71 changes: 43 additions & 28 deletions .github/workflows/nightly-builds.yaml
@@ -1,6 +1,6 @@
name: Tekton Nightly Build

on:
"on":
schedule:
# Run at 03:00 UTC daily
- cron: "0 3 * * *"
Expand All @@ -11,16 +11,17 @@ on:
required: false
default: 'v1.33.x'
nightly_bucket:
description: 'Nightly bucket for builds'
description: 'Oracle Cloud bucket name for builds'
required: false
default: 'gs://tekton-releases-nightly/pipeline'
Member

Is there a particular reason for removing the repo name from the bucket config and making it a separate param?

This pipeline should always publish to <bucket>/pipeline so making it configurable seems unusual, unless we're planning to use this as a template for a generic pipeline that can be reused across multiple repos. In which case, I think there are likely many other changes that would be required so each repo can customise the pipeline to their needs, and would require careful design before implementing.

Contributor Author


In Oracle cloud, I was not able to pass the bucket name as /pipeline. Hence introduced a new param called reponame and pass as object prefix. https://github.com/anithapriyanatarajan/pipeline/blob/865d2ff9b6646475a5efd759fdac888d9072ce90/.github/workflows/nightly-builds.yaml#L24

default: 'tekton-nightly'
type: string

env:
KUBERNETES_VERSION: ${{ inputs.kubernetes_version || 'v1.33.x' }}
REGISTRY: ghcr.io
PACKAGE: github.com/${{ github.repository }}
BUCKET: ${{ inputs.nightly_bucket || 'gs://tekton-releases-nightly/pipeline' }}
BUCKET: ${{ inputs.nightly_bucket || 'tekton-nightly' }}
REPO_NAME: ${{ github.event.repository.name }}
IMAGE_REGISTRY_PATH: ${{ github.repository }}
IMAGE_REGISTRY_USER: tekton-robot

Expand All @@ -37,7 +38,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

Expand All @@ -50,12 +51,12 @@ jobs:
echo "latest_sha=${latest_sha}" >> "$GITHUB_OUTPUT"

- name: Set up Kind cluster
uses: chainguard-dev/actions/setup-kind@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7
uses: chainguard-dev/actions/setup-kind@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7
with:
k8s-version: ${{ env.KUBERNETES_VERSION }}

- name: Set up Tekton
uses: tektoncd/actions/setup-tektoncd@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main
uses: tektoncd/actions/setup-tektoncd@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main
with:
pipeline_version: latest
setup_registry: "true"
Expand All @@ -65,27 +66,27 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
run: |
# Create Git authentication secret with proper Tekton annotations
# Create Git authentication secret as basic-auth type for Git resolver
kubectl create secret generic git-resolver-secret \
--from-literal=token="${GITHUB_TOKEN}" \
--type=kubernetes.io/basic-auth \
--from-literal=username=git \
--from-literal=password="${GITHUB_TOKEN}" \
-n tekton-pipelines-resolvers || true

kubectl annotate secret git-resolver-secret \
tekton.dev/git-0=github.com \
-n tekton-pipelines-resolvers || true

kubectl create secret generic git-resolver-secret \
--from-literal=token="${GITHUB_TOKEN}" \
-n default || true

kubectl annotate secret git-resolver-secret \
tekton.dev/git-0=github.com \
-n default || true
-n tekton-pipelines-resolvers --overwrite || true

kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --patch='
# Configure Git resolver to use the secret
kubectl patch configmap git-resolver-config -n tekton-pipelines-resolvers --type=merge --patch='
data:
api-token-secret-name: "git-resolver-secret"
api-token-secret-key: "token"
default-url: "https://github.com"
fetch-timeout: "1m"
scm-type: "github"
server-url: "https://api.github.com"
api-secret-name: "git-resolver-secret"
api-secret-key: "password"
api-secret-namespace: "tekton-pipelines-resolvers"
' || true

kubectl patch configmap feature-flags -n tekton-pipelines --patch='
Expand All @@ -94,7 +95,7 @@ jobs:
' || true

- name: Install tkn CLI
uses: tektoncd/actions/setup-tektoncd-cli@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main
uses: tektoncd/actions/setup-tektoncd-cli@0986bcdfbaf4f83a8a7b19bc2fa360c44ee55929 # main
with:
version: latest

Expand All @@ -104,15 +105,29 @@ jobs:

- name: Create secrets, service account and PVC template
env:
GCS_SERVICE_ACCOUNT_KEY: ${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}
OCI_API_KEY: ${{ secrets.OCI_API_KEY }}
OCI_FINGERPRINT: ${{ secrets.OCI_FINGERPRINT }}
OCI_TENANCY_OCID: ${{ secrets.OCI_TENANCY_OCID }}
OCI_USER_OCID: ${{ secrets.OCI_USER_OCID }}
OCI_REGION: ${{ secrets.OCI_REGION }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN || github.token }}
IMAGE_REGISTRY_USER: ${{ env.IMAGE_REGISTRY_USER }}
run: |
# Create GCS service account secret for release bucket access
echo "${GCS_SERVICE_ACCOUNT_KEY}" > /tmp/gcs-key.json
# Create Oracle Cloud credentials secret for release bucket access
echo "${OCI_API_KEY}" > /tmp/oci_api_key.pem
echo "${OCI_FINGERPRINT}" > /tmp/fingerprint
echo "${OCI_TENANCY_OCID}" > /tmp/tenancy_ocid
echo "${OCI_USER_OCID}" > /tmp/user_ocid
echo "${OCI_REGION}" > /tmp/region

kubectl create secret generic release-secret \
--from-file=release.json=/tmp/gcs-key.json
rm -f /tmp/gcs-key.json
--from-file=oci_api_key.pem=/tmp/oci_api_key.pem \
--from-file=fingerprint=/tmp/fingerprint \
--from-file=tenancy_ocid=/tmp/tenancy_ocid \
--from-file=user_ocid=/tmp/user_ocid \
--from-file=region=/tmp/region

rm -f /tmp/oci_api_key.pem /tmp/fingerprint /tmp/tenancy_ocid /tmp/user_ocid /tmp/region

# Create a Kubernetes secret for GHCR authentication.
# This version creates the secret with a custom key name `docker-config.json`
Expand Down Expand Up @@ -143,6 +158,7 @@ jobs:
PIPELINE_RUN=$(tkn pipeline start pipeline-release \
--serviceaccount=release-right-meow \
--param package="${{ env.PACKAGE }}" \
--param repoName="${{ env.REPO_NAME }}" \
--param gitRevision="${{ steps.version.outputs.latest_sha }}" \
--param versionTag="${{ steps.version.outputs.version_tag }}" \
--param releaseBucket="${{ env.BUCKET }}" \
Expand All @@ -153,7 +169,6 @@ jobs:
--param buildPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" \
--param publishPlatforms="linux/amd64,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64" \
--param koExtraArgs="" \
--param serviceAccountPath=release.json \
--param serviceAccountImagesPath=docker-config.json \
--param releaseAsLatest="true" \
--param runTests="false" \
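Review bot: The OCI private key is written to /tmp with the runner's default umask, and the `rm -f` on the last added line of the "Create secrets" step only runs if `kubectl create secret` succeeds — GitHub's default `run` shell passes `-e`, so a failed create (for example, the secret already exists) aborts the step and leaves the key on disk for the rest of the job, as was already the case for the old gcs-key.json. Put `umask 077` before the `echo` lines and register the cleanup up front with `trap 'rm -f /tmp/oci_api_key.pem /tmp/fingerprint /tmp/tenancy_ocid /tmp/user_ocid /tmp/region' EXIT`, or avoid the files altogether by passing the values with `--from-literal`. An unset `OCI_API_KEY` secret is also accepted silently here and only surfaces at upload time; `: "${OCI_API_KEY:?OCI_API_KEY secret is not set}"` turns it into a step failure at the point of cause. The same masking exists in the git-resolver hunk, where every kubectl call ends in `|| true`, so a wrong secret type or configmap key is never reported. The step's run block continues past the hunk.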
58 changes: 38 additions & 20 deletions tekton/release-pipeline.yaml
Expand Up @@ -8,6 +8,9 @@ spec:
- name: package
description: package to release
default: github.com/tektoncd/pipeline
- name: repoName
description: repository name (e.g., pipeline, triggers, etc.)
default: pipeline
- name: gitRevision
description: the git revision to release
- name: imageRegistry
Expand All @@ -26,7 +29,7 @@ spec:
description: Version tag (vX.Y.Z for stable, vYYYYMMDD-abc1234 for nightly)
- name: releaseBucket
description: bucket where the release is stored. The bucket must be project specific.
default: "gs://tekton-releases-nightly/pipeline" # Will be overridden based on releaseMode
default: "tekton-nightly" # Will be overridden based on releaseMode
- name: releaseAsLatest
description: Whether to tag and publish this release as latest
default: "false" # Will be overridden based on releaseMode
Expand All @@ -42,8 +45,6 @@ spec:
- name: koExtraArgs
description: Extra args to be passed to ko
default: "--preserve-import-paths"
- name: serviceAccountPath
description: The path to the service account file within the release-secret workspace
- name: serviceAccountImagesPath
description: The path to the service account file or credentials within the release-images-secret workspace
- name: runTests
Expand All @@ -53,7 +54,7 @@ spec:
- name: workarea
description: The workspace where the repo will be cloned.
- name: release-secret
description: The secret that contains a service account authorized to push to the output bucket
description: The secret that contains auth credentials to push to the output bucket
- name: release-images-secret
description: The secret that contains a service account authorized to push to the imageRegistry
results:
Expand Down Expand Up @@ -202,15 +203,16 @@ spec:
- name: release-secret
workspace: release-images-secret
timeout: 3h

- name: publish-to-bucket
runAfter: [publish-images]
taskRef:
resolver: bundles
params:
- name: bundle
value: ghcr.io/tektoncd/catalog/upstream/tasks/gcs-upload:0.3
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.1
- name: name
value: gcs-upload
value: oracle-cloud-storage-upload
- name: kind
value: task
workspaces:
Expand All @@ -220,12 +222,17 @@ spec:
workspace: workarea
subPath: bucket
params:
- name: location
value: $(params.releaseBucket)/previous/$(params.versionTag)
- name: path
value: $(params.versionTag)
- name: serviceAccountPath
value: $(params.serviceAccountPath)
- name: bucketName
value: $(params.releaseBucket)
- name: objectPrefix
value: $(params.repoName)/previous/$(params.versionTag)/
- name: replaceExistingFiles
value: "true"
- name: recursive
value: "true"

- name: publish-to-bucket-latest
runAfter: [publish-images]
when:
Expand All @@ -236,9 +243,9 @@ spec:
resolver: bundles
params:
- name: bundle
value: ghcr.io/tektoncd/catalog/upstream/tasks/gcs-upload:0.3
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.1
- name: name
value: gcs-upload
value: oracle-cloud-storage-upload
- name: kind
value: task
workspaces:
Expand All @@ -248,25 +255,33 @@ spec:
workspace: workarea
subPath: bucket
params:
- name: location
value: $(params.releaseBucket)/latest
- name: path
value: $(params.versionTag)
- name: serviceAccountPath
value: $(params.serviceAccountPath)
- name: bucketName
value: $(params.releaseBucket)
- name: objectPrefix
value: $(params.repoName)/latest/
- name: replaceExistingFiles
value: "true"
- name: recursive
value: "true"
- name: deleteExtraFiles
value: "true" # Uses rsync to copy content into latest
value: "true" # Uses sync to copy content into latest

- name: report-bucket
runAfter: [publish-to-bucket]
params:
- name: releaseBucket
value: $(params.releaseBucket)
- name: versionTag
value: $(params.versionTag)
- name: repoName
value: $(params.repoName)
taskSpec:
params:
- name: releaseBucket
- name: versionTag
- name: repoName
results:
- name: release
description: The full URL of the release file in the bucket
Expand All @@ -280,9 +295,12 @@ spec:
value: $(params.releaseBucket)
- name: VERSION_TAG
value: $(params.versionTag)
- name: REPO_NAME
value: $(params.repoName)
script: |
BASE_URL=$(echo "${RELEASE_BUCKET}/previous/${VERSION_TAG}")
# If the bucket is in the gs:// return the corresponding public https URL
BASE_URL=$(echo ${BASE_URL} | sed 's,gs://,https://storage.googleapis.com/,g')
# Oracle Cloud Storage: Construct public URL
# Format: https://infra.tekton.dev/<releaseBucket>/<repoName>/previous/<versionTag>
BASE_URL="https://infra.tekton.dev/${RELEASE_BUCKET}/${REPO_NAME}/previous/${VERSION_TAG}"

echo "${BASE_URL}/release.yaml" > $(results.release.path)
echo "${BASE_URL}/release.notag.yaml" > $(results.release-no-tag.path)
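Review bot: The `releaseBucket` description just above the new default still says "The bucket must be project specific", but the new default `tekton-nightly` together with the `objectPrefix` values `$(params.repoName)/previous/$(params.versionTag)/` and `$(params.repoName)/latest/` makes it a bucket shared across repos, keyed by `repoName`. Replace it with `description: bucket where the release is stored; objects are written under the <repoName>/ prefix so one bucket can be shared across repos`. With a shared bucket, `deleteExtraFiles: "true"` in publish-to-bucket-latest is only safe if the oracle-cloud-storage-upload task scopes deletion to `objectPrefix` rather than the whole bucket; that is decided by the task definition, which is not visible here, so confirm it and record the outcome next to the `# Uses sync to copy content into latest` comment. The new bundle reference `oracle-cloud-storage-upload:0.1` is a mutable tag, as the replaced `gcs-upload:0.3` was; pinning it by digest (`@sha256:<digest-placeholder>`) would make what the nightly pipeline executes reproducible.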