kyverno/.github/workflows/image.yaml

name: image
on:
  push:
    branches:
      - 'main'
      - 'release*'

permissions:
  contents: read
  packages: write
  id-token: write 

jobs:
  push-init-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyvernopre
      image_name: kyvernopre
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}
      
  push-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyverno
      image_name: kyverno
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  push-kyverno-cli:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-cli
      image_name: kyverno-cli
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  generate-init-kyverno-provenance:
    needs: push-init-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
      digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

  generate-kyverno-provenance:
    needs: push-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno
      digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

  generate-kyverno-cli-provenance:
    needs: push-kyverno-cli
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
      digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}
Publish test image (#1184) * push image on PR * add docker login in CI * publish image once PR is merged * update order * change condition when publish image * add image publish as a separate github action * remove condition 2020-10-09 19:22:05 -07:00			`name: image`
Publish test image (#1183) * push image on PR * add docker login in CI * publish image once PR is merged * update order * change condition when publish image * add image publish as a separate github action 2020-10-09 19:16:28 -07:00			`on:`
			`push:`
			`branches:`
update master to main in CI automation files 2020-11-03 13:56:57 -08:00			`- 'main'`
update workflow configurations to fix CI failure (#3060) Signed-off-by: ShutingZhao <shuting@nirmata.com> 2022-01-24 12:39:15 +08:00			`- 'release*'`
Test publishing dev-test images (#2848) * publish dev-* images Signed-off-by: ShutingZhao <shuting@nirmata.com> * add LD_FLAGS_DEV Signed-off-by: ShutingZhao <shuting@nirmata.com> * add IMAGE_TAG_LATEST_DEV Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove test statement Signed-off-by: ShutingZhao <shuting@nirmata.com> 2021-12-17 10:46:59 +08:00
Fix permissions for image publish workflows (#3021) All of the jobs in this workflow use the same set of permissions and this workflow is only run on pushes to master. Adding the appropriate permissions to read repository contents, publish packages and ID token for cosign. Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-19 11:39:51 +00:00			`permissions:`
			`contents: read`
			`packages: write`
			`id-token: write`
Add github token permissions to improve ossf scorecard (#2992) * Fix autogen issue with cronjob generator and foreach pod generator (#2989) Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> Signed-off-by: Roee Landesman <roee.landesman@gmail.com> * Add baseline read-all permissions Signed-off-by: Roee Landesman <roee.landesman@gmail.com> * remove extra read-all Signed-off-by: Roee Landesman <roee.landesman@gmail.com> * Add arm64 goarch to go releaser (#2991) Signed-off-by: Roee Landesman <roee.landesman@gmail.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-15 17:14:22 -08:00
Publish test image (#1183) * push image on PR * add docker login in CI * publish image once PR is merged * update order * change condition when publish image * add image publish as a separate github action 2020-10-09 19:16:28 -07:00			`jobs:`
Adding parallel GitHub pipeline to reduce the build time (#1635) * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * stage-pipeline Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * Refactoring release and push github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * adding release-cli-via-krew Signed-off-by: rajdas98 <mail.rajdas@gmail.com> 2021-02-23 04:18:11 +05:30			`push-init-kyverno:`
chore: add workflow to ensure github actions are pinned to a commit SHA (#4390) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-23 22:02:13 +02:00			`uses: ./.github/workflows/reuse.yaml`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`with:`
refactor: clearly separate makefile docker targets for build and publish (#4454) * refactor: clearly separate makefile ko targets for build and publish Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: clearly separate makefile docker targets for build and publish Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-31 06:22:46 +02:00			`publish_command: ko-publish-kyvernopre`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`image_name: kyvernopre`
			`tag: image`
fix: ko login (#4425) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-26 18:56:27 +02:00			`secrets:`
			`registry_username: ${{ github.actor }}`
			`registry_password: ${{ secrets.CR_PAT }}`
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00
Adding parallel GitHub pipeline to reduce the build time (#1635) * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * stage-pipeline Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * Refactoring release and push github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * adding release-cli-via-krew Signed-off-by: rajdas98 <mail.rajdas@gmail.com> 2021-02-23 04:18:11 +05:30			`push-kyverno:`
chore: add workflow to ensure github actions are pinned to a commit SHA (#4390) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-23 22:02:13 +02:00			`uses: ./.github/workflows/reuse.yaml`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`with:`
refactor: clearly separate makefile ko targets for build and publish (#4450) * refactor: clearly separate makefile ko targets for build and publish Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-30 17:30:28 +02:00			`publish_command: ko-publish-kyverno`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`image_name: kyverno`
			`tag: image`
fix: ko login (#4425) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-26 18:56:27 +02:00			`secrets:`
			`registry_username: ${{ github.actor }}`
			`registry_password: ${{ secrets.CR_PAT }}`
feat: sign images using cosign on build Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com> 2021-09-27 00:57:02 +05:30
Adding parallel GitHub pipeline to reduce the build time (#1635) * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * stage-pipeline Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * Refactoring release and push github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * refactoring github workflow Signed-off-by: rajdas98 <mail.rajdas@gmail.com> * adding release-cli-via-krew Signed-off-by: rajdas98 <mail.rajdas@gmail.com> 2021-02-23 04:18:11 +05:30			`push-kyverno-cli:`
chore: add workflow to ensure github actions are pinned to a commit SHA (#4390) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-23 22:02:13 +02:00			`uses: ./.github/workflows/reuse.yaml`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`with:`
refactor: clearly separate makefile ko targets for build and publish (#4450) * refactor: clearly separate makefile ko targets for build and publish Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-30 17:30:28 +02:00			`publish_command: ko-publish-cli`
refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979) * initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-19 04:37:59 +05:30			`image_name: kyverno-cli`
			`tag: image`
fix: ko login (#4425) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-08-26 18:56:27 +02:00			`secrets:`
			`registry_username: ${{ github.actor }}`
			`registry_password: ${{ secrets.CR_PAT }}`
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00
			`generate-init-kyverno-provenance:`
			`needs: push-init-kyverno`
			`permissions:`
			`id-token: write # To sign the provenance.`
			`packages: write # To upload assets to release.`
			`actions: read #To read the workflow path.`
Update SLSA generator workflow to v1.2.2 (#5323) * Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> 2022-11-15 15:08:09 +09:00			`# NOTE: The container generator workflow is not officially released as GA.`
			`uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2`
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00			`with:`
			`image: ghcr.io/${{ github.repository_owner }}/kyvernopre`
			`digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"`
			`registry-username: ${{ github.actor }}`
			`secrets:`
			`registry-password: ${{ secrets.CR_PAT }}`

