refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979)

* initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-01-19 04:37:59 +05:30 · 2022-01-19 04:37:59 +05:30 · 1580837526
commit 1580837526
parent cde1d0f2b2
6 changed files with 196 additions and 412 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -8,152 +8,34 @@ permissions: read-all
 jobs:
  push-init-kyverno:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-initContainer-dev
-      id-token: write
+      digest_command: docker-get-initContainer-dev-digest
-    steps:
+      image_name: kyvernopre
-      - name: Checkout
+      tag: image
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+    secrets:
-
+      registry_username: ${{ github.actor }}
-      - name: Unshallow
+      registry_password: ${{ secrets.CR_PAT }}
        run: git fetch --prune --unshallow
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: docker images publish
        run: |
          make docker-publish-sigs
          make docker-publish-initContainer-dev
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-initContainer-dev-digest)"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
  push-kyverno:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-kyverno-dev
-      id-token: write
+      digest_command: docker-get-kyverno-dev-digest
-    steps:
+      image_name: kyverno
-      - name: Checkout
+      tag: image
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+    secrets:
-
+      registry_username: ${{ github.actor }}
-      - name: Unshallow
+      registry_password: ${{ secrets.CR_PAT }}
        run: git fetch --prune --unshallow
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: docker images publish
        run: |
          make docker-publish-kyverno-dev
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-kyverno-dev-digest)"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
  push-kyverno-cli:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-cli-dev
-      id-token: write
+      digest_command: docker-get-cli-dev-digest
-    steps:
+      image_name: kyverno-cli
-      - name: Checkout
+      tag: image
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+    secrets:
-
+      registry_username: ${{ github.actor }}
-      - name: Unshallow
+      registry_password: ${{ secrets.CR_PAT }}
        run: git fetch --prune --unshallow
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: docker images publish
        run: |
          make docker-publish-cli-dev
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-cli-dev-digest)"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -8,230 +8,40 @@ permissions: read-all
 jobs:
  release-init-kyverno:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-initContainer
-      id-token: write
+      digest_command: docker-get-initContainer-digest
-    steps:
+      image_name: kyvernopre
-      - name: Checkout
+      tag: release
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      main: cmd/initContainer
-        with:
+    secrets:
-          fetch-depth: 0
+      registry_username: ${{ github.actor }}
-
+      registry_password: ${{ secrets.CR_PAT }}
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: Cache Go modules
        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: Set version
        run: |
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
      - name :  docker images publish
        run: |
          make docker-publish-sigs
          make docker-publish-initContainer
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
  release-kyverno:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-kyverno
-      id-token: write
+      digest_command: docker-get-kyverno-digest
-    steps:
+      image_name: kyverno
-      - name: Checkout
+      tag: release
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      main: cmd/kyverno
-        with:
+    secrets:
-          fetch-depth: 0
+      registry_username: ${{ github.actor }}
-
+      registry_password: ${{ secrets.CR_PAT }}
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: Cache Go modules
        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: Set version
        run: |
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" >> $GITHUB_ENV
      - name: Generate SBOM JSON
        uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
        with:
          version: v1
          args: mod -licenses -json -output kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json
      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
        with:
          name: kyverno-bom-cdx
          path: kyverno-v*-bom.cdx.json
      - name :  docker images publish
        run: |
          make docker-publish-sbom
          make docker-publish-kyverno
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
      - name: Sign image and SBOM
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
          cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
      - name: Trivy Scan Image
        uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1
        with: 
          image-ref: 'ghcr.io/kyverno/kyverno:${{env.KYVERNO_VERSION}}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
  release-kyverno-cli:
-    runs-on: ubuntu-latest
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
-    permissions:
+    with:
-      packages: write
+      publish_command: docker-publish-cli
-      id-token: write
+      digest_command: docker-get-cli-digest
-    steps:
+      image_name: kyverno-cli
