diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e47e7d1..3a87272 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -55,7 +55,8 @@ jobs:
 uses: ietf-tools/semver-action@v1.5.1
 with:
 token: ${{ github.token }}
- branch: ${{ github.ref_name }}
+ # fall back to dev because we want to have a valid semver
+ branch: ${{ fromJSON('{"main":"dev"}')[github.ref_name] || github.ref_name }}
 noVersionBumpBehavior: current
 - name: Set OPERATOR_VERSION
@@ -75,20 +76,14 @@ jobs:
 NEXT_STRICT,
 } = process.env
- let OPERATOR_VERSION = GITHUB_REF_NAME
- let OPERATOR_VERSION_STRICT = GITHUB_REF_NAME
+ let REPLACED_BRANCH_NAME = (GITHUB_REF_NAME || GITHUB_HEAD_REF).replace(/[^a-zA-Z0-9]/g, '-')
- // if run is triggerd by a pull request use GITHUB_HEAD_REF
- if (GITHUB_HEAD_REF) {
- OPERATOR_VERSION = GITHUB_HEAD_REF
- }
-
- // remove any non alphanumeric characters
- OPERATOR_VERSION = NEXT + '-' + OPERATOR_VERSION.replace(/[^a-zA-Z0-9]/g, '-')
- OPERATOR_VERSION_STRICT = NEXT_STRICT + '-' + OPERATOR_VERSION_STRICT.replace(/[^a-zA-Z0-9]/g, '-')
+ // use semver if branch name is not a valid semver
+ let OPERATOR_VERSION = NEXT + "-" + REPLACED_BRANCH_NAME
+ let OPERATOR_VERSION_STRICT = NEXT_STRICT + "-" + REPLACED_BRANCH_NAME
 // if run is triggerd on main use the next tag
- if (OPERATOR_VERSION == 'main') {
+ if (REPLACED_BRANCH_NAME == 'main') {
 OPERATOR_VERSION = NEXT
 OPERATOR_VERSION_STRICT = NEXT_STRICT
 core.setOutput('IS_RELEASE', true)
@@ -199,10 +194,11 @@ jobs:
 steps:
 - name: Update CHANGELOG
 id: changelog
- uses: requarks/changelog-action@v1.8.0
+ uses: requarks/changelog-action@v1.8.1
 with:
 token: ${{ github.token }}
- fromTag: ${{ github.ref_name }}
+ # calculate the changelog from the last tag to the current dev state
+ fromTag: ${{ fromJSON('{"main":"dev"}')[github.ref_name] || github.ref_name }}
 toTag: ${{ env.CURRENT }}
 # Create a new release on GitHub with the semantic OPERATOR_VERSION number
 - name: Create Release
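Review bot: The `fromJSON('{"main":"dev"}')[github.ref_name] || github.ref_name` lookup on the new `branch:` line is repeated verbatim on the new `fromTag:` line of the changelog hunk, so the main→dev mapping that both steps depend on can drift when one is edited and the other is not. Computing it once at workflow or job level, e.g. `env:` with `SEMVER_BRANCH: ${{ github.ref_name == 'main' && 'dev' || github.ref_name }}`, and using `${{ env.SEMVER_BRANCH }}` in both `with:` blocks keeps the two steps in lockstep. The `# fall back to dev because we want to have a valid semver` comment also does not say why `dev` yields a valid semver where `main` does not; naming the tagging convention behind it (presumably tags are cut on dev — verify) would save the next reader a trip through the git history.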
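Review bot: The new `let REPLACED_BRANCH_NAME = (GITHUB_REF_NAME || GITHUB_HEAD_REF)...` line reverses the precedence the removed block had: the old code used GITHUB_HEAD_REF whenever it was set (pull-request runs) and only otherwise fell back to GITHUB_REF_NAME. GITHUB_REF_NAME is populated on every Actions run (for pull_request triggers it is the merge ref, e.g. `12/merge`), so the right-hand side of `||` is never reached and PR builds are versioned from the merge ref instead of the head branch. Swapping the operands restores the old behaviour, `let REPLACED_BRANCH_NAME = (GITHUB_HEAD_REF || GITHUB_REF_NAME).replace(/[^a-zA-Z0-9]/g, '-')`, and the deleted `// if run is triggerd by a pull request use GITHUB_HEAD_REF` comment is worth keeping above it. Separately, `if (REPLACED_BRANCH_NAME == 'main')` should compare with `===`, and the new `// use semver if branch name is not a valid semver` comment does not describe the two assignments under it, which unconditionally prefix NEXT / NEXT_STRICT with a dash. The script step this code belongs to begins and ends outside the hunk.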
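Review bot: The bumped `uses: requarks/changelog-action@v1.8.1` still references a mutable tag, so the release job executes whatever commit that tag points to at run time while holding `github.token`; pinning to the full commit SHA with the version kept as a trailing comment, `uses: requarks/changelog-action@<commit-sha> # v1.8.1`, makes this bump reproducible and reviewable against the upstream release. The same hardening applies to `ietf-tools/semver-action@v1.5.1` in the first hunk, which is context here but carries the same token.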
diff --git a/Makefile b/Makefile
index 6dc0f5b..9645173 100644
--- a/Makefile
+++ b/Makefile
@@ -137,7 +137,7 @@ PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 docker-buildx: test create-buildx ## Build and push docker image for the manager for cross-platform support
 # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
- - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} --cache-to type=registry,ref=${IMAGE_TAG_BASE}:cache,oci-mediatypes=true,compression=zstd,mode=max --cache-from type=registry,ref=${IMAGE_TAG_BASE}:cache -f Dockerfile.cross .
+ docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} --cache-to type=registry,ref=${IMAGE_TAG_BASE}:cache,oci-mediatypes=true,compression=zstd,mode=max --cache-from type=registry,ref=${IMAGE_TAG_BASE}:cache -f Dockerfile.cross .
 rm Dockerfile.cross
 ##@ Deployment
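Review bot: Dropping the leading `-` on the `docker buildx build` recipe line is the right change (a failed build or push no longer leaves the target green), but it also means the following `rm Dockerfile.cross` no longer runs on failure, so the generated `Dockerfile.cross` is left behind in the working tree. Keeping the cleanup on the failure path, `docker buildx build … -f Dockerfile.cross . || { rm -f Dockerfile.cross; exit 1; }`, preserves the new strictness without the leftover file. The same applies to the `bundle-buildx` hunk and its `bundle.Dockerfile.cross`.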
@@ -214,7 +214,7 @@ bundle-push: ## Push the bundle image.
 bundle-buildx: test create-buildx ## Build and push docker image for the manager for cross-platform support
 # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' bundle.Dockerfile > bundle.Dockerfile.cross
- - docker buildx build --push --platform=$(PLATFORMS) --tag ${BUNDLE_IMG} --cache-to type=registry,ref=${IMAGE_TAG_BASE}-bundle:cache,oci-mediatypes=true,compression=zstd,mode=max --cache-from type=registry,ref=${IMAGE_TAG_BASE}-bundle:cache -f bundle.Dockerfile.cross .
+ docker buildx build --push --platform=$(PLATFORMS) --tag ${BUNDLE_IMG} --cache-to type=registry,ref=${IMAGE_TAG_BASE}-bundle:cache,oci-mediatypes=true,compression=zstd,mode=max --cache-from type=registry,ref=${IMAGE_TAG_BASE}-bundle:cache -f bundle.Dockerfile.cross .
 rm bundle.Dockerfile.cross
 .PHONY: create-buildx
diff --git a/hack/role.yaml b/hack/role.yaml
new file mode 100644
index 0000000..f6ba4e6
--- /dev/null
+++ b/hack/role.yaml
@@ -0,0 +1,53 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: buildah
+spec:
+ privileged: false # Don't allow privileged pods!
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ runAsUser:
+ rule: MustRunAsNonRoot
+ volumes:
+ - configMap
+ - projected
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ allowedCapabilities:
+ - SETGID
+ - SETUID
+ seLinux:
+ rule: RunAsAny
+ ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: buildah
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - buildah
+ ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: buildah
+roleRef:
+ kind: ClusterRole
+ name: buildah
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ # Authorize all service accounts in a namespace (recommended):
+ - kind: Group
+ name: system:serviceaccounts
+ apiGroup: rbac.authorization.k8s.io
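Review bot: The RoleBinding at the end of the new file has no `metadata.namespace`, so the `use` grant on the buildah PSP goes to `system:serviceaccounts` of whichever namespace the manifest happens to be applied in; adding `namespace: <target-namespace>` under the RoleBinding's `metadata:` makes the scope of the grant explicit instead of depending on the caller's kubectl context. `apiVersion: policy/v1beta1` with `kind: PodSecurityPolicy` was removed from Kubernetes in v1.25 (deprecated since v1.21), so this manifest only applies on older clusters, and a header comment naming the supported cluster version and the job the policy is for (presumably the buildah-based image build, given the name — verify) would save the next reader a failed apply. The `# Authorize all service accounts in a namespace (recommended):` comment reads as inherited from the upstream PSP example; stating which service account actually needs the policy, or binding to that account instead of the whole group, would make the scope a deliberate choice rather than a copied default.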