nightly release with gh actions

Author: anithapriyanatarajan

.github/workflows/nightly-builds.yaml

@@ -0,0 +1,192 @@
+name: Tekton Nightly Build
+
+on:
+  schedule:
+    # Run at 03:00 UTC daily
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+    inputs:
+      kubernetes_version:
+        description: 'Kubernetes version to test with'
+        required: false
+        default: 'v1.33.0'
+        type: choice
+        options:
+          - v1.33.0
+          - v1.32.0
+          - v1.31.0
+      dry_run:
+        description: 'Perform dry run (no actual publishing)'
+        required: false
+        default: false
+        type: boolean
+      nightly_bucket:
+        description: 'Nightly bucket for builds'
+        required: false
+        default: 'gs://tekton-releases-nightly/pipeline'
+        type: string
+  # uncomment the following to enable manual testing of the workflow
+  # push:
+  #   branches:
+  #     - test-rel
+  #   paths:
+  #     - '.github/workflows/nightly-builds.yaml'
+  #     - 'tekton/**'
+  #     - 'cmd/**'
+  #     - 'pkg/**'
+
+env:
+  KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.0' }}
+  REGISTRY: ghcr.io
+  DRY_RUN: ${{ inputs.dry_run || false }}
+
+  COMPONENT: pipeline
+
+  PACKAGE: github.com/${{ github.repository }}
+  GIT_ORG: ${{ github.repository_owner }}
+  GIT_REPO: ${{ github.event.repository.name }}
+  BUCKET: ${{ inputs.nightly_bucket || 'gs://anitha-tekton-nightly-test/pipeline' }}
+  IMAGE_REGISTRY_PATH: ${{ github.repository }}
+  IMAGE_REGISTRY_USER: ${{ github.actor }}
+
+jobs:
+  build:
+    name: Nightly Build (K8s ${{ inputs.kubernetes_version || 'v1.33.0' }})
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate version info
+        id: version
+        run: |
+          latest_sha=${{ github.sha }}
+          date_tag=$(date +v%Y%m%d-${latest_sha:0:7})
+          echo "version_tag=${date_tag}" >> "$GITHUB_OUTPUT"
+          echo "latest_sha=${latest_sha}" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Kind cluster
+        uses: helm/kind-action@v1.8.0
+        with:
+          node_image: kindest/node:${{ env.KUBERNETES_VERSION }}
+          cluster_name: tekton-nightly
+
+      - name: Set up Tekton
+        uses: tektoncd/actions/setup-tektoncd@main
+        with:
+          pipeline_version: latest
+          setup_registry: "true"
+          patch_etc_hosts: "true"
+
+      - name: Configure Tekton Git Resolver
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
+        run: |
+          kubectl create secret generic git-resolver-secret \
+            --from-literal=token="${GITHUB_TOKEN}" \
+            -n tekton-pipelines-resolvers || true
+
+          kubectl patch configmap resolvers-feature-flags -n tekton-pipelines-resolvers --patch='
+          data:
+            enable-git-resolver: "true"
+            enable-hub-resolver: "true"
+            enable-bundles-resolver: "true"
+            enable-cluster-resolver: "true"
+          ' || true
+
+          kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --patch='
+          data:
+            default-url: "https://github.com"
+            default-revision: "main"
+            fetch-timeout: "1m"
+            scm-type: "github"
+            server-url: "https://api.github.com"
+            api-token-secret-name: "git-resolver-secret"
+            api-token-secret-key: "token"
+          ' || true
+
+      - name: Install tkn CLI
+        uses: tektoncd/actions/setup-tektoncd-cli@main
+        with:
+          version: latest
+
+      - name: Apply Build Pipeline Definition
+        run: |
+          kubectl apply -f tekton/publish.yaml
+          kubectl apply -f tekton/release-pipeline.yaml
+
+      - name: Create secrets and PVC template
+        env:
+          GCS_SERVICE_ACCOUNT_KEY: ${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}
+          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
+        run: |
+          echo "${GCS_SERVICE_ACCOUNT_KEY}" > /tmp/gcs-key.json
+          kubectl create secret generic release-secret \
+            --from-file=release.json=/tmp/gcs-key.json
+          rm -f /tmp/gcs-key.json
+
+          kubectl create secret docker-registry ghcr-creds \
+            --docker-server=ghcr.io \
+            --docker-username=${{ github.actor }} \
+            --docker-password="${GHCR_TOKEN}" \
+            --docker-email=${{ github.actor }}@users.noreply.github.com
+
+          cat > workspace-template.yaml << EOF
+          spec:
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1Gi
+          EOF
+
+      - name: Start Tekton Build Pipeline
+        run: |
+          set -euo pipefail  # Exit on any error, undefined variables, or pipe failures
+
+          echo "Starting Tekton pipeline..."
+
+          PIPELINE_RUN=$(tkn pipeline start pipeline-release \
+            --param package="${{ env.PACKAGE }}" \
+            --param gitRevision="${{ steps.version.outputs.latest_sha }}" \
+            --param versionTag="${{ steps.version.outputs.version_tag }}" \
+            --param releaseBucket="${{ env.BUCKET }}" \
+            --param imageRegistry=${{ env.REGISTRY }} \
+            --param imageRegistryPath="${{ env.IMAGE_REGISTRY_PATH }}" \
+            --param imageRegistryUser="${{ env.IMAGE_REGISTRY_USER }}" \
+            --param imageRegistryRegions="" \
+            --param buildPlatforms="linux/amd64" \
+            --param publishPlatforms="linux/amd64" \
+            --param koExtraArgs="" \
+            --param serviceAccountPath=release.json \
+            --param serviceAccountImagesPath=.dockerconfigjson \
+            --param releaseAsLatest="false" \
+            --param runTests="false" \
+            --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
+            --workspace name=release-secret,secret=release-secret \
+            --workspace name=release-images-secret,secret=ghcr-creds \
+            --pipeline-timeout 2h \
+            --output name) || {
+            echo "Failed to start Tekton pipeline!"
+            exit 1
+          }
+
+          echo "Pipeline started: ${PIPELINE_RUN}"
+          tkn pipelinerun logs "${PIPELINE_RUN}" -f
+
+          # Check if pipeline succeeded
+          tkn pipelinerun describe "${PIPELINE_RUN}" --output jsonpath='{.status.conditions[?(@.type=="Succeeded")].status}' | grep -q "True" || {
+            echo "Pipeline failed!"
+            tkn pipelinerun describe "${PIPELINE_RUN}"
+            exit 1
+          }
+
+          echo "✅ Pipeline Run completed successfully!"

