Update release workflows post-migration (#2120)

* Fix to trigger extracted release workflows

* Fix input descriptions

* Add tool installation steps

* Fix indentation

* Fix token passing

* Fix release tag name reference

* Fix release tag name reference

* Fix release tag name

* Update publish-canary workflow

* Update workflows

* Fix target org

* Add push to registries flag

* Update publish-chart

* Add job summary to publish-arc

* Enhance summary message

* Add publish canary workflow

* Remove backticks

* Fix variable

* Fix index.yaml location and add job summary

* Fix publish chart workflow

* Enhance job summary for publish-chart

* Enhance chart version identification and fix chart upload

* Fix cr index

* Fix cr index and add comments

* Fix comment

* Pin marketplace actions

* Remove 3rd party action

* Add comments, parametrise where needed

* Add release process brief

* Change target repo

* Removing failsafe

* Removing failsafe

* Replace DOCKER_USER with DOCKERHUB_USERNAME

.github/workflows/publish-arc.yaml

@@ -1,21 +1,34 @@
 name: Publish ARC
 
+# Revert to https://github.com/actions-runner-controller/releases#releases
+# for details on why we use this approach
 on:
   release:
     types:
       - published
+  workflow_dispatch:
+    inputs:
+      release_tag_name:
+        description: 'Tag name of the release to publish'
+        required: true
+      push_to_registries:
+        description: 'Push images to registries'
+        required: true
+        type: boolean
+        default: false
 
-# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
  contents: write 
  packages: write
 
+env:
+  TARGET_ORG: actions-runner-controller
+  TARGET_REPO: actions-runner-controller
+
 jobs:
   release-controller:
     name: Release
     runs-on: ubuntu-latest
-    env:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USER }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -35,36 +48,45 @@ jobs:
           tar zxvf ghr_v0.13.0_linux_amd64.tar.gz
           sudo mv ghr_v0.13.0_linux_amd64/ghr /usr/local/bin
 
-      - name: Set version
-        run: echo "VERSION=$(cat ${GITHUB_EVENT_PATH} | jq -r '.release.tag_name')" >> $GITHUB_ENV
-
       - name: Upload artifacts
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           make github-release
 
-      - name: Setup Docker Environment
+      - name: Get Token
-        uses: ./.github/actions/setup-docker-environment
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
         with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
+          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
-          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
-          ghcr_username: ${{ github.actor }}
+          organization: ${{ env.TARGET_ORG }}
-          ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and Push
+      - name: Set release tag name
-        uses: docker/build-push-action@v3
+        run: |
-        with:
+          # Define the release tag name based on the event type
-          file: Dockerfile
+          if [[ "${{ github.event_name }}" == "release" ]]; then
-          platforms: linux/amd64,linux/arm64
+            echo "RELEASE_TAG_NAME=$(cat ${GITHUB_EVENT_PATH} | jq -r '.release.tag_name')" >> $GITHUB_ENV
-          build-args: VERSION=${{ env.VERSION }}
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-          push: true
+            echo "RELEASE_TAG_NAME=${{ github.event.inputs.release_tag_name }}" >> $GITHUB_ENV
-          tags: |
+          fi
-            ${{ env.DOCKERHUB_USERNAME }}/actions-runner-controller:latest
+
-            ${{ env.DOCKERHUB_USERNAME }}/actions-runner-controller:${{ env.VERSION }}
+      - name: Trigger Build And Push Images To Registries
-            ${{ env.DOCKERHUB_USERNAME }}/actions-runner-controller:${{ env.VERSION }}-${{ env.sha_short }}
+        run: |
-            ghcr.io/actions-runner-controller/actions-runner-controller:latest
+          # Authenticate
-            ghcr.io/actions-runner-controller/actions-runner-controller:${{ env.VERSION }}
+          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
-            ghcr.io/actions-runner-controller/actions-runner-controller:${{ env.VERSION }}-${{ env.sha_short }}
+
-          cache-from: type=gha
+          # Trigger the workflow run
-          cache-to: type=gha,mode=max
+          jq -n '{"event_type": "arc", "client_payload": {"release_tag_name": "${{ env.RELEASE_TAG_NAME }}", "push_to_registries": ${{ inputs.push_to_registries }}}}' \
+            | gh api -X POST /repos/actions-runner-controller/releases/dispatches --input -
+
+      - name: Job summary
+        run: |
+          echo "The [publish-arc](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/publish-arc.yaml) workflow has been triggered!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
+          echo "- Release tag: ${{ env.RELEASE_TAG_NAME }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Push to registries: ${{ inputs.push_to_registries }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "[https://github.com/actions-runner-controller/releases/actions/workflows/publish-arc.yaml](https://github.com/actions-runner-controller/releases/actions/workflows/publish-arc.yaml)" >> $GITHUB_STEP_SUMMARY

