'll also copy it to the legacy path. -gsutil cp "${all_licenses_path}" "gs://pixie-dev-public/oss-licenses/${release_tag}.json" if [[ "${release}" == "true" ]]; then upload_artifact_to_mirrors "cloud" "latest" "${all_licenses_path}" "licenses.json" - gsutil cp "${all_licenses_path}" "gs://pixie-dev-public/oss-licenses/latest.json" fi # Write YAMLs + image paths to a tar file to support easy deployment. diff --git a/ci/operator_build_release.sh b/ci/operator_build_release.sh index bf80f98899f..2ff58d7cb77 100755 --- a/ci/operator_build_release.sh +++ b/ci/operator_build_release.sh @@ -37,7 +37,7 @@ bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ tags=$(git for-each-ref --sort='-*authordate' --format '%(refname:short)' refs/tags \ | grep "release/operator" | grep -v "\-" || true) -image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" +image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}" image_paths=$(bazel cquery //k8s/operator:image_bundle \ --//k8s:image_repository="${image_repo}" \ --//k8s:image_version="${release_tag}" \ diff --git a/ci/operator_helm_build_release.sh b/ci/operator_helm_build_release.sh index 3c5d415be21..06c7e16b2ec 100755 --- a/ci/operator_helm_build_release.sh +++ b/ci/operator_helm_build_release.sh 
@@ -36,11 +36,6 @@ tmp_dir="$(mktemp -d)" index_file="${INDEX_FILE:?}" gh_repo="${GH_REPO:?}" -helm_gcs_bucket="pixie-operator-charts" -if [[ $VERSION == *"-"* ]]; then - helm_gcs_bucket="pixie-operator-charts-dev" -fi - repo_path=$(pwd) # shellcheck source=ci/artifact_utils.sh . "${repo_path}/ci/artifact_utils.sh" 
@@ -60,37 +55,12 @@ helm_tmpl_checks="$(cat "${repo_path}/k8s/operator/helm/olm_template_checks.tmpl find "${repo_path}/k8s/operator/helm/templates" -type f -exec sed -i "/HELM_DEPLOY_OLM_PLACEHOLDER/c\\${helm_tmpl_checks}" {} \; rm "${repo_path}/k8s/operator/helm/olm_template_checks.tmpl" -# Fetch all of the current charts in GCS, because generating the index needs all pre-existing tar versions present. -mkdir -p "${tmp_dir}/${helm_gcs_bucket}" -gsutil rsync "gs://${helm_gcs_bucket}" "${tmp_dir}/${helm_gcs_bucket}" - # Generates tgz for the new release helm3 chart. -helm package "${helm_path}" -d "${tmp_dir}/${helm_gcs_bucket}" - -# Create release for Helm2. -mkdir "${helm_path}2" - -# Create Chart.yaml for this release for Helm2. -echo "apiVersion: v1 -name: pixie-operator-helm2-chart -type: application -version: ${VERSION}" > "${helm_path}2/Chart.yaml" - -cp -r "${helm_path}/templates" "${helm_path}2/templates" -cp "${helm_path}/values.yaml" "${helm_path}2/values.yaml" - -# Generates tgz for the new release helm3 chart. -helm package "${helm_path}2" -d "${tmp_dir}/${helm_gcs_bucket}" - -# Update the index file. -helm repo index "${tmp_dir}/${helm_gcs_bucket}" --url "https://${helm_gcs_bucket}.storage.googleapis.com" - -upload_artifact_to_mirrors "operator" "${VERSION}" "${tmp_dir}/${helm_gcs_bucket}/pixie-operator-chart-${VERSION}.tgz" "pixie-operator-chart-${VERSION}.tgz" +helm package "${helm_path}" -d "${tmp_dir}/helm_chart" -# Upload the new index and tar to gcs by syncing. This will help keep the timestamps for pre-existing tars the same. -gsutil rsync "${tmp_dir}/${helm_gcs_bucket}" "gs://${helm_gcs_bucket}" +upload_artifact_to_mirrors "operator" "${VERSION}" "${tmp_dir}/helm_chart/pixie-operator-chart-${VERSION}.tgz" "pixie-operator-chart-${VERSION}.tgz" -# Generate separate index file for GH. +# Generate index file for GH. mkdir -p "${tmp_dir}/gh_helm_chart" helm package "${helm_path}" -d "${tmp_dir}/gh_helm_chart" # Pull index file. 
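Review bot: The chart is packaged twice, once into `${tmp_dir}/helm_chart` for `upload_artifact_to_mirrors` and again into `${tmp_dir}/gh_helm_chart` for the index, and nothing here ensures the two tarballs are byte-identical. If `helm package` output differs between runs (archive timestamps, for example), the digest recorded in the index would not match the file uploaded to the mirrors. Packaging once avoids the question: move `mkdir -p "${tmp_dir}/gh_helm_chart"` and its `helm package` line above the upload and pass `"${tmp_dir}/gh_helm_chart/pixie-operator-chart-${VERSION}.tgz"` to `upload_artifact_to_mirrors`. The index generation is below the hunk, so which tarball it hashes is inferred.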
diff --git a/ci/vizier_build_release.sh b/ci/vizier_build_release.sh index 2d6b8778b10..f3f5bc9cb0e 100755 --- a/ci/vizier_build_release.sh +++ b/ci/vizier_build_release.sh @@ -35,7 +35,7 @@ echo "The release tag is: ${release_tag}" bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \ --repo_path "${repo_path}" --artifact_name vizier --versions_file "${versions_file}" -image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}" +image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}" push_all_multiarch_images "//k8s/vizier:vizier_images_push" "//k8s/vizier:list_image_bundle" "${release_tag}" "${image_repo}" From 9aba7f3ecf12c74de9a38684727b8ef7236d793c Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Sun, 26 Apr 2026 20:26:33 -0700 Subject: [PATCH 6/6] Gate CLI macOS signing on vars.ENABLE_MACOS_SIGNING Signed-off-by: Dom Del Nano --- .github/workflows/cli_release.yaml | 24 ++++++++++++++++++++++-- ci/cli_build_release.sh | 5 +++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml index 44f4d5e1b93..192ba13510b 100644 --- a/.github/workflows/cli_release.yaml +++ b/.github/workflows/cli_release.yaml @@ -24,6 +24,8 @@ jobs: image: ${{ needs.get-dev-image.outputs.image-with-tag }} env: ARTIFACT_UPLOAD_LOG: "artifact_uploads.json" + # When macOS signing is enabled, push-signed-artifacts owns the manifest update. + MANIFEST_UPDATES: ${{ vars.ENABLE_MACOS_SIGNING == 'true' && '' || 'manifest_updates.json' }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
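Review bot: The `MANIFEST_UPDATES` expression in cli_release.yaml always evaluates to `manifest_updates.json`, because in `cond && '' || 'manifest_updates.json'` the empty string is falsy and the `||` branch is taken even when `vars.ENABLE_MACOS_SIGNING == 'true'`. That contradicts the comment above it, and ci/cli_build_release.sh then writes the manifest in build-release whenever the variable is non-empty. Putting the non-empty value in the middle fixes it: `MANIFEST_UPDATES: ${{ vars.ENABLE_MACOS_SIGNING != 'true' && 'manifest_updates.json' || '' }}`. The job's `env:` block begins outside this hunk.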
@@ -79,8 +81,14 @@ jobs: with: name: artifact-upload-log path: ${{ env.ARTIFACT_UPLOAD_LOG }} + - if: vars.ENABLE_MACOS_SIGNING != 'true' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: manifest-updates + path: manifest_updates.json sign-release: name: Sign Release for MacOS + if: vars.ENABLE_MACOS_SIGNING == 'true' runs-on: macos-latest needs: build-release steps: @@ -115,6 +123,7 @@ jobs: path: artifacts/ push-signed-artifacts: name: Push Signed Artifacts for MacOS + if: vars.ENABLE_MACOS_SIGNING == 'true' runs-on: ubuntu-latest needs: [get-dev-image, sign-release] container: @@ -162,7 +171,11 @@ jobs: create-github-release: name: Create Release on Github runs-on: ubuntu-latest - needs: push-signed-artifacts + needs: [build-release, push-signed-artifacts] + if: | + always() && + needs.build-release.result == 'success' && + (needs.push-signed-artifacts.result == 'success' || needs.push-signed-artifacts.result == 'skipped') permissions: contents: write steps: @@ -187,8 +200,15 @@ jobs: gh release create "${TAG_NAME}" "${prerelease[@]}" \ --title "CLI ${TAG_NAME#release/cli/}" \ --notes $'Pixie CLI Release:\n'"${changelog}" - gh release upload "${TAG_NAME}" linux-artifacts/* macos-artifacts/* + shopt -s nullglob + upload_paths=(linux-artifacts/*) + if [[ -d macos-artifacts ]]; then + upload_paths+=(macos-artifacts/*) + fi + gh release upload "${TAG_NAME}" "${upload_paths[@]}" update-gh-artifacts-manifest: + if: | + always() && needs.create-github-release.result == 'success' runs-on: oracle-8cpu-32gb-x86-64 needs: [get-dev-image, create-github-release] container: diff --git a/ci/cli_build_release.sh b/ci/cli_build_release.sh index f511025f1d7..4b5b952eb45 100755 --- a/ci/cli_build_release.sh +++ b/ci/cli_build_release.sh 
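Review bot: In the `create-github-release` condition, `needs.push-signed-artifacts.result == 'skipped'` is also true when signing is enabled and `sign-release` fails, since `push-signed-artifacts` has no status function in its `if:` and is skipped when its dependency fails; the release would then be published without signed macOS binaries. Tying that branch to the variable closes the gap: `(vars.ENABLE_MACOS_SIGNING != 'true' || needs.push-signed-artifacts.result == 'success')`. `always()` here and on `update-gh-artifacts-manifest` in the next hunk also keeps both jobs eligible after the run is cancelled; `!cancelled() &&` is the usual replacement for a job that publishes. Both job definitions continue outside their hunks.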
@@ -95,3 +95,8 @@ upload_artifacts "${release_tag}"
 if [[ ! $release_tag == *"-"* ]]; then
 upload_artifacts "latest"
 fi
+
+# Create manifest update for downstream jobs.
+if [[ -n "${MANIFEST_UPDATES:-}" ]]; then
+ create_manifest_update "cli" "${release_tag}" > "${MANIFEST_UPDATES}"
+fi