README.md

@@ -101,4 +101,4 @@ We are so excited to have you!
 - Look at our
   [good first issues](https://github.com/tektoncd/pipeline/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
   and our
-  [help wanted issues](https://github.com/tektoncd/pipeline/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+  [help wanted issues](https://github.com/tektoncd/pipeline/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)

tekton/README.md

@@ -46,6 +46,8 @@ consumers of a project. In that case we'll make a patch release. To make one:
 
 ## Nightly releases
 
+### Existing approach:
+
 [The nightly release pipeline](release-pipeline.yaml) is
 [triggered nightly by Tekton](https://github.com/tektoncd/plumbing/tree/main/tekton).
 
@@ -207,3 +209,57 @@ The image which we use for this is built from
 
 _[go-containerregistry#383](https://github.com/google/go-containerregistry/issues/383)
 is about publishing a `ko` image, which hopefully we'll be able to move it._
+
+### GitHub Action based approach:
+
+The GitHub Actions workflow provides an alternative approach for automated nightly releases with enhanced CI/CD capabilities and better integration with GitHub infrastructure.
+
+[The nightly release workflow](../.github/workflows/nightly-release.yaml) is triggered daily and uses:
+
+- [release-nightly-pipeline.yaml](release-nightly-pipeline.yaml) - Tekton Pipeline for nightly releases
+- [publish-nightly.yaml](publish-nightly.yaml) - Tekton Task for building and publishing nightly images
+
+#### Key Features:
+
+**Automated Scheduling:**
+- Runs daily at 03:00 UTC via cron schedule
+- Supports manual triggering with customizable parameters
+- Intelligent change detection - only releases when there are recent commits (configurable)
+
+**Multi-mode Operation:**
+- **Production mode**: For `tektoncd/pipeline` repository with full release capabilities
+- **Fork mode**: For testing in forks with isolated buckets and registries
+
+#### Usage:
+
+**Scheduled Release:**
+The workflow runs automatically every night and will create a release if:
+- There have been commits in the last 25 hours, OR
+- Force release is enabled, OR
+- It's manually triggered
+
+**Manual Release:**
+```bash
+# Trigger via GitHub UI or CLI
+gh workflow run nightly-release.yaml \
+  --field kubernetes_version=v1.33.0 \
+  --field force_release=true \
+  --field dry_run=false
+```
+
+**Fork Testing:**
+For testing in forks, the workflow automatically:
+- Uses a test bucket pattern: `gs://tekton-releases-nightly-{repo-owner}`
+- Publishes to `ghcr.io/{owner}/pipeline/*` instead of production registry
+- Skips certain production-only validations
+
+#### Output:
+
+The workflow generates:
+- Container images tagged with `vYYYYMMDD-{sha7}` format
+- Release YAML manifests uploaded to GCS bucket
+- Multi-architecture image support
+- Comprehensive build logs and artifacts
+
+This approach provides better observability, easier debugging, and more flexible configuration compared to the traditional Tekton-only pipeline approach.
+

