
Commit 06c1dd7

committed
calculate params in setup-variables for release.yaml and add warning for upstream hack release
Signed-off-by: reggie-k <regina.voloshin@codefresh.io>
1 parent 5428c75 commit 06c1dd7


2 files changed

+43
-10
lines changed

2 files changed

+43
-10
lines changed

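--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,7 +20,7 @@ jobs:
 contents: read
 id-token: write # for creating OIDC tokens for signing.
 packages: write # used to push images to `ghcr.io` if used.
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 uses: ./.github/workflows/image-reuse.yaml
 with:
 quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
@@ -35,11 +35,12 @@ jobs:
 
 setup-variables:
 name: Setup Release Variables
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
 runs-on: ubuntu-22.04
 outputs:
 is_pre_release: ${{ steps.var.outputs.is_pre_release }}
 is_latest_release: ${{ steps.var.outputs.is_latest_release }}
+enable_fork_releases: ${{ steps.var.outputs.enable_fork_releases }}
 image_registry: ${{ steps.var.outputs.image_registry }}
 image_namespace: ${{ steps.var.outputs.image_namespace }}
 image_repository: ${{ steps.var.outputs.image_repository }}
@@ -75,11 +76,14 @@ jobs:
 echo "is_pre_release=$PRE_RELEASE" >> $GITHUB_OUTPUT
 echo "is_latest_release=$IS_LATEST" >> $GITHUB_OUTPUT
 
-# Calculate image names with defaults (single source of truth)
+# Calculate configuration with defaults
+ENABLE_FORK_RELEASES="${{ vars.ENABLE_FORK_RELEASES || 'false' }}"
 IMAGE_REGISTRY="${{ vars.IMAGE_REGISTRY || 'quay.io' }}"
 IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
 IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
 
+echo "enable_fork_releases=$ENABLE_FORK_RELEASES" >> $GITHUB_OUTPUT
+
 echo "image_registry=$IMAGE_REGISTRY" >> $GITHUB_OUTPUT
 echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
 echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
@@ -110,7 +114,7 @@ jobs:
 - argocd-image-provenance
 permissions:
 contents: write # used for uploading assets
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 runs-on: ubuntu-22.04
 env:
 GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
@@ -178,12 +182,12 @@ jobs:
 echo "hashes=$hashes" >> $GITHUB_OUTPUT
 
 goreleaser-provenance:
-needs: [goreleaser]
+needs: [goreleaser, setup-variables]
 permissions:
 actions: read # for detecting the Github Actions environment
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
 with:
@@ -196,11 +200,12 @@ jobs:
 needs:
 - argocd-image
 - goreleaser
+- setup-variables
 permissions:
 contents: write # Needed for release uploads
 outputs:
 hashes: ${{ steps.sbom-hash.outputs.hashes }}
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout code
@@ -263,12 +268,12 @@ jobs:
 /tmp/sbom.tar.gz
 
 sbom-provenance:
-needs: [generate-sbom]
+needs: [generate-sbom, setup-variables]
 permissions:
 actions: read # for detecting the Github Actions environment
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
 with:
@@ -285,7 +290,7 @@ jobs:
 permissions:
 contents: write # Needed to push commit to update stable tag
 pull-requests: write # Needed to create PR for VERSION update.
-if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES && vars.ENABLE_FORK_RELEASES == 'true' && startsWith(github.ref, 'refs/tags/') && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && needs.setup-variables.outputs.enable_fork_releases == 'true' && startsWith(github.ref, 'refs/tags/') && needs.setup-variables.outputs.image_namespace != 'argoproj')
 runs-on: ubuntu-22.04
 env:
 TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}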
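Review bot: In the `@@ -75,11 +76,14 @@` hunk the new line `ENABLE_FORK_RELEASES="${{ vars.ENABLE_FORK_RELEASES || 'false' }}"` expands a repository variable into the script text before the shell parses it, so a value containing a quote, a command substitution or a newline becomes shell syntax or an extra `name=value` line in `$GITHUB_OUTPUT`. This value now gates the jobs that hold `id-token: write` and `contents: write`, so it is worth passing it as data: set `ENABLE_FORK_RELEASES: ${{ vars.ENABLE_FORK_RELEASES || 'false' }}` under the step's `env:` and keep only `echo "enable_fork_releases=$ENABLE_FORK_RELEASES" >> "$GITHUB_OUTPUT"` in the script. The neighbouring `IMAGE_REGISTRY`, `IMAGE_NAMESPACE` and `IMAGE_REPOSITORY` assignments follow the same pattern and would benefit from the same treatment. Repository variables are normally writable only by maintainers, so the exposure is presumably limited; the rest of the step lies outside the hunk.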

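--- a/hack/trigger-release.sh
+++ b/hack/trigger-release.sh
@@ -31,6 +31,34 @@ fi
 
 echo ">> Working in release branch '${RELEASE_BRANCH}'"
 
+# Safety check: Warn if pushing to official argoproj/argo-cd repository
+REMOTE_URL=$(git remote get-url "${GIT_REMOTE}")
+if echo "${REMOTE_URL}" | grep -q "argoproj/argo-cd"; then
+echo "" >&2
+echo "!! ============================================================================" >&2
+echo "!! WARNING: Remote '${GIT_REMOTE}' points to OFFICIAL argoproj/argo-cd!" >&2
+echo "!! Remote URL: ${REMOTE_URL}" >&2
+echo "!! ============================================================================" >&2
+echo "!!" >&2
+echo "!! This will create an OFFICIAL Argo CD release:" >&2
+echo "!! - Tag: ${NEW_TAG}" >&2
+echo "!! - Images: quay.io/argoproj/argocd:${NEW_TAG}" >&2
+echo "!! - GitHub Release: https://github.com/argoproj/argo-cd/releases" >&2
+echo "!! - Visible to ALL users" >&2
+echo "!!" >&2
+echo "!! If you want to release from YOUR FORK:" >&2
+echo "!! 1. Press Ctrl+C now" >&2
+echo "!! 2. Use your fork remote: ./hack/trigger-release.sh ${NEW_TAG} origin" >&2
+echo "!!" >&2
+echo "!! To proceed with OFFICIAL release, type 'OFFICIAL' (30 second timeout):" >&2
+read -t 30 -r confirmation
+if [ "$confirmation" != "OFFICIAL" ]; then
+echo "!! Cancelled. Did not receive 'OFFICIAL' confirmation." >&2
+exit 1
+fi
+echo ">> Confirmed official release. Proceeding..." >&2
+fi
+
 echo ">> Ensuring release branch is up to date."
 # make sure release branch is up to date
 git pull "${GIT_REMOTE}" "${RELEASE_BRANCH}"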
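Review bot: The guard at new lines 35–36 can miss the official repository: `git remote get-url` without `--push` reads the fetch URL, which may differ from a configured `pushurl`, and `grep -q "argoproj/argo-cd"` is a case-sensitive substring match while GitHub resolves owner and repository names case-insensitively. Suggest `REMOTE_URL=$(git remote get-url --push "${GIT_REMOTE}")` and `grep -qiE '[:/]argoproj/argo-cd(\.git)?/?$'`, which also stops the prompt firing for repositories whose names merely begin with `argo-cd`. If the script runs under `set -e` (not visible in this hunk), a timed-out `read -t 30` exits before the "Cancelled" message is printed; `read -t 30 -r confirmation || true` keeps the message. The tag push itself is outside the hunk.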
