ci: move secrets to vault #698
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| concurrency: | |
| group: "create-release-${{ github.sha }}" | |
| env: | |
| BUILD_ARTIFACTS_BUCKET: "loki-build-artifacts" | |
| GITHUB_APP: "loki-gh-app" | |
| IMAGE_PREFIX: "trevorwhitney075" | |
| PUBLISH_TO_GCS: false | |
| RELEASE_LIB_REF: "main" | |
| RELEASE_REPO: "grafana/loki-release" | |
| USE_GITHUB_APP_TOKEN: true | |
| jobs: | |
| createRelease: | |
| env: | |
| SHA: "${{ needs.shouldRelease.outputs.sha }}" | |
| if: "${{ fromJSON(needs.shouldRelease.outputs.shouldRelease) }}" | |
| needs: | |
| - "shouldRelease" | |
| outputs: | |
| draft: "${{ steps.check_release.outputs.draft }}" | |
| exists: "${{ steps.check_release.outputs.exists }}" | |
| isLatest: "${{ needs.shouldRelease.outputs.isLatest }}" | |
| name: "${{ needs.shouldRelease.outputs.name }}" | |
| sha: "${{ needs.shouldRelease.outputs.sha }}" | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| pull-requests: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull code to release" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "release" | |
| persist-credentials: false | |
| repository: "${{ env.RELEASE_REPO }}" | |
| - name: "pull release library code" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "lib" | |
| persist-credentials: false | |
| ref: "${{ env.RELEASE_LIB_REF }}" | |
| repository: "grafana/loki-release" | |
| - name: "setup node" | |
| uses: "actions/setup-node@v4" | |
| with: | |
| node-version: 20 | |
| - id: "fetch_gcs_credentials" | |
| name: "fetch gcs credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: "GCS_SERVICE_ACCOUNT_KEY=gcs:service-account-key" | |
| - name: "auth gcs" | |
| uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" | |
| with: | |
| credentials_json: "${{ env.GCS_SERVICE_ACCOUNT_KEY }}" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a" | |
| with: | |
| version: ">= 452.0.0" | |
| - id: "fetch_app_credentials" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "fetch app credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: | | |
| APP_ID=${{ env.GITHUB_APP }}:app-id | |
| PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key | |
| - id: "get_github_app_token" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "get github app token" | |
| uses: "actions/create-github-app-token@v1" | |
| with: | |
| app-id: "${{ env.APP_ID }}" | |
| owner: "${{ github.repository_owner }}" | |
| private-key: "${{ env.PRIVATE_KEY }}" | |
| - env: | |
| OUTPUTS_TOKEN: "${{ steps.get_github_app_token.outputs.token }}" | |
| id: "github_app_token" | |
| name: "set github token" | |
| run: | | |
| if [[ "${USE_GITHUB_APP_TOKEN}" == "true" ]]; then | |
| echo "token=$OUTPUTS_TOKEN" >> $GITHUB_OUTPUT | |
| else | |
| echo "token=${{ secrets.GH_TOKEN }}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: "download binaries" | |
| run: | | |
| echo "downloading binaries to $(pwd)/dist" | |
| gsutil cp -r gs://${BUILD_ARTIFACTS_BUCKET}/$(echo ${SHA} | tr -d '"')/dist . | |
| working-directory: "release" | |
| - env: | |
| GH_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| OUTPUTS_NAME: "${{ needs.shouldRelease.outputs.name }}" | |
| id: "check_release" | |
| name: "check if release exists" | |
| run: | | |
| set +e | |
| isDraft="$(gh release view --json="isDraft" --jq=".isDraft" $(echo $OUTPUTS_NAME | tr -d '"') 2>&1)" | |
| set -e | |
| if [[ "$isDraft" == "release not found" ]]; then | |
| echo "exists=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "exists=true" >> $GITHUB_OUTPUT | |
| fi | |
| if [[ "$isDraft" == "true" ]]; then | |
| echo "draft=true" >> $GITHUB_OUTPUT | |
| fi | |
| working-directory: "release" | |
| - env: | |
| OUTPUTS_BRANCH: "${{ needs.shouldRelease.outputs.branch }}" | |
| OUTPUTS_PR_NUMBER: "${{ needs.shouldRelease.outputs.prNumber }}" | |
| OUTPUTS_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| SHA: "${{ needs.shouldRelease.outputs.sha }}" | |
| id: "release" | |