-      - name: Checkout
+      tag: release
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      main: cmd/cli/kubectl-kyverno
-        with:
+    secrets:
-          fetch-depth: 0
+      registry_username: ${{ github.actor }}
-
+      registry_password: ${{ secrets.CR_PAT }}
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: Cache Go modules
        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
      - name: login to GitHub Container Registry
        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: Set version
        run: |
          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
      - name :  docker images publish
        run: |
          make docker-publish-cli
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make docker-get-cli-digest)"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
  create-release:
    runs-on: ubuntu-latest
@ -261,10 +71,7 @@ jobs:
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
-      - name: Set up Go
+            
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
      - name: Make Release
@ -304,4 +111,4 @@ jobs:
      - name: Update new version in krew-index
        if: steps.check-tag.outputs.match == 'true'
-        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # v0.0.38
+        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # v0.0.38
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@ -0,0 +1,132 @@
 name: Create Publish and Sign Docker Image
 on:
  workflow_call:
    inputs:
      publish_command:
        required: true
        type: string
      digest_command: 
        required: true
        type: string
      image_name: 
        required: true
        type: string
      tag: 
        required: true
        type: string
      main: 
        type: string
    secrets:
      registry_username:
        required: true
      registry_password:
        required: true
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout release
        if: ${{ inputs.tag == 'release'}}
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
        with:
          fetch-depth: 0
      - name: Checkout image
        if: ${{ inputs.tag == 'image'}}
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
      - name: Unshallow
        if: ${{ inputs.tag == 'image'}}
        run: git fetch --prune --unshallow --tags
      - name: Set up Go
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
        with:
          go-version: 1.16
      - name: Install Cosign
        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
        with:
          cosign-release: 'v1.4.1'
      - name: Cache Go modules
        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Log into ghcr.io
        uses: docker/login-action@master
        with:
          registry: ghcr.io
          username: ${{secrets.registry_username}}
          password: ${{secrets.registry_password}}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4ab11c41e45d028884a99163086648e898eed25 # v1.6.0
        id: buildx
        with:
          install: true
      - name: Run Trivy vulnerability scanner in repo mode
        if: ${{inputs.tag == 'release'}}
        uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1
        with: 
          scan-type: 'fs'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
      - name: Set Version
        if: ${{ inputs.tag == 'release'}}
        run: |
          echo "KYVERNO_VERSION=$(git tag --list --sort=-version:refname "v[0-9]*" | head -n 1)" >> $GITHUB_ENV
      - name: Generate SBOM JSON
        if: ${{inputs.tag == 'release'}}
        uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
        with:
          version: v1
          args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
      - name: Upload SBOM JSON
        if: ${{inputs.tag == 'release'}}
        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
        with:
          name: ${{inputs.image_name}}-bom-cdx
          path: ${{inputs.image_name}}-v*-bom.cdx.json
      - name : Docker images publish
        run: make ${{inputs.publish_command}}
      - name: get digest
        id: get-step
        run: |
          echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures"
        run: |          
          cosign sign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
      - name : Attach SBOM
        if: ${{inputs.tag == 'release'}}
        env:
          COSIGN_REPOSITORY: "ghcr.io/kyverno/sbom"
        run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx  ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
--- a/42
+++ b/42
@ -49,43 +49,6 @@ KYVERNO_PATH:= cmd/kyverno
 build: kyverno
 PWD := $(CURDIR)
 ##################################
 # SIGNATURE CONTAINER
 ##################################
 ALPINE_PATH := cmd/alpineBase
 SIG_IMAGE := signatures
 .PHONY: docker-build-signature docker-push-signature
 docker-buildx-builder:
 	if ! docker buildx ls | grep -q kyverno; then\
 		docker buildx create --name kyverno --use;\
 	fi
 docker-publish-sigs: docker-buildx-builder docker-build-signature docker-push-signature
 docker-build-signature: docker-buildx-builder
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
 docker-push-signature: docker-buildx-builder
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):latest .
 ##################################
 # SBOM CONTAINER
 ##################################
 ALPINE_PATH := cmd/alpineBase
 SBOM_IMAGE := sbom
 .PHONY: docker-build-sbom docker-push-sbom
 docker-publish-sbom: docker-buildx