Drop GCS release path; push images and helm charts to GHCR

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

.github/workflows/cli_release.yaml

@@ -17,6 +17,9 @@ jobs:
     name: Build Release
     runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
+    permissions:
+      contents: read
+      packages: write
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     env:
@@ -42,38 +45,36 @@ jobs:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
-    - id: gcloud-creds
-      uses: ./.github/actions/gcloud_creds
+    - name: Login to GHCR
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
       with:
-        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         BUILD_NUMBER: ${{ github.run_attempt }}
         JOB_NAME: ${{ github.job }}
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
         GH_REPO: ${{ github.repository }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
         mkdir -p "artifacts/"
         export ARTIFACTS_DIR="$(realpath artifacts/)"
         ./ci/save_version_info.sh
         ./ci/cli_build_release.sh
+    # Despite the name, linux-artifacts also contains the unsigned darwin
+    # binaries (cli_darwin_{amd64,arm64}_unsigned). sign-release downloads
+    # this artifact to feed cli_merge_sign.sh.
     - name: Upload Github Artifacts
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: linux-artifacts
         path: artifacts/
-    - name: Update GCS Manifest
-      env:
-        ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public"
-        # Use the old style versions file instead of the new updates for the gcs manifest.
-        MANIFEST_UPDATES: ""
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
-      run: ./ci/update_artifact_manifest.sh
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: artifact-upload-log
@@ -88,6 +89,10 @@ jobs:
         fetch-depth: 0
     - name: Add pwd to git safe dir
       run: git config --global --add safe.directory `pwd`
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+      with:
+        name: linux-artifacts
+        path: artifacts/
     - name: Install gon
       run: brew install Bearer/tap/gon
     - name: Sign CLI release
@@ -102,7 +107,6 @@ jobs:
         export CERT_PATH="pixie.cert"
         echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH"
         export TAG_NAME="${REF#*/tags/}"
-        mkdir -p "artifacts/"
         export ARTIFACTS_DIR="$(pwd)/artifacts"
         ./ci/cli_merge_sign.sh
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
@@ -132,19 +136,15 @@ jobs:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
-    - id: gcloud-creds
-      uses: ./.github/actions/gcloud_creds
-      with:
-        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
     - name: Add pwd to git safe dir
       run: |
         git config --global --add safe.directory `pwd`
     - name: Upload signed CLI
       env:
         REF: ${{ github.event.ref }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
         ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
+        GH_REPO: ${{ github.repository }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"

.github/workflows/cloud_release.yaml

@@ -17,6 +17,9 @@ jobs:
     name: Build Release
     runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
+    permissions:
+      contents: read
+      packages: write
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     steps:
@@ -30,15 +33,17 @@ jobs:
       with:
         download_toplevel: 'true'
         BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
-    - id: gcloud-creds
-      uses: ./.github/actions/gcloud_creds
-      with:
-        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
     - name: Import GPG key
       env:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
+    - name: Login to GHCR
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
@@ -47,9 +52,8 @@ jobs:
         GH_API_KEY: ${{ secrets.GITHUB_TOKEN }}
         COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
-        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
         GH_REPO: ${{ github.repository }}
       shell: bash
       run: |

.github/workflows/operator_release.yaml

@@ -17,6 +17,9 @@ jobs:
     name: Build Release
     runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
+    permissions:
+      contents: read
+      packages: write
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     env:
@@ -33,26 +36,27 @@ jobs:
       with:
         download_toplevel: 'true'
         BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
-    - id: gcloud-creds
-      uses: ./.github/actions/gcloud_creds
-      with:
-        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
     - name: Import GPG key
       env:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
+    - name: Login to GHCR
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
         BUILD_NUMBER: ${{ github.run_attempt }}
         JOB_NAME: ${{ github.job }}
         COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
         GH_REPO: ${{ github.repository }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
-        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
@@ -61,13 +65,6 @@ jobs:
         mkdir -p "${ARTIFACTS_DIR}"
         ./ci/save_version_info.sh
         ./ci/operator_build_release.sh
-    - name: Update GCS Manifest
-      env:
-        ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public"
-        # Use the old style versions file instead of the new updates for the gcs manifest.
-        MANIFEST_UPDATES: ""
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
-      run: ./ci/update_artifact_manifest.sh
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: manifest-updates