.github/workflows/publish-canary.yaml

@@ -1,5 +1,7 @@
 name: Publish Canary Image
 
+# Revert to https://github.com/actions-runner-controller/releases#releases
+# for details on why we use this approach
 on:
   push:
     branches:
@@ -19,41 +21,50 @@ on:
       - 'LICENSE'
       - 'Makefile'
 
+env:
+  # Safeguard to prevent pushing images to registeries after build
+  PUSH_TO_REGISTRIES: true
+  TARGET_ORG: actions-runner-controller
+  TARGET_REPO: actions-runner-controller
+
 # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
 permissions:
   contents: read
-  packages: write
 
 jobs:
   canary-build:
     name: Build and Publish Canary Image
     runs-on: ubuntu-latest
     env:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USER }}
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Setup Docker Environment
+      - name: Get Token
-        id: vars
+        id: get_workflow_token
-        uses: ./.github/actions/setup-docker-environment
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
         with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
+          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
-          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
-          ghcr_username: ${{ github.actor }}
+          organization: ${{ env.TARGET_ORG }}
-          ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Considered unstable builds
+      - name: Trigger Build And Push Images To Registries
-      # See Issue #285, PR #286, and PR #323 for more information
+        run: |
-      - name: Build and Push
+          # Authenticate
-        uses: docker/build-push-action@v3
+          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
-        with:
+
-          file: Dockerfile
+          # Trigger the workflow run
-          platforms: linux/amd64,linux/arm64
+          jq -n '{"event_type": "canary", "client_payload": {"sha": "${{ github.sha }}", "push_to_registries": ${{ env.PUSH_TO_REGISTRIES }}}}' \
-          build-args: VERSION=canary-${{ github.sha }}
+            | gh api -X POST /repos/actions-runner-controller/releases/dispatches --input -
-          push: true
+
-          tags: |
+      - name: Job summary
-            ${{ env.DOCKERHUB_USERNAME }}/actions-runner-controller:canary
+        run: |
-            ghcr.io/${{ github.repository }}:canary
+          echo "The [publish-canary](https://github.com/actions-runner-controller/releases/blob/main/.github/workflows/publish-canary.yaml) workflow has been triggered!" >> $GITHUB_STEP_SUMMARY
-          cache-from: type=gha,scope=arc-canary
+          echo "" >> $GITHUB_STEP_SUMMARY
-          cache-to: type=gha,mode=max,scope=arc-canary
+          echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
+          echo "- sha: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Push to registries: ${{ env.PUSH_TO_REGISTRIES }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "[https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml](https://github.com/actions-runner-controller/releases/actions/workflows/publish-canary.yaml)" >> $GITHUB_STEP_SUMMARY

.github/workflows/publish-chart.yaml

@@ -1,5 +1,7 @@
 name: Publish Helm Chart
 
+# Revert to https://github.com/actions-runner-controller/releases#releases
+# for details on why we use this approach
 on:
   push:
     branches:
@@ -86,20 +88,31 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: ct install --config charts/.ci/ct-config.yaml
 
