
fix: add security hardening for webhook server and controller #12

fix: add security hardening for webhook server and controller

fix: add security hardening for webhook server and controller #12

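# Release workflow: on every push to the release branches and on v* tags it
# builds and pushes the container images; for tags it additionally publishes
# the CLI binaries, a GitHub release and the Helm chart.
name: Release
on:  # yamllint disable-line rule:truthy -- GitHub's loader treats this key correctly
  push:
    branches: [main, prod]
    tags: ["v*"]

# One release at a time per ref; an in-flight release is never cancelled so
# that a partially pushed image set cannot be left behind.
concurrency:
  group: release-anomalo-${{ github.ref }}
  cancel-in-progress: false

env:
  REGISTRY: public.ecr.aws/anomalo/kelos

jobs:
  release:
    runs-on: ubuntu-latest
    # contents: write is required by `gh release`; id-token: write by the OIDC
    # exchange performed by configure-aws-credentials.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history; presumably needed by release-notes -- confirm
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # NOTE(review): third-party actions are pinned to mutable major tags
      # (@v4, @v5, @v6, @v2). Pinning each to a full commit SHA, with the tag
      # kept in a trailing comment, removes the dependence on tag integrity.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: arn:aws:iam::580663733917:role/github-actions
          aws-region: us-east-1
      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public
      # Tag pushes use the tag name as the version; branch pushes use the
      # branch name. GITHUB_REF is read from the environment, never interpolated.
      - name: Determine version
        id: version
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
            echo "version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
          else
            echo "version=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
          fi
      # REGISTRY is exported from the workflow-level env, so it is read as a
      # shell variable instead of being interpolated into the script text.
      - name: Build images
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: make image VERSION="$VERSION" REGISTRY="$REGISTRY"
      - name: Push images
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: make push VERSION="$VERSION" REGISTRY="$REGISTRY"
      - name: Push latest tags for releases
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          make image VERSION=latest REGISTRY="$REGISTRY"
          make push VERSION=latest REGISTRY="$REGISTRY"
      - name: Build CLI binaries
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: make release-binaries VERSION="$VERSION"
      - name: Generate release notes
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: go run ./hack/release-notes "$VERSION" > /tmp/release-notes.md
      - name: Upload CLI binaries to GitHub release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # `|| true` presumably tolerates an already-existing release; any
          # other failure still surfaces at the upload command below.
          gh release create "$VERSION" --verify-tag --draft --title "$VERSION" --notes-file /tmp/release-notes.md || true
          gh release upload "$VERSION" --clobber \
            bin/kelos-* \
            bin/checksums.txt

  publish-helm-chart:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    needs: release
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: "3.20.1"  # quoted so no YAML loader can retype it
      - name: Determine version
        id: version
        run: |
          # Extract version without 'v' prefix (e.g., v1.2.3 -> 1.2.3)
          VERSION=${GITHUB_REF#refs/tags/v}
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: arn:aws:iam::580663733917:role/github-actions
          aws-region: us-east-1
      - name: Login to Amazon ECR for Helm
        run: |
          aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws
      # The tag name and chart version are handed to the shell through env
      # rather than interpolated with ${{ }} into the script, so an unusual
      # tag name cannot change the commands that run.
      - name: Set image tag in chart values
        env:
          TAG: ${{ github.ref_name }}
        run: |
          sed -i "s|tag: \"latest\"|tag: \"${TAG}\"|" \
            internal/manifests/charts/kelos/values.yaml
          grep -qF "tag: \"${TAG}\"" \
            internal/manifests/charts/kelos/values.yaml
      - name: Package Helm chart
        env:
          CHART_VERSION: ${{ steps.version.outputs.version }}
          TAG: ${{ github.ref_name }}
        run: |
          mkdir -p /tmp/charts
          helm package internal/manifests/charts/kelos \
            --version "$CHART_VERSION" \
            --app-version "$TAG" \
            --destination /tmp/charts
      - name: Push Helm chart to ECR
        env:
          CHART_VERSION: ${{ steps.version.outputs.version }}
        run: |
          helm push "/tmp/charts/kelos-${CHART_VERSION}.tgz" oci://public.ecr.aws/anomalo/kelos/charts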