---

name: operator-release

on:

push:

tags:

- release/operator/**

permissions:

contents: read

env:

VERSIONS_FILE: "VERSIONS.json"

jobs:

get-dev-image:

uses: ./.github/workflows/get_image.yaml

with:

image-base-name: "dev_image_with_extras"

build-release:

name: Build Release

runs-on: oracle-16cpu-64gb-x86-64

needs: get-dev-image

container:

image: ${{ needs.get-dev-image.outputs.image-with-tag }}

env:

MANIFEST_UPDATES: "manifest_updates.json"

ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

fetch-depth: 0

- name: Add pwd to git safe dir

run: git config --global --add safe.directory `pwd`

- name: Use github bazel config

uses: ./.github/actions/bazelrc

with:

download_toplevel: 'true'

BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}

- id: gcloud-creds

uses: ./.github/actions/gcloud_creds

with:

SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}

- name: Import GPG key

env:

BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}

run: |

echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import

- name: Build & Push Artifacts

env:

REF: ${{ github.event.ref }}

BUILD_NUMBER: ${{ github.run_attempt }}

JOB_NAME: ${{ github.job }}

COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}

COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}

GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}

GH_REPO: ${{ github.repository }}

BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}

shell: bash

run: |

export TAG_NAME="${REF#*/tags/}"

export ARTIFACTS_DIR="$(pwd)/artifacts"

export INDEX_FILE="$(pwd)/index.yaml"

mkdir -p "${ARTIFACTS_DIR}"

./ci/save_version_info.sh

./ci/operator_build_release.sh

- name: Update GCS Manifest

env:

ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public"

# Use the old style versions file instead of the new updates for the gcs manifest.

MANIFEST_UPDATES: ""

GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}

run: ./ci/update_artifact_manifest.sh

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

with:

name: manifest-updates

path: ${{ env.MANIFEST_UPDATES }}

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

with:

name: operator-artifacts

path: artifacts/

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

with:

name: index-artifacts

path: index.yaml

create-github-release:

name: Create Release on Github

runs-on: ubuntu-latest

needs: build-release

permissions:

contents: write

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

fetch-depth: 0

- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

- name: Create Release

env:

REF: ${{ github.event.ref }}

GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}

shell: bash

run: |

export TAG_NAME="${REF#*/tags/}"

# actions/checkout doesn't get the tag annotation properly.

git fetch origin tag "${TAG_NAME}" -f

export changelog="$(git tag -l --format='%(contents)' "${TAG_NAME}")"

prerelease=()

if [[ "${REF}" == *"-"* ]]; then

prerelease=("--prerelease")

fi

gh release create "${TAG_NAME}" "${prerelease[@]}" \

--title "Operator ${TAG_NAME#release/operator/}" \

--notes $'Pixie Operator Release:\n'"${changelog}"

gh release upload "${TAG_NAME}" operator-artifacts/*

create-helm-chart:

if: ${{ !contains(github.event.ref, '-') }}

name: Create Helm chart on Github

runs-on: ubuntu-latest

needs: build-release

concurrency: gh-pages

permissions:

contents: write

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

fetch-depth: 0

ref: gh-pages

- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

- name: Setup git

shell: bash

env:

GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key"

run: |

git config --global user.name 'pixie-io-buildbot'

git config --global user.email 'build@pixielabs.ai'

- name: Push Helm YAML to gh-pages

shell: bash

env:

TAG_NAME: ${{ github.event.release.tag_name }}

GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}

GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key"

run: |

cp index-artifacts/index.yaml helm_charts/operator/index.yaml

git add helm_charts/operator/index.yaml

export VERSION="$(echo "${TAG_NAME}" | cut -d'/' -f3)"

git commit -s -m "Release Helm chart ${VERSION}"

git push origin "gh-pages"

update-gh-artifacts-manifest:

runs-on: oracle-8cpu-32gb-x86-64

needs: [get-dev-image, create-github-release]

container:

image: ${{ needs.get-dev-image.outputs.image-with-tag }}

concurrency: gh-pages

permissions:

contents: write

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

fetch-depth: 0

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

ref: gh-pages

path: gh-pages

- name: Add pwd to git safe dir

run: |

git config --global --add safe.directory `pwd`

git config --global --add safe.directory "$(pwd)/gh-pages"

- name: Import GPG key

env:

BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}

run: |

echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import

- name: Setup git

shell: bash

env:

BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}

run: |

git config --global user.name 'pixie-io-buildbot'

git config --global user.email 'build@pixielabs.ai'

git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}"

git config --global commit.gpgsign true

- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

id: download-artifact

with:

name: manifest-updates

- name: Update gh-pages Manifest

env:

ARTIFACT_MANIFEST_PATH: "gh-pages/artifacts/manifest.json"

MANIFEST_UPDATES: "manifest_updates.json"

run: |

./ci/update_artifact_manifest.sh

cd gh-pages

export ARTIFACT_MANIFEST_PATH="${ARTIFACT_MANIFEST_PATH##gh-pages/}"

git add "${ARTIFACT_MANIFEST_PATH}" "${ARTIFACT_MANIFEST_PATH}.sha256"

git commit -s -m "Update artifact manifest"

git push origin "gh-pages"