Fix release pipeline (#1363)

Signed-off-by: Kemal Akkoyun <[email protected]>
parca-dev · Jul 14, 2022 · ffa8368 · ffa8368
1 parent 5dd4744
commit ffa8368
Show file tree

Hide file tree

Showing 7 changed files with 124 additions and 91 deletions.
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -39,17 +39,11 @@ jobs:
             ]
           skip_after_successful_duplicate: false
 
-  build-container:
-    name: Container build and push (when merged)
+  build-binary:
+    name: Build binary using goreleaser
     needs: skip-check
-    if: ${{ needs.skip-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
-
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
+    if: ${{ needs.skip-check.outputs.should_skip != 'true' }}
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
@@ -71,25 +65,68 @@ jobs:
         run: |
           echo "goreleaser_current_tag=`git describe --match 'v*' --tags`" >> $GITHUB_ENV
 
+      - name: Get branch name
+        shell: bash
+        run: echo "GITHUB_BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
+
       - name: Build binaries
         uses: goreleaser/goreleaser-action@68acf3b1adf004ac9c2f0a4259e85c5f66e99bef # tag=v3.0.0
         with:
           distribution: goreleaser
           version: ${{ env.GORELEASER_VERSION }}
-          args: build --rm-dist --skip-validate --snapshot
+          args: build --rm-dist --skip-validate --snapshot --debug
         env:
           GORELEASER_CURRENT_TAG: "${{ env.goreleaser_current_tag }}"
 
+      - name: Archive generated artifacts
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        with:
+          name: parca-dist-container
+          if-no-files-found: error
+          path: |
+            dist
+            !dist/*.txt
+
+  build-and-push-container:
+    name: Container build and push (when merged)
+    needs: build-binary
+    runs-on: ubuntu-latest
+    container:
+      # https://github.com/containers/podman/tree/main/contrib/podmanimage
+      # Specifying SHA repeatedly fails:
+      # @sha256:421ac576cebff98e90c531e7b9ce4482370ecc7cee59abc2341714031bfb5f43
+      image: quay.io/containers/podman:v4.1.1
+      options: >-
+        --device /dev/fuse:rw
+        --privileged
+        --security-opt label=disable
+        --security-opt seccomp=unconfined
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+    steps:
+      - name: Install dependencies
+        run: dnf install --assumeyes --repo fedora git make jq
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1
+        with:
+          go-version-file: .go-version
+          check-latest: true
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: parca-dist-container
+          path: dist
+
       - name: Get branch name
         shell: bash
         run: echo "GITHUB_BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
 
-      # To build multi-arch images, see also: https://github.com/redhat-actions/buildah-build#multi-arch-builds
-      - name: Install QEMU dependency
-        run: |
-          sudo apt-get update -y
-          sudo apt-get install -y binfmt-support qemu-user-static
-
       - name: Build container
         run: make container
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ permissions:
   contents: write
 
 jobs:
-  binary:
+  release:
     runs-on: ubuntu-latest
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
@@ -46,10 +46,19 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Archive generated artifacts
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        with:
+          name: parca-dist-release
+          if-no-files-found: error
+          path: |
+            dist
+            !dist/*.txt
+
   manifests:
     name: Generate and release Kubernetes Manifests
     runs-on: ubuntu-latest
-    needs: binary
+    needs: release
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
@@ -58,7 +67,6 @@ jobs:
         with:
           go-version-file: .go-version
           check-latest: true
-          cache: true
 
       - name: Set up Jsonnet
         run: ./env-jsonnet.sh
@@ -101,30 +109,60 @@ jobs:
   container:
     name: Build and release container images
     runs-on: ubuntu-latest
-    needs: binary
-
+    needs: release
+    container:
+      # https://github.com/containers/podman/tree/main/contrib/podmanimage
+      # Specifying SHA repeatedly fails:
+      # @sha256:421ac576cebff98e90c531e7b9ce4482370ecc7cee59abc2341714031bfb5f43
+      image: quay.io/containers/podman:v4.1.1
+      options: >-
+        --device /dev/fuse:rw
+        --privileged
+        --security-opt label=disable
+        --security-opt seccomp=unconfined
     permissions:
       id-token: write
       packages: write
       contents: read
 
     steps:
-      - name: Install cosign
-        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 # tag=v2.4.1
-
-      - name: Install crane
-        uses: imjasonh/setup-crane@5146f708a817ea23476677995bf2133943b9be0b # tag=v0.1
+      - name: Install dependencies
+        run: dnf install --assumeyes --repo fedora git make jq
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
+      - name: Set up Go
+        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1
+        with:
+          go-version-file: .go-version
+          check-latest: true
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: parca-dist-release
+          path: dist
+
+      - name: Get branch name
+        shell: bash
+        run: echo "GITHUB_BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
+
       - name: Build container
         run: make container
 
+      - name: Check images created
+        run: podman images | grep 'ghcr.io/parca-dev/parca'
+
       - name: Login to registry
         run: |
           echo "${{ secrets.PERSONAL_ACCESS_TOKEN }}" | podman login -u parca-dev --password-stdin ghcr.io
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 # tag=v2.4.1
+
+      - name: Install crane
+        uses: imjasonh/setup-crane@5146f708a817ea23476677995bf2133943b9be0b # tag=v0.1
+
       - name: Push container
         run: |
           make push-container

