prime/staging k3s assets (#12911)

brooksn · web-flow · commit c0daeb1a7f8a · 2025-09-12T13:49:35.000-07:00
Signed-off-by: Brooks Newberry &lt;brooks@newberry.com&gt;
diff --git a/.drone.yml b/.drone.yml
@@ -11,6 +11,7 @@ trigger:
     exclude:
     - cron
     - pull_request
+    - tag
 
 clone:
   retries: 3
@@ -147,6 +148,7 @@ trigger:
     exclude:
     - cron
     - pull_request
+    - tag
 
 clone:
   retries: 3
@@ -222,6 +224,7 @@ trigger:
   event:
     exclude:
     - cron
+    - tag
 
 clone:
   retries: 3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,8 +32,9 @@ jobs:
   push-release-image:
     name: Build and Push Multi-Arch Image
     runs-on: ubuntu-latest
-    permissions: 
-      packages: write # Needed to push images to GHCR
+    permissions:
+      contents: read
+      id-token: write
     needs: [build-amd64, build-arm64, build-arm]
     steps:
       - name: Checkout code
@@ -42,12 +43,31 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Read registry secrets (staging)
+        uses: rancher-eio/read-vault-secrets@main
+        if: ${{ github.event.release.prerelease }}
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials registry | REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials username | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials password | REGISTRY_PASSWORD
+
+      - name: Read registry secrets (prime)
+        uses: rancher-eio/read-vault-secrets@main
+        if: ${{ ! github.event.release.prerelease }}
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials registry | REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials username | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials password | REGISTRY_PASSWORD
+
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.REGISTRY_USERNAME }}
+          password: ${{ env.REGISTRY_PASSWORD }}
 
       - name: Configure image tags
         id: tag_config
@@ -72,7 +92,7 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            ghcr.io/${{ github.repository_owner }}/k3s
+            ${{ env.REGISTRY }}/rancher/k3s
           flavor: latest=false
           tags: ${{ steps.tag_config.outputs.tag_spec }}
       
@@ -104,7 +124,8 @@ jobs:
     name: Build Airgap Pkg (${{ matrix.arch }})
     runs-on: ubuntu-latest # Runs on standard runner, docker pulls with --platform
     permissions: 
-      contents: write  # Needed to update release with assets
+      contents: read
+      id-token: write
     strategy:
       matrix:
         arch: [amd64, arm64, arm]
@@ -113,6 +134,21 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Read Prime artifacts secrets
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-artifacts/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-artifacts/credentials secretAccessKey | AWS_SECRET_ACCESS_KEY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-artifacts/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME
+
+      - name: Configure AWS Credentials (s3)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -133,35 +169,38 @@ jobs:
           name: k3s-airgap-images-${{ matrix.arch }}.sha256sum
           path: dist/artifacts/k3s-airgap-images-${{ matrix.arch }}.sha256sum
       
-      - name: Upload k3s-images.txt to Release
-        uses: softprops/action-gh-release@v2
-        # This action is recommended by GITHUB, they don't support a first party action for releases
-        # See https://github.com/actions/create-release?tab=readme-ov-file#github-action---releases-api
-        if: ${{ matrix.arch == 'amd64' }}
-        with:
-          files: |
-            dist/artifacts/k3s-images.txt
+      - name: Upload Assets
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload Airgap Assets to Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            dist/artifacts/k3s-airgap-images*
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }}
+        run: |
+          aws s3 sync dist/artifacts/ "$S3_PATH" --quiet --no-progress --exclude "*" --include "k3s-images.txt" --include "k3s-airgap-images*"
 
   upload-release-assets:
     name: Prepare and Upload Release Assets
     permissions: 
-      contents: write # Needed to update release with assets
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     needs: [build-amd64, build-arm64, build-arm, upload-release-airgap]
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
 
+    - name: Read Prime artifacts secrets
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
+          secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials secretAccessKey | AWS_SECRET_ACCESS_KEY ;
+          secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME
+
+    - name: Configure AWS Credentials (s3)
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        aws-region: us-east-1
+
     - name: "Download Binaries and Airgap sha256sum"
       uses: actions/download-artifact@v4
       with:
@@ -184,12 +223,8 @@ jobs:
           fi
         done    
     
-    - name: Upload Assets to Release
-      uses: softprops/action-gh-release@v2.2.1
-      with:
-        files: |
-          dist/artifacts/k3s*
-          dist/artifacts/sha256sum*
+    - name: Upload Assets
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
+        S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }}
+      run: |
+        aws s3 sync dist/artifacts/ "$S3_PATH" --quiet --no-progress --exclude "*" --include "k3s*" --include "sha256sum*"