.github/workflows/vizier_release.yaml

@@ -17,6 +17,9 @@ jobs:
     name: Build Release
     runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
+    permissions:
+      contents: read
+      packages: write
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     env:
@@ -33,26 +36,27 @@ jobs:
       with:
         download_toplevel: 'true'
         BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
-    - id: gcloud-creds
-      uses: ./.github/actions/gcloud_creds
-      with:
-        SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
     - name: Import GPG key
       env:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
+    - name: Login to GHCR
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
         BUILD_NUMBER: ${{ github.run_attempt }}
         JOB_NAME: ${{ github.job }}
         COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
         GH_REPO: ${{ github.repository }}
-        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'gcr.io/pixie-oss/pixie-prod' }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
@@ -61,20 +65,6 @@ jobs:
         export INDEX_FILE="$(pwd)/index.yaml"
         ./ci/save_version_info.sh
         ./ci/vizier_build_release.sh
-    - name: Build & Export Docs
-      env:
-        PXL_DOCS_GCS_PATH: "gs://pixie-dev-public/pxl-docs.json"
-      run: |
-        docs="$(mktemp)"
-        bazel run //src/carnot/docstring:docstring -- --output_json "${docs}"
-        gsutil cp "${docs}" "${PXL_DOCS_GCS_PATH}"
-    - name: Update GCS Manifest
-      env:
-        ARTIFACT_MANIFEST_BUCKET: "pixie-dev-public"
-        # Use the old style versions file instead of the new updates for the gcs manifest.
-        MANIFEST_UPDATES: ""
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
-      run: ./ci/update_artifact_manifest.sh
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: manifest-updates

ci/artifact_mirrors.yaml

@@ -4,8 +4,3 @@
 - name: gh-releases
   type: gh-releases
   url_format: 'https://github.com/${gh_repo}/releases/download/release/${component}/v${version}/${artifact_name}'
-- name: pixie-oss-gcs
-  type: gcs
-  bucket: pixie-dev-public
-  path_format: '${component}/${version}/${artifact_name}'
-  url_format: 'https://storage.googleapis.com/pixie-dev-public/${component}/${version}/${artifact_name}'

ci/cli_merge_sign.sh

@@ -33,16 +33,9 @@ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYCHAI
 security default-keychain -s "${KEYCHAIN_PATH}"
 security find-identity -v
 
-release_tag=${TAG_NAME##*/v}
-bucket="pixie-dev-public"
-ARTIFACT_BASE_PATH="https://storage.googleapis.com/${bucket}/cli"
-
 for arch in amd64 arm64
 do
-  url="${ARTIFACT_BASE_PATH}/${release_tag}/cli_darwin_${arch}_unsigned"
-  rm -f "cli_darwin_${arch}_unsigned"
-  wget "${url}"
-  mv "cli_darwin_${arch}_unsigned" "cli_darwin_${arch}"
+  cp "${artifacts_dir}/cli_darwin_${arch}_unsigned" "cli_darwin_${arch}"
 done
 
 # Create a universal binary.

ci/cloud_build_release.sh

@@ -34,12 +34,11 @@ if [[ "${release_tag}" == *"-"* ]]; then
 fi
 
 echo "The image tag is: ${release_tag}"
-image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}"
+image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}"
 
 bazel run -c opt \
   --config=stamp \
   --config=x86_64_sysroot \
-  --action_env=GOOGLE_APPLICATION_CREDENTIALS \
   --//k8s:image_repository="${image_repo}" \
   --//k8s:image_version="${release_tag}" \
   //k8s/cloud:cloud_images_push
@@ -53,17 +52,13 @@ done < <(bazel run -c opt \
   --//k8s:image_version="${release_tag}" \
   //k8s/cloud:list_image_bundle)
 
-all_licenses_opts=("//tools/licenses:all_licenses" "--action_env=GOOGLE_APPLICATION_CREDENTIALS" "--remote_download_outputs=toplevel")
+all_licenses_opts=("//tools/licenses:all_licenses" "--remote_download_outputs=toplevel")
 all_licenses_path="$(bazel cquery "${all_licenses_opts[@]}"  --output starlark --starlark:expr "target.files.to_list()[0].path" 2> /dev/null)"
 bazel build "${all_licenses_opts[@]}"
 
 upload_artifact_to_mirrors "cloud" "${release_tag}" "${all_licenses_path}" "licenses.json"
-# The licenses file uses a non-standard path (outside of the "component/version/artifact" convention)
-# so for now we'll also copy it to the legacy path.
-gsutil cp "${all_licenses_path}" "gs://pixie-dev-public/oss-licenses/${release_tag}.json"
 if [[ "${release}" == "true" ]]; then
   upload_artifact_to_mirrors "cloud" "latest" "${all_licenses_path}" "licenses.json"
-  gsutil cp "${all_licenses_path}" "gs://pixie-dev-public/oss-licenses/latest.json"
 fi
 