tekton/publish.yaml

@@ -1,4 +1,4 @@
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: publish-release
@@ -16,15 +16,15 @@ spec:
       description: Extra args to be passed to ko
       default: "--preserve-import-paths"
     - name: versionTag
-      description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
+      description: Version tag (X.Y.Z for stable, vYYYYMMDD-abc1234 for nightly)
     - name: imageRegistry
       description: The target image registry
-      default: gcr.io
+      default: ghcr.io
     - name: imageRegistryPath
       description: The path (project) in the image registry
     - name: imageRegistryRegions
       description: The target image registry regions
-      default: "us eu asia"
+      default: ""
     - name: imageRegistryUser
       description: Username to be used to login to the container registry
       default: "_json_key"
@@ -41,9 +41,9 @@ spec:
       description: >-
         The workspace where the repo has been cloned. This should ideally
         be /go/src/$(params.package) however that is not possible today,
-        see https://github.com/tektoncd/pipeline/issues/3786. To use this
-        task on a fork of pipeline change the mountPath below
-      mountPath: /go/src/github.com/tektoncd/pipeline
+        see https://github.com/tektoncd/pipeline/issues/3786. For nightly builds
+        on forks, we use a more generic mount path that works across repositories.
+      mountPath: /go/src/repo
     - name: release-secret
       description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
     - name: output
@@ -73,23 +73,57 @@ spec:
   steps:
 
   - name: container-registry-auth
-    image: cgr.dev/chainguard/crane:latest-dev@sha256:430c7813147443b59185d79ce7f5d682698a9fc3072f100850dc3a04100c1d91
+    image: cgr.dev/chainguard/crane:latest-dev@sha256:68d9b984ee9cb5ff9cf7a779e8bdf3c2022f9042abfa1f0f5727a082a9429535
     script: |
       #!/bin/sh
       set -ex
 
-      # Login to the container registry
-      DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-        crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
-        sed -n 's,^.*logged in via \(.*\)$,\1,p')
+      # For GHCR (GitHub Container Registry), handle authentication differently
+      if [[ "$(params.imageRegistry)" == "ghcr.io" ]]; then
+        echo "🔍 Configuring authentication for GitHub Container Registry"
 
-      # Auth with account credentials for all regions.
-      for region in ${REGIONS}
-      do
-        HOSTNAME=${region}.$(params.imageRegistry)
-        cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
-      done
-      cp ${DOCKER_CONFIG} /workspace/docker-config.json
+        # For GHCR with Docker registry secrets, the secret structure is different
+        # Check if we have a .dockerconfigjson file (from kubectl create secret docker-registry)
+        if [[ -f "$(workspaces.release-secret.path)/.dockerconfigjson" ]]; then
+          echo "Using Docker registry secret format"
+          cp "$(workspaces.release-secret.path)/.dockerconfigjson" /workspace/docker-config.json
+        elif [[ -f "${CONTAINER_REGISTRY_CREDENTIALS}" ]]; then
+          # Check if it's a docker config.json or a simple token
+          if cat ${CONTAINER_REGISTRY_CREDENTIALS} | jq -r '.auths // empty' >/dev/null 2>&1; then
+            # It's a docker config.json, copy it directly
+            echo "Using docker config.json format"
+            cp ${CONTAINER_REGISTRY_CREDENTIALS} /workspace/docker-config.json
+          else
+            # It's a simple token, create docker config
+            echo "Using token-based authentication"
+            TOKEN=$(cat ${CONTAINER_REGISTRY_CREDENTIALS})
+
+            # Create docker config for GHCR
+            mkdir -p ~/.docker
+            echo '{"auths":{"ghcr.io":{"auth":"'$(echo -n "${CONTAINER_REGISTRY_USER}:${TOKEN}" | base64 -w 0)'"}}}' > ~/.docker/config.json
+            cp ~/.docker/config.json /workspace/docker-config.json
+          fi
+        else
+          echo "Credentials file not found: ${CONTAINER_REGISTRY_CREDENTIALS}"
+          exit 1
+        fi
+      else
+        # Original GCR authentication logic
+        echo "🔍 Configuring authentication for GCR/other registries"
+
+        # Login to the container registry
+        DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
+          crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
+          sed -n 's,^.*logged in via \(.*\)$,\1,p')
+
+        # Auth with account credentials for all regions.
+        for region in ${REGIONS}
+        do
+          HOSTNAME=${region}.$(params.imageRegistry)
+          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
+        done
+        cp ${DOCKER_CONFIG} /workspace/docker-config.json
+      fi
 
   - name: create-ko-yaml
     image: cgr.dev/chainguard/go:latest-dev@sha256:8e2632f8725d1a48d6f97a13c71e1594fe17dc9c0e7d00543091a04ac82e429b
@@ -146,6 +180,10 @@ spec:
       #!/usr/bin/env sh
       set -ex
 
+      # Fix Git ownership issue for the repository directory
+      git config --global --add safe.directory /go/src/repo
+      git config --global --add safe.directory ${PROJECT_ROOT}
+
       # Use the generated `.ko.yaml`
       export KO_CONFIG_PATH=/workspace
       cat ${KO_CONFIG_PATH}/.ko.yaml
@@ -273,4 +311,4 @@ spec:
           # regional copies of the images in the result - see https://github.com/tektoncd/pipeline/issues/4282
           # echo ${REGION}.$IMAGE_WITH_SHA, >> $(results.IMAGES.path)
         done
-      done
+      done