From 8f781acff4e44afdacd739f5918c8fc2ca2d770a Mon Sep 17 00:00:00 2001
From: Rafael <32229014+rafaelbreno@users.noreply.github.com>
Date: Fri, 7 Nov 2025 12:04:41 -0300
Subject: [PATCH] [main] Add Prime assets upload (#13160)

* Add Prime assets upload

Signed-off-by: Rafael Breno

* fixes

Signed-off-by: Rafael Breno

---------

Signed-off-by: Rafael Breno
---
 .github/workflows/release.yml | 70 +++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7dadd186b9b..bf9a8305513 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 permissions:
   contents: read
   packages: read
+  id-token: write
 
 jobs:
   build-amd64:
@@ -42,6 +43,24 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Read registry secrets (staging)
+        uses: rancher-eio/read-vault-secrets@main
+        if: ${{ github.event.release.prerelease && github.repository_owner == 'k3s-io' }}
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials registry | REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials username | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials password | REGISTRY_PASSWORD
+
+      - name: Read registry secrets (prime)
+        uses: rancher-eio/read-vault-secrets@main
+        if: ${{ ! github.event.release.prerelease && github.repository_owner == 'k3s-io' }}
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials registry | REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials username | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials password | REGISTRY_PASSWORD
+
       - name: "Read Vault secrets"
         if: github.repository_owner == 'k3s-io'
         uses: rancher-eio/read-vault-secrets@main
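Review bot: `id-token: write` is added at workflow level, so every job without its own `permissions:` block — including ones that never call Vault — gains the ability to mint OIDC tokens; granting it per job on the jobs that run `rancher-eio/read-vault-secrets` keeps the others at the existing `contents: read` / `packages: read`. Note also that a job-level `permissions:` block replaces the workflow-level one instead of extending it, so the `upload-release-assets` job, which declares its own `permissions:` (visible as context in the hunk at old line 184), does not inherit this grant and its new Vault step needs `id-token: write` in that block; the block's contents are outside this diff, so please confirm. The `permissions:` and `jobs:` mappings both continue outside the hunk.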
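Review bot: Both new Vault steps use `rancher-eio/read-vault-secrets@main`, a moving branch ref, for the action that fetches registry credentials and exports them into the job's `env` (the later `Login to Prime Registry` step reads `env.REGISTRY_PASSWORD`); pinning to a full commit SHA, `uses: rancher-eio/read-vault-secrets@<commit-sha>`, stops an upstream push to that branch from changing how these secrets are handled without review. The pre-existing `Read Vault secrets` step has the same unpinned ref, so it would be consistent to pin all three together. A one-line comment above the pair, `# exactly one of these runs for k3s-io; REGISTRY* stay unset elsewhere`, would make the staging/prime split and the unset-on-fork case explicit for the later steps that consume these values. The `steps:` list of `build-amd64` continues outside the hunk.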
@@ -65,6 +84,14 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
+      - name: Login to Prime Registry
+        if: github.repository_owner == 'k3s-io'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.REGISTRY_USERNAME }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -105,6 +132,7 @@ jobs:
           images: |
             ghcr.io/${{ github.repository_owner }}/k3s
             docker.io/${{ env.DOCKERHUB_ORG }}/k3s
+            ${{ env.REGISTRY }}/rancher/k3s
           flavor: latest=false
           tags: ${{ steps.tag_config.outputs.tag_spec }}
 
@@ -145,6 +173,21 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
+      - name: Read Prime artifacts secrets
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials secretAccessKey | AWS_SECRET_ACCESS_KEY ;
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME
+
+      - name: Configure AWS Credentials (s3)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -184,6 +227,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Upload Assets
+        env:
+          S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }}
+        run: |
+          aws s3 sync dist/artifacts/ "$S3_PATH" --quiet --no-progress --exclude "*" --include "k3s-images.txt" --include "k3s-airgap-images*"
+
   upload-release-assets:
     name: Prepare and Upload Release Assets
     permissions:
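Review bot: The new `${{ env.REGISTRY }}/rancher/k3s` entry in `images:` is unconditional, while `REGISTRY` is only set by the Vault steps that run when `github.repository_owner == 'k3s-io'`; in any other repository the line renders as `/rancher/k3s`, which will most likely make metadata-action emit an invalid image reference and fail the build instead of skipping the Prime push. One way to keep the block scalar is `${{ github.repository_owner == 'k3s-io' && format('{0}/rancher/k3s', env.REGISTRY) || '' }}`, which yields an empty line otherwise — check that metadata-action ignores blank entries in `images`, which I believe it does; the alternative is a separate, guarded metadata/push step. The metadata step's `with:` mapping continues outside the hunk.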
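Review bot: `Read Prime artifacts secrets` and `Configure AWS Credentials (s3)` carry no `if: github.repository_owner == 'k3s-io'` guard, unlike every other Vault step in this file, so in a fork the OIDC exchange with Vault fails and the job errors out rather than skipping; the same gap is in the duplicate steps of the hunk at old line 194 and in both `Upload Assets` steps (hunks at old lines 184 and 225), which would otherwise target `s3:///k3s/<tag>` with an empty bucket name. Adding `if: github.repository_owner == 'k3s-io'` to each of those steps restores the behaviour the rest of the workflow follows. Separately, since the workflow now holds `id-token: write`, `aws-actions/configure-aws-credentials@v4` could use `role-to-assume:` with OIDC instead of a static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair kept in Vault, removing a long-lived credential — that depends on the AWS account trusting GitHub's OIDC provider and is outside this diff. The job's `steps:` list continues outside the hunk.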
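Review bot: `S3_PATH` routes `github.event.release.tag_name` through an `env:` entry and the shell sees only the quoted `"$S3_PATH"`, which is the right way to keep release metadata out of shell parsing; it deserves a comment so a later edit does not inline it, e.g. `# tag_name goes through env, not into the run line, so it is never shell-parsed`. `aws s3 sync` without `--delete` adds or overwrites objects under the tag prefix but never removes previously uploaded files, so a re-run of the release leaves stale objects in place — say so in the comment if that is intended. `--quiet` also drops the per-object log, which makes it harder to confirm afterwards which files reached the bucket; consider keeping the output. The enclosing `steps:` list of this job continues outside the hunk.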
@@ -194,6 +243,21 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
+      - name: Read Prime artifacts secrets
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials secretAccessKey | AWS_SECRET_ACCESS_KEY ;
+            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME
+
+      - name: Configure AWS Credentials (s3)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
       - name: "Download Binaries and Airgap sha256sum"
         uses: actions/download-artifact@v6
         with:
@@ -225,6 +289,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Upload Assets
+        env:
+          S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }}
+        run: |
+          aws s3 sync dist/artifacts/ "$S3_PATH" --quiet --no-progress --exclude "*" --include "k3s*" --include "sha256sum*"
+
   dispatch-k3s-upgrade:
     name: Dispatch k3s-upgrade Workflow
     runs-on: ubuntu-latest
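Review bot: The Vault and AWS credential steps are placed directly after checkout, well before the `Upload Assets` step in the hunk at old line 225 that consumes them, so the static AWS keys sit in the job environment while the artifact download and release-asset steps — and the third-party actions they invoke — run; moving both steps to immediately precede the upload narrows which steps execute with those secrets available. The same ordering applies in the hunk at old line 145, where they precede Buildx setup and the build itself. The job's `steps:` list continues outside the hunk.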