Add reusable controller-release workflow

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

.github/workflows/controller-release.yaml

@@ -0,0 +1,143 @@
+name: controller-release
+
+on:
+  workflow_call:
+    inputs:
+      controller:
+        description: 'controller name'
+        required: true
+        type: string
+      release-candidate-prefix:
+        description: 'release candidate image tag prefix'
+        required: true
+        type: string
+    secrets:
+      github-token:
+        description: 'GitHub token (for pushing to GHCR and creating GitHub releases)'
+        required: true
+      dockerhub-token:
+        description: 'Docker Hub token'
+        required: true
+    outputs:
+      hashes:
+        description: 'Release artifacts digests compatible with SLSA'
+        value: ${{ jobs.release.outputs.hashes }}
+      image-url:
+        description: 'Published image URL'
+        value: ${{ jobs.release.outputs.image-url }}
+      image-digest:
+        description: 'Published image digest'
+        value: ${{ jobs.release.outputs.image-digest }}
+
+jobs:
+  release:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image-url: ${{ steps.slsa.outputs.image_url }}
+      image-digest: ${{ steps.slsa.outputs.image_digest }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup Kustomize
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Prepare
+        id: prep
+        env:
+          GIT_REF: ${{ github.ref }}
+          GIT_SHA: ${{ github.sha }}
+          RELEASE_CANDIDATE_PREFIX: ${{ inputs.release-candidate-prefix }}
+        run: |
+          VERSION="${RELEASE_CANDIDATE_PREFIX}-${GIT_SHA::8}"
+          if [[ $GIT_REF == refs/tags/* ]]; then
+            VERSION=${GIT_REF/refs\/tags\//}
+          fi
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: fluxcdbot # not necessary for ghcr.io
+          password: ${{ secrets.github-token }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ github.repository_owner == 'fluxcd' && 'fluxcdbot' || github.repository_owner }}
+          password: ${{ secrets.dockerhub-token }}
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            ${{ github.repository_owner }}/${{ inputs.controller }}
+            ghcr.io/${{ github.repository_owner }}/${{ inputs.controller }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+      - name: Publish images
+        id: build-push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          sbom: true
+          provenance: true
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+          CONTROLLER: ${{ inputs.controller }}
+          DIGEST: ${{ steps.build-push.outputs.digest }}
+          REPOSITORY_OWNER: ${{ github.repository_owner }}
+        run: |
+          cosign sign --yes ${REPOSITORY_OWNER}/${CONTROLLER}@${DIGEST}
+          cosign sign --yes ghcr.io/${REPOSITORY_OWNER}/${CONTROLLER}@${DIGEST}
+      - name: Generate release artifacts
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          CONTROLLER: ${{ inputs.controller }}
+        run: |
+          mkdir -p config/release
+          kustomize build ./config/crd > ./config/release/${CONTROLLER}.crds.yaml
+          kustomize build ./config/manager > ./config/release/${CONTROLLER}.deployment.yaml
+      - uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
+      - name: Create release and SBOM
+        id: run-goreleaser
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: latest
+          args: release --clean --skip=validate
+        env:
+          GITHUB_TOKEN: ${{ secrets.github-token }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+          CONTROLLER: ${{ inputs.controller }}
+          VERSION: ${{ steps.prep.outputs.version }}
+          BUILD_DIGEST: ${{ steps.build-push.outputs.digest }}
+          REPOSITORY_OWNER: ${{ github.repository_owner }}
+        run: |
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+          image_url=${REPOSITORY_OWNER}/${CONTROLLER}:${VERSION}
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+
+          image_digest=${BUILD_DIGEST}
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT

README.md

@@ -7,6 +7,61 @@ This repository contains reusable GitHub Workflows shared across the Flux contro
 
 ## Workflows
 
+### Release Flux controllers
+
+The [controller-release](.github/workflows/controller-release.yaml) workflow automates the release of
+Flux controllers by building and publishing container images to GitHub Container Registry (GHCR) and Docker Hub,
+and creating a GitHub release with the changelog.
+
+Example usage:
+
+```yaml
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'image tag prefix'
+        default: 'rc'
+        required: false
+
+jobs:
+  release:
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
+    uses: fluxcd/gha-workflows/.github/workflows/[email protected]
+    with:
+      controller: ${{ github.event.repository.name }}
+      release-candidate-prefix: ${{ github.event.inputs.tag }}
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      dockerhub-token: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+```
+
+3rd-party actions used:
+
+- [actions/checkout](https://github.com/actions/checkout)
+- [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action)
+- [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action)
+- [docker/login-action](https://github.com/docker/login-action)
+- [docker/metadata-action](https://github.com/docker/metadata-action)
+- [docker/build-push-action](https://github.com/docker/build-push-action)
+- [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
+- [anchore/sbom-action](https://github.com/anchore/sbom-action)
+- [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action)
+
+Outputs:
+
+- `hashes`: Release artifacts digests compatible with SLSA
+- `image-url`: Published image URL
+- `image-digest`: Published image digest
+
 ### Backport to Release Branches
 
 The [backport](.github/workflows/backport.yaml) workflow automates the backporting of merged pull