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -57,48 +57,3 @@ changelog:
     exclude:
       - '^docs:'
       - '^test:'
-
-# It's still not possible to use docker (buildx) for reproducible builds.
-# And Goreleaser only supports podman with pro version, (https://goreleaser.com/customization/docker/#podman)
-# for full build pipeline transparency, we don't want to use pro version for Parca.
-
-#dockers:
-#  # https://goreleaser.com/customization/docker/
-#  - id: amd64
-#    use: buildx
-#    image_templates:
-#      - parca-dev/{{ .ProjectName }}:{{ .Version }}-amd64
-#      - parca-dev/{{ .ProjectName }}:latest-amd64
-#    dockerfile: Dockerfile
-#    extra_files:
-#      - parca.yaml
-#    build_flag_templates:
-#      - --platform=linux/amd64
-#      - --label=org.opencontainers.image.title={{ .ProjectName }}
-#      - --label=org.opencontainers.image.description={{ .ProjectName }}
-#      - --label=org.opencontainers.image.url=https://github.com/parca-dev/{{ .ProjectName }}
-#      - --label=org.opencontainers.image.source=https://github.com/parca-dev/{{ .ProjectName }}
-#      - --label=org.opencontainers.image.created={{.CommitDate}}
-#      - --label=org.opencontainers.image.version={{ .Version }}
-#      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-#      - --label=org.opencontainers.image.licenses=Apache-2.0
-#
-#  - id: arm64
-#    use: buildx
-#    image_templates:
-#      - parca-dev/{{ .ProjectName }}:{{ .Version }}-arm64v8
-#      - parca-dev/{{ .ProjectName }}:latest-arm64v8
-#    goarch: arm64
-#    dockerfile: Dockerfile
-#    extra_files:
-#      - parca.yaml
-#    build_flag_templates:
-#      - --platform=linux/arm64/v8
-#      - --label=org.opencontainers.image.title={{ .ProjectName }}
-#      - --label=org.opencontainers.image.description={{ .ProjectName }}
-#      - --label=org.opencontainers.image.url=https://github.com/parca-dev/{{ .ProjectName }}
-#      - --label=org.opencontainers.image.source=https://github.com/parca-dev/{{ .ProjectName }}
-#      - --label=org.opencontainers.image.version={{ .Version }}
-#      - --label=org.opencontainers.image.created={{.CommitDate}}
-#      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-#      - --label=org.opencontainers.image.licenses=Apache-2.0
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,31 @@
-FROM docker.io/golang:1.18.4-alpine@sha256:46f1fa18ca1ec228f7ea4978ad717f0a8c5e51436e7b8efaf64011f7729886df AS builder
-RUN mkdir /.cache && chown nobody:nogroup /.cache && touch -t 202101010000.00 /.cache
+FROM --platform="${BUILDPLATFORM:-linux/amd64}" docker.io/golang:1.18.4-alpine@sha256:46f1fa18ca1ec228f7ea4978ad717f0a8c5e51436e7b8efaf64011f7729886df AS builder
+RUN mkdir /.cache && touch -t 202101010000.00 /.cache
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+ARG TARGETVARIANT
 
 # renovate: datasource=go depName=github.com/grpc-ecosystem/grpc-health-probe
 ARG GRPC_HEALTH_PROBE_VERSION=v0.4.11
 
-WORKDIR /app
-
 RUN go install "github.com/grpc-ecosystem/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}"
 # Predicatable path for copying over to final image
 RUN if [ "$(go env GOHOSTARCH)" != "$(go env GOARCH)" ]; then \
         mv "$(go env GOPATH)/bin/$(go env GOOS)_$(go env GOARCH)/grpc-health-probe" "$(go env GOPATH)/bin/grpc-health-probe"; \
     fi
 
+WORKDIR /app
 COPY ./dist /app/dist
+
 RUN if [ "amd64" = "$(go env GOARCH)" ]; then \
         cp "dist/parca_$(go env GOOS)_$(go env GOARCH)_$(go env GOAMD64)/parca" parca; \
     else \
         cp "dist/parca_$(go env GOOS)_$(go env GOARCH)/parca" parca; \
     fi
 
-FROM docker.io/alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1acc53015037c AS runner
+RUN chmod +x parca
+
+FROM --platform="${TARGETPLATFORM:-linux/amd64}"  docker.io/alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1acc53015037c AS runner
 
 USER nobody
 

diff --git a/Makefile b/Makefile
@@ -1,4 +1,3 @@
-CMD_DOCKER ?= docker
 CMD_GIT ?= git
 SHELL := /usr/bin/env bash
 ifeq (,$(shell go env GOBIN))
@@ -139,7 +138,10 @@ container-dev:
 
 .PHONY: container
 container:
-	./scripts/make-containers.sh $(OUT_DOCKER):$(VERSION)
+	podman build \
+		--platform linux/amd64,linux/arm64 \
+		--timestamp 0 \
+		--manifest $(OUT_DOCKER):$(VERSION) .
 
 .PHONY: push-container
 push-container:
@@ -190,3 +192,11 @@ endif
 
 README.md: embedmd tmp/help.txt
 	$(EMBEDMD) -w README.md
+
+.PHONY: release-dry-run
+release-dry-run:
+	goreleaser release --rm-dist --auto-snapshot --skip-validate --skip-publish --debug
+
+.PHONY: release-build
+release-build:
+	goreleaser build --rm-dist --skip-validate --snapshot --debug
diff --git a/pkg/debuginfo/release.md b/pkg/debuginfo/release.md
diff --git a/scripts/make-containers.sh b/scripts/make-containers.sh