 # Write YAMLs + image paths to a tar file to support easy deployment.

ci/operator_build_release.sh

@@ -37,7 +37,7 @@ bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \
 tags=$(git for-each-ref --sort='-*authordate' --format '%(refname:short)' refs/tags \
     | grep "release/operator" | grep -v "\-" || true)
 
-image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}"
+image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}"
 image_paths=$(bazel cquery //k8s/operator:image_bundle \
   --//k8s:image_repository="${image_repo}" \
   --//k8s:image_version="${release_tag}" \

ci/operator_helm_build_release.sh

@@ -36,11 +36,6 @@ tmp_dir="$(mktemp -d)"
 index_file="${INDEX_FILE:?}"
 gh_repo="${GH_REPO:?}"
 
-helm_gcs_bucket="pixie-operator-charts"
-if [[ $VERSION == *"-"* ]]; then
-  helm_gcs_bucket="pixie-operator-charts-dev"
-fi
-
 repo_path=$(pwd)
 # shellcheck source=ci/artifact_utils.sh
 . "${repo_path}/ci/artifact_utils.sh"
@@ -60,37 +55,12 @@ helm_tmpl_checks="$(cat "${repo_path}/k8s/operator/helm/olm_template_checks.tmpl
 find "${repo_path}/k8s/operator/helm/templates" -type f -exec sed -i "/HELM_DEPLOY_OLM_PLACEHOLDER/c\\${helm_tmpl_checks}" {} \;
 rm "${repo_path}/k8s/operator/helm/olm_template_checks.tmpl"
 
-# Fetch all of the current charts in GCS, because generating the index needs all pre-existing tar versions present.
-mkdir -p "${tmp_dir}/${helm_gcs_bucket}"
-gsutil rsync "gs://${helm_gcs_bucket}" "${tmp_dir}/${helm_gcs_bucket}"
-
 # Generates tgz for the new release helm3 chart.
-helm package "${helm_path}" -d "${tmp_dir}/${helm_gcs_bucket}"
-
-# Create release for Helm2.
-mkdir "${helm_path}2"
-
-# Create Chart.yaml for this release for Helm2.
-echo "apiVersion: v1
-name: pixie-operator-helm2-chart
-type: application
-version: ${VERSION}" > "${helm_path}2/Chart.yaml"
-
-cp -r "${helm_path}/templates" "${helm_path}2/templates"
-cp "${helm_path}/values.yaml" "${helm_path}2/values.yaml"
-
-# Generates tgz for the new release helm3 chart.
-helm package "${helm_path}2" -d "${tmp_dir}/${helm_gcs_bucket}"
-
-# Update the index file.
-helm repo index "${tmp_dir}/${helm_gcs_bucket}" --url "https://${helm_gcs_bucket}.storage.googleapis.com"
-
-upload_artifact_to_mirrors "operator" "${VERSION}" "${tmp_dir}/${helm_gcs_bucket}/pixie-operator-chart-${VERSION}.tgz" "pixie-operator-chart-${VERSION}.tgz"
+helm package "${helm_path}" -d "${tmp_dir}/helm_chart"
 
-# Upload the new index and tar to gcs by syncing. This will help keep the timestamps for pre-existing tars the same.
-gsutil rsync "${tmp_dir}/${helm_gcs_bucket}" "gs://${helm_gcs_bucket}"
+upload_artifact_to_mirrors "operator" "${VERSION}" "${tmp_dir}/helm_chart/pixie-operator-chart-${VERSION}.tgz" "pixie-operator-chart-${VERSION}.tgz"
 
-# Generate separate index file for GH.
+# Generate index file for GH.
 mkdir -p "${tmp_dir}/gh_helm_chart"
 helm package "${helm_path}" -d "${tmp_dir}/gh_helm_chart"
 # Pull index file.

ci/vizier_build_release.sh

@@ -35,7 +35,7 @@ echo "The release tag is: ${release_tag}"
 bazel run -c opt //src/utils/artifacts/versions_gen:versions_gen -- \
       --repo_path "${repo_path}" --artifact_name vizier --versions_file "${versions_file}"
 
-image_repo="${IMAGE_REPO:-gcr.io/pixie-oss/pixie-prod}"
+image_repo="${IMAGE_REPO:-ghcr.io/pixie-io}"
 
 push_all_multiarch_images "//k8s/vizier:vizier_images_push" "//k8s/vizier:list_image_bundle" "${release_tag}" "${image_repo}"