			`generate-kyverno-provenance:`
			`needs: push-kyverno`
			`permissions:`
			`id-token: write # To sign the provenance.`
			`packages: write # To upload assets to release.`
			`actions: read #To read the workflow path.`
Update SLSA generator workflow to v1.2.2 (#5323) * Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> 2022-11-15 15:08:09 +09:00			`# NOTE: The container generator workflow is not officially released as GA.`
			`uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2`
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00			`with:`
			`image: ghcr.io/${{ github.repository_owner }}/kyverno`
			`digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"`
			`registry-username: ${{ github.actor }}`
			`secrets:`
			`registry-password: ${{ secrets.CR_PAT }}`
Update SLSA generator workflow to v1.2.2 (#5323) * Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> 2022-11-15 15:08:09 +09:00
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00			`generate-kyverno-cli-provenance:`
			`needs: push-kyverno-cli`
			`permissions:`
			`id-token: write # To sign the provenance.`
			`packages: write # To upload assets to release.`
			`actions: read #To read the workflow path.`
Update SLSA generator workflow to v1.2.2 (#5323) * Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> 2022-11-15 15:08:09 +09:00			`# NOTE: The container generator workflow is not officially released as GA.`
			`uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2`
feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-10-28 19:19:15 +05:00			`with:`
			`image: ghcr.io/${{ github.repository_owner }}/kyverno-cli`
			`digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"`
			`registry-username: ${{ github.actor }}`
			`secrets:`
Update SLSA generator workflow to v1.2.2 (#5323) * Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> 2022-11-15 15:08:09 +09:00			`registry-password: ${{ secrets.CR_PAT }}`