-      # WARNING: This relies on the latest release being inat the top of the JSON from GitHub and a clean chart.yaml
+      # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml
       - name: Check if Chart Publish is Needed
         id: publish-chart-step
         run: |
-          CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/actions/actions-runner-controller/master/charts/actions-runner-controller/Chart.yaml)
+          CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml)
           NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2)
-          RELEASE_LIST=$(curl -fs https://api.github.com/repos/actions/actions-runner-controller/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
+          RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases  | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4)
           LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1)
-          echo "Chart version in master : $NEW_CHART_VERSION"
+          echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV
-          echo "Latest release chart version : $LATEST_RELEASED_CHART_VERSION"
+          echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV
           if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION ]]; then
-            echo "::set-output name=publish::true"
+            echo "publish=true" >> $GITHUB_OUTPUT
+          else
+            echo "publish=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Job summary
+        run: |
+          echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY
+          echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY
+          echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY
+
   publish-chart:
     if: needs.lint-chart.outputs.publish-chart == 'true'
     needs: lint-chart
@@ -107,8 +120,11 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write  # for helm/chart-releaser-action to push chart release and create a release
+    env:
+      CHART_TARGET_ORG: actions-runner-controller
+      CHART_TARGET_REPO: actions-runner-controller.github.io
+      CHART_TARGET_BRANCH: main
     
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -120,8 +136,68 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      - name: Run chart-releaser
+      - name: Get Token
-        uses: helm/chart-releaser-action@v1.4.1
+        id: get_workflow_token
-        env:
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
+          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
+          organization: ${{ env.CHART_TARGET_ORG }}
 
+      - name: Install chart-releaser
+        uses: helm/chart-releaser-action@v1.4.1
+        with:
+          install_only: true
+          install_dir: ${{ github.workspace }}/bin
+
+      - name: Package and upload release assets
+        run: |
+          cr package \
+            ${{ github.workspace }}/charts/actions-runner-controller/ \
+            --package-path .cr-release-packages
+
+          cr upload \
+            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+            --package-path .cr-release-packages \
+            --token ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate updated index.yaml
+        run: |
+          cr index \
+            --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \
+            --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \
+            --index-path ${{ github.workspace }}/index.yaml \
+            --pages-branch 'gh-pages' \
+            --pages-index-path 'index.yaml'
+
+      # Chart Release was never intended to publish to a different repo
+      # this workaround is intended to move the index.yaml to the target repo
+      # where the github pages are hosted
+      - name: Checkout pages repository
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
+          path: ${{ env.CHART_TARGET_REPO }}
+          ref: ${{ env.CHART_TARGET_BRANCH }}
+          token: ${{ steps.get_workflow_token.outputs.token }}
+
+      - name: Copy index.yaml
+        run: |
+          cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml
+      
+      - name: Commit and push
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git add .
+          git commit -m "Update index.yaml"
+          git push
+        working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }}
+
+      - name: Job summary
+        run: |
+          echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Status:**" >> $GITHUB_STEP_SUMMARY
+          echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/main/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY

.github/workflows/runners.yaml

@@ -1,5 +1,7 @@
 name: Runners
 
+# Revert to https://github.com/actions-runner-controller/releases#releases
+# for details on why we use this approach
 on:
   pull_request:
     types:
@@ -25,97 +27,36 @@ on:
       - '!**.md'
 
 env:
+  # Safeguard to prevent pushing images to registeries after build  
+  PUSH_TO_REGISTRIES: true
+  TARGET_ORG: actions-runner-controller
+  TARGET_WORKFLOW: release-runners.yaml
   RUNNER_VERSION: 2.299.1
   DOCKER_VERSION: 20.10.21
   RUNNER_CONTAINER_HOOKS_VERSION: 0.1.3
-  DOCKERHUB_USERNAME: summerwind
 