| if: "${{ !fromJSON(steps.check_release.outputs.exists) }}" | |
| name: "create release" | |
| run: | | |
| npm install | |
| npm exec -- release-please github-release \ | |
| --draft \ | |
| --release-type simple \ | |
| --repo-url "${{ env.RELEASE_REPO }}" \ | |
| --target-branch "$(echo $OUTPUTS_BRANCH | tr -d '"')" \ | |
| --token "$(echo $OUTPUTS_TOKEN | tr -d '"')" \ | |
| --shas-to-tag "$(echo $OUTPUTS_PR_NUMBER | tr -d '"'):$(echo ${SHA} | tr -d '"')" | |
| working-directory: "lib" | |
| - env: | |
| GH_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| OUTPUTS_NAME: "${{ needs.shouldRelease.outputs.name }}" | |
| id: "upload" | |
| name: "upload artifacts" | |
| run: | | |
| gh release upload --clobber $(echo $OUTPUTS_NAME | tr -d '"') dist/* | |
| working-directory: "release" | |
| - if: "${{ fromJSON(env.PUBLISH_TO_GCS) }}" | |
| name: "release artifacts" | |
| uses: "google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0" | |
| with: | |
| destination: "${{ env.PUBLISH_BUCKET }}" | |
| parent: false | |
| path: "release/dist" | |
| process_gcloudignore: false | |
| createReleaseBranch: | |
| needs: | |
| - "publishRelease" | |
| outputs: | |
| branchExists: "${{ steps.create_branch.outputs.branch_exists }}" | |
| branchName: "${{ steps.create_branch.outputs.branch_name }}" | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull code to release" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "release" | |
| persist-credentials: false | |
| repository: "${{ env.RELEASE_REPO }}" | |
| - id: "extract_branch" | |
| name: "extract branch name" | |
| run: | | |
| echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| working-directory: "release" | |
| - id: "fetch_app_credentials" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "fetch app credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: | | |
| APP_ID=${{ env.GITHUB_APP }}:app-id | |
| PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key | |
| - id: "get_github_app_token" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "get github app token" | |
| uses: "actions/create-github-app-token@v1" | |
| with: | |
| app-id: "${{ env.APP_ID }}" | |
| owner: "${{ github.repository_owner }}" | |
| private-key: "${{ env.PRIVATE_KEY }}" | |
| - env: | |
| OUTPUTS_TOKEN: "${{ steps.get_github_app_token.outputs.token }}" | |
| id: "github_app_token" | |
| name: "set github token" | |
| run: | | |
| if [[ "${USE_GITHUB_APP_TOKEN}" == "true" ]]; then | |
| echo "token=$OUTPUTS_TOKEN" >> $GITHUB_OUTPUT | |
| else | |
| echo "token=${{ secrets.GH_TOKEN }}" >> $GITHUB_OUTPUT | |
| fi | |
| - env: | |
| GH_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| OUTPUTS_BRANCH: "${{ steps.extract_branch.outputs.branch }}" | |
| OUTPUTS_NAME: "${{ needs.publishRelease.outputs.name }}" | |
| OUTPUTS_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| VERSION: "${{ needs.publishRelease.outputs.name }}" | |
| id: "create_branch" | |
| name: "create release branch" | |
| run: | | |
| # Debug and clean the version variable | |
| echo "Original VERSION: $VERSION" | |
| # Remove all quotes (both single and double) | |
| VERSION=$(echo $VERSION | tr -d '"' | tr -d "'") | |
| echo "After removing quotes: $VERSION" | |
| # Extract version without the 'v' prefix if it exists | |
| VERSION="${VERSION#v}" | |
| echo "After removing v prefix: $VERSION" | |
| # Extract major and minor versions | |
| MAJOR=$(echo $VERSION | cut -d. -f1) | |
| MINOR=$(echo $VERSION | cut -d. -f2) | |
| echo "MAJOR: $MAJOR, MINOR: $MINOR" | |
| # Create branch name from template | |
| BRANCH_TEMPLATE="release-\${major}.\${minor}.x" | |
| BRANCH_NAME=${BRANCH_TEMPLATE//\$\{major\}/$MAJOR} | |
| BRANCH_NAME=${BRANCH_NAME//\$\{minor\}/$MINOR} | |
| echo "Checking if branch already exists: $BRANCH_NAME" | |
| # Check if branch exists | |
| if git ls-remote --heads origin $BRANCH_NAME | grep -q $BRANCH_NAME; then | |
| echo "Branch $BRANCH_NAME already exists, skipping creation" | |
| echo "branch_exists=true" >> $GITHUB_OUTPUT | |
| echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT | |
| else | |
| echo "Creating branch: $BRANCH_NAME from tag: $(echo $OUTPUTS_NAME | tr -d '"')" | |
| # Create branch from the tag | |
| git fetch --tags | |
| git checkout "$(echo $OUTPUTS_BRANCH | tr -d '"')" | |
| git checkout -b $BRANCH_NAME | |
| # explicity set the github app token to override the release branch protection | |
| git remote set-url origin "https://x-access-token:$(echo ${OUTPUTS_TOKEN} | tr -d '"')@github.com/${{ env.RELEASE_REPO }}" | |
| git push -u origin $BRANCH_NAME | |
| echo "branch_exists=false" >> $GITHUB_OUTPUT | |
| echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT | |
| fi | |
| working-directory: "release" | |
| publishDockerPlugins: | |
| needs: | |
| - "createRelease" | |
| permissions: | |
| id-token: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull release library code" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "lib" | |
| persist-credentials: false | |
| ref: "${{ env.RELEASE_LIB_REF }}" | |
| repository: "grafana/loki-release" | |
| - name: "pull code to release" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "release" | |
| persist-credentials: false | |
| repository: "${{ env.RELEASE_REPO }}" | |
| - id: "fetch_gcs_credentials" | |
| name: "fetch gcs credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: "GCS_SERVICE_ACCOUNT_KEY=gcs:service-account-key" | |
| - name: "auth gcs" | |
| uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" | |
| with: | |
| credentials_json: "${{ env.GCS_SERVICE_ACCOUNT_KEY }}" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a" | |
| with: | |
| version: ">= 452.0.0" | |
| - name: "Set up QEMU" | |
| uses: "docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392" | |
| - name: "set up docker buildx" | |
| uses: "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2" | |
| - id: "fetch_docker_credentials" | |
| name: "fetch docker credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: "DOCKER_PASSWORD=docker:password" | |
| - name: "Login to DockerHub (from secrets)" | |
| uses: "docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772" | |
| with: | |
| password: "${{ env.DOCKER_PASSWORD }}" | |
| username: "trevorwhitney075" | |
| - env: | |
| SHA: "${{ needs.createRelease.outputs.sha }}" | |
| name: "download and prepare plugins" | |
| run: | | |
| echo "downloading images to $(pwd)/plugins" | |
| gsutil cp -r gs://${BUILD_ARTIFACTS_BUCKET}/$(echo ${SHA} | tr -d '"')/plugins . | |
| mkdir -p "release/clients/cmd/docker-driver" | |
| - name: "publish docker driver" | |
| uses: "./lib/actions/push-images" | |
| with: | |
| buildDir: "release/clients/cmd/docker-driver" | |
| imageDir: "plugins" | |
| imagePrefix: "${{ env.IMAGE_PREFIX }}" | |
| isLatest: "${{ needs.createRelease.outputs.isLatest }}" | |
| isPlugin: true | |
| publishImages: | |
| needs: | |
| - "createRelease" | |
| permissions: | |
| id-token: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull release library code" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "lib" | |
| persist-credentials: false | |
| ref: "${{ env.RELEASE_LIB_REF }}" | |
| repository: "grafana/loki-release" | |
| - id: "fetch_gcs_credentials" | |
| name: "fetch gcs credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: "GCS_SERVICE_ACCOUNT_KEY=gcs:service-account-key" | |
| - name: "auth gcs" | |
| uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" | |
| with: | |
| credentials_json: "${{ env.GCS_SERVICE_ACCOUNT_KEY }}" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a" | |
| with: | |
| version: ">= 452.0.0" | |
| - name: "Set up QEMU" | |
| uses: "docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392" | |
| - name: "set up docker buildx" | |
| uses: "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2" | |
| - id: "fetch_docker_credentials" | |
| name: "fetch docker credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: "DOCKER_PASSWORD=docker:password" | |
| - name: "Login to DockerHub (from secrets)" | |
