Migrate the Drone release steps to GitHub Actions (#3606)

Author: ptodev

.drone/drone.jsonnet

@@ -3,5 +3,4 @@ local pipelines = import './pipelines.jsonnet';
 (import 'pipelines/test.jsonnet') +
 (import 'pipelines/check_containers.jsonnet') +
 (import 'pipelines/crosscompile.jsonnet') +
-(import 'pipelines/publish.jsonnet') +
 (import 'util/secrets.jsonnet').asList

.drone/drone.yml

@@ -244,151 +244,6 @@ trigger:
   - pull_request
 type: docker
 ---
-kind: pipeline
-name: Publish Linux alloy container
-platform:
-  arch: amd64
-  os: linux
-steps:
-- commands:
-  - git fetch --tags
-  image: grafana/alloy-build-image:v0.1.19
-  name: Fetch tags
-- commands:
-  - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
-  failure: ignore
-  image: grafana/alloy-build-image:v0.1.19
-  name: Configure QEMU
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-- commands:
-  - mkdir -p $HOME/.docker
-  - printenv GCR_CREDS > $HOME/.docker/config.json
-  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-  - docker buildx create --name multiarch-alloy-alloy-${DRONE_COMMIT_SHA} --driver
-    docker-container --use
-  - ./tools/ci/docker-containers alloy
-  - docker buildx rm multiarch-alloy-alloy-${DRONE_COMMIT_SHA}
-  environment:
-    DOCKER_LOGIN:
-      from_secret: docker_login
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    GCR_CREDS:
-      from_secret: gcr_admin
-  image: grafana/alloy-build-image:v0.1.19
-  name: Publish container
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-trigger:
-  ref:
-  - refs/tags/v*
-type: docker
-volumes:
-- host:
-    path: /var/run/docker.sock
-  name: docker
----
-kind: pipeline
-name: Publish Linux alloy-boringcrypto container
-platform:
-  arch: amd64
-  os: linux
-steps:
-- commands:
-  - git fetch --tags
-  image: grafana/alloy-build-image:v0.1.19
-  name: Fetch tags
-- commands:
-  - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
-  failure: ignore
-  image: grafana/alloy-build-image:v0.1.19
-  name: Configure QEMU
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-- commands:
-  - mkdir -p $HOME/.docker
-  - printenv GCR_CREDS > $HOME/.docker/config.json
-  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-  - docker buildx create --name multiarch-alloy-alloy-boringcrypto-${DRONE_COMMIT_SHA}
-    --driver docker-container --use
-  - ./tools/ci/docker-containers alloy-boringcrypto
-  - docker buildx rm multiarch-alloy-alloy-boringcrypto-${DRONE_COMMIT_SHA}
-  environment:
-    DOCKER_LOGIN:
-      from_secret: docker_login
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    GCR_CREDS:
-      from_secret: gcr_admin
-  image: grafana/alloy-build-image:v0.1.19
-  name: Publish container
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-trigger:
-  ref:
-  - refs/tags/v*
-type: docker
-volumes:
-- host:
-    path: /var/run/docker.sock
-  name: docker
----
-depends_on:
-- Publish Linux alloy container
-- Publish Linux alloy-boringcrypto container
-image_pull_secrets:
-- dockerconfigjson
-kind: pipeline
-name: Publish release
-platform:
-  arch: amd64
-  os: linux
-steps:
-- commands:
-  - git fetch --tags
-  image: grafana/alloy-build-image:v0.1.19
-  name: Fetch tags
-- commands:
-  - /usr/bin/github-app-external-token > /drone/src/gh-token.txt
-  environment:
-    GITHUB_APP_ID:
-      from_secret: updater_app_id
-    GITHUB_APP_INSTALLATION_ID:
-      from_secret: updater_app_installation_id
-    GITHUB_APP_PRIVATE_KEY:
-      from_secret: updater_private_key
-  image: us.gcr.io/kubernetes-dev/github-app-secret-writer:latest
-  name: Generate GitHub token
-- commands:
-  - export GITHUB_TOKEN=$(cat /drone/src/gh-token.txt)
-  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-  - RELEASE_BUILD=1 VERSION="${DRONE_TAG}" make -j4 dist
-  - |
-    VERSION="${DRONE_TAG}" RELEASE_DOC_TAG=$(echo "${DRONE_TAG}" | awk -F '.' '{print $1"."$2}') ./tools/release
-  environment:
-    DOCKER_LOGIN:
-      from_secret: docker_login
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-  image: grafana/alloy-build-image:v0.1.19
-  name: Publish release
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-trigger:
-  ref:
-  - refs/tags/v*
-type: docker
-volumes:
-- host:
-    path: /var/run/docker.sock
-  name: docker
----
 get:
   name: app-id
   path: infra/data/ci/agent/githubapp
@@ -456,6 +311,6 @@ kind: secret
 name: updater_private_key
 ---
 kind: signature
-hmac: 97e03c7222ff8e76e82dfc902b5bfad2c608742470e01db30ad76a2bfbb49d56
+hmac: 64f2e8742ad821a4cfe298fd79d67a732fb99a492259cf34de8ef515dc2bec38
 
 ...

.drone/pipelines/publish.jsonnet

@@ -18,27 +18,19 @@ permissions:
 
 jobs:
   check-linux-container:
-    name: Check Linux container
-    container: grafana/alloy-build-image:v0.1.19
-    runs-on:
-      labels: github-hosted-ubuntu-x64-large
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
+    uses: ./.github/workflows/publish-alloy-linux.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      img-name: alloy-devel
+      push: false
 
-    - name: Set ownership
-      # https://github.com/actions/runner/issues/2033#issuecomment-1204205989
-      run: |
-          # this is to fix GIT not liking owner of the checkout dir
-          chown -R $(id -u):$(id -g) $PWD
-
-    - name: Set up Go
-      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
-      with:
-        go-version-file: go.mod
-        cache: false
-
-    - run: |
-        make alloy-image
+  check-linux-boringcrypto-container:
+    uses: ./.github/workflows/publish-alloy-linux.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      img-name: alloy-devel-boringcrypto
+      push: false

.github/workflows/check-linux-container.yml

@@ -24,7 +24,7 @@ permissions:
 
 jobs:
   check_windows_container:
-    uses: ./.github/workflows/publish-alloy.yml
+    uses: ./.github/workflows/publish-alloy-windows.yml
     permissions:
       contents: read
       id-token: write