 jobs:
   build-runners:
-    name: Build ${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }}
+    name: Trigger Build and Push of Runner Images
     runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - name: actions-runner
-            os-name: ubuntu
-            os-version: 20.04
-            latest: "true"
-          - name: actions-runner
-            os-name: ubuntu
-            os-version: 22.04
-            latest: "false"
-          - name: actions-runner-dind
-            os-name: ubuntu
-            os-version: 20.04
-            latest: "true"
-          - name: actions-runner-dind
-            os-name: ubuntu
-            os-version: 22.04
-            latest: "false"
-          - name: actions-runner-dind-rootless
-            os-name: ubuntu
-            os-version: 20.04
-            latest: "true"
-          - name: actions-runner-dind-rootless
-            os-name: ubuntu
-            os-version: 22.04
-            latest: "false"
-
     steps:
-      - name: Checkout
+      - name: Get Token
-        uses: actions/checkout@v3
+        id: get_workflow_token
-
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
-      - name: Setup Docker Environment
-        uses: ./.github/actions/setup-docker-environment
         with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
+          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
-          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
-          ghcr_username: ${{ github.actor }}
+          organization: ${{ env.TARGET_ORG }}
-          ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and Push Versioned Tags
+      - name: Trigger Build And Push Runner Images To Registries
-        uses: docker/build-push-action@v3
+        run: |
-        with:
+          # Authenticate
-          context: ./runner
+          gh auth login --with-token <<< ${{ steps.get_workflow_token.outputs.token }}
-          file: ./runner/${{ matrix.name }}.${{ matrix.os-name }}-${{ matrix.os-version }}.dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-          build-args: |
-            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
-            DOCKER_VERSION=${{ env.DOCKER_VERSION }}
-            RUNNER_CONTAINER_HOOKS_VERSION=${{ env.RUNNER_CONTAINER_HOOKS_VERSION }}
-          tags: |
-            ${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}
-            ${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }}
-            ${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:${{ matrix.os-name }}-${{ matrix.os-version }}
-            ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}
-            ghcr.io/${{ github.repository }}/${{ matrix.name }}:v${{ env.RUNNER_VERSION }}-${{ matrix.os-name }}-${{ matrix.os-version }}-${{ env.sha_short }}
-            ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ matrix.os-name }}-${{ matrix.os-version }}
-          cache-from: type=gha,scope=build-${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }}
-          cache-to: type=gha,mode=max,scope=build-${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }}
 
-      # NOTE : Only to be used on the 20.04 image until we remove the latest tag entirely
+          # Trigger the workflow run
-      # at which point this step needs to be deleted
+          gh workflow run ${{ env.TARGET_WORKFLOW }} -R ${{ env.TARGET_ORG }}/releases \
-      # https://github.com/actions/actions-runner-controller/issues/2056
+            -f runner_version=${{ env.RUNNER_VERSION }} \
-      - name: Build and Push Latest Tags
+            -f docker_version=${{ env.DOCKER_VERSION }} \
-        if: ${{ matrix.latest == 'true' }}
+            -f runner_container_hooks_version=${{ env.RUNNER_CONTAINER_HOOKS_VERSION }} \
-        uses: docker/build-push-action@v3
+            -f sha='${{ github.sha }}' \
-        with:
+            -f push_to_registries=${{ env.PUSH_TO_REGISTRIES }}
-          context: ./runner
-          file: ./runner/${{ matrix.name }}.${{ matrix.os-name }}-${{ matrix.os-version }}.dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-          build-args: |
-            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
-            DOCKER_VERSION=${{ env.DOCKER_VERSION }}
-            RUNNER_CONTAINER_HOOKS_VERSION=${{ env.RUNNER_CONTAINER_HOOKS_VERSION }}
-          tags: |
-            ${{ env.DOCKERHUB_USERNAME }}/${{ matrix.name }}:latest
-            ghcr.io/${{ github.repository }}/${{ matrix.name }}:latest
-          cache-from: type=gha,scope=build-${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }}
-          cache-to: type=gha,mode=max,scope=build-${{ matrix.name }}-${{ matrix.os-name }}-${{ matrix.os-version }}

CONTRIBUTING.md

@@ -210,4 +210,10 @@ The process would look like the below:
 - Run `NAME=$DOCKER_USER/actions-runner-controller VERSION=canary make docker-build docker-push` for a custom container image build
 - Update your actions-runner-controller's controller-manager deployment to use the new image, `$DOCKER_USER/actions-runner-controller:canary`
 
-Please also note that you need to replace `$DOCKER_USER` with your own DockerHub account name.
+Please also note that you need to replace `$DOCKER_USER` with your own DockerHub account name.
+
+## Release process
+
+Only the maintainers can release a new version of actions-runner-controller, publish a new version of the helm charts, and runner images.
+
+All release workflows have been moved to [actions-runner-controller/releases](https://github.com/actions-runner-controller/releases) since the packages are owned by the former organization.