| uses: "docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772" | |
| with: | |
| password: "${{ env.DOCKER_PASSWORD }}" | |
| username: "trevorwhitney075" | |
| - env: | |
| SHA: "${{ needs.createRelease.outputs.sha }}" | |
| name: "download images" | |
| run: | | |
| echo "downloading images to $(pwd)/images" | |
| gsutil cp -r gs://${BUILD_ARTIFACTS_BUCKET}/$(echo ${SHA} | tr -d '"')/images . | |
| - name: "publish docker images" | |
| uses: "./lib/actions/push-images" | |
| with: | |
| imageDir: "images" | |
| imagePrefix: "${{ env.IMAGE_PREFIX }}" | |
| isLatest: "${{ needs.createRelease.outputs.isLatest }}" | |
| publishRelease: | |
| needs: | |
| - "createRelease" | |
| - "publishImages" | |
| - "publishDockerPlugins" | |
| outputs: | |
| name: "${{ needs.createRelease.outputs.name }}" | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull code to release" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "release" | |
| persist-credentials: false | |
| repository: "${{ env.RELEASE_REPO }}" | |
| - id: "fetch_app_credentials" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "fetch app credentials from vault" | |
| uses: "grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760" | |
| with: | |
| repo_secrets: | | |
| APP_ID=${{ env.GITHUB_APP }}:app-id | |
| PRIVATE_KEY=${{ env.GITHUB_APP }}:private-key | |
| - id: "get_github_app_token" | |
| if: "${{ fromJSON(env.USE_GITHUB_APP_TOKEN) }}" | |
| name: "get github app token" | |
| uses: "actions/create-github-app-token@v1" | |
| with: | |
| app-id: "${{ env.APP_ID }}" | |
| owner: "${{ github.repository_owner }}" | |
| private-key: "${{ env.PRIVATE_KEY }}" | |
| - env: | |
| OUTPUTS_TOKEN: "${{ steps.get_github_app_token.outputs.token }}" | |
| id: "github_app_token" | |
| name: "set github token" | |
| run: | | |
| if [[ "${USE_GITHUB_APP_TOKEN}" == "true" ]]; then | |
| echo "token=$OUTPUTS_TOKEN" >> $GITHUB_OUTPUT | |
| else | |
| echo "token=${{ secrets.GH_TOKEN }}" >> $GITHUB_OUTPUT | |
| fi | |
| - env: | |
| GH_TOKEN: "${{ steps.github_app_token.outputs.token }}" | |
| OUTPUTS_IS_LATEST: "${{ needs.createRelease.outputs.isLatest }}" | |
| OUTPUTS_NAME: "${{ needs.createRelease.outputs.name }}" | |
| if: "${{ !fromJSON(needs.createRelease.outputs.exists) || (needs.createRelease.outputs.draft && fromJSON(needs.createRelease.outputs.draft)) }}" | |
| name: "publish release" | |
| run: | | |
| gh release edit $(echo $OUTPUTS_NAME | tr -d '"') --draft=false --latest=$(echo $OUTPUTS_IS_LATEST | tr -d '"') | |
| working-directory: "release" | |
| shouldRelease: | |
| outputs: | |
| branch: "${{ steps.extract_branch.outputs.branch }}" | |
| isLatest: "${{ steps.should_release.outputs.isLatest }}" | |
| name: "${{ steps.should_release.outputs.name }}" | |
| prNumber: "${{ steps.should_release.outputs.prNumber }}" | |
| sha: "${{ steps.should_release.outputs.sha }}" | |
| shouldRelease: "${{ steps.should_release.outputs.shouldRelease }}" | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| pull-requests: "write" | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "pull code to release" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "release" | |
| persist-credentials: false | |
| repository: "${{ env.RELEASE_REPO }}" | |
| - name: "pull release library code" | |
| uses: "actions/checkout@v4" | |
| with: | |
| path: "lib" | |
| persist-credentials: false | |
| ref: "${{ env.RELEASE_LIB_REF }}" | |
| repository: "grafana/loki-release" | |
| - id: "extract_branch" | |
| name: "extract branch name" | |
| run: | | |
| echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| working-directory: "release" | |
| - id: "should_release" | |
| name: "should a release be created?" | |
| uses: "./lib/actions/should-release" | |
| with: | |
| baseBranch: "${{ steps.extract_branch.outputs.branch }}" | |
| name: "Create Release" | |
| "on": | |
| pull_request: {} | |
| push: | |
| branches: | |
| - "release-[0-9]+.[0-9]+.x" | |
| permissions: | |
| contents: "read" | |
| pull-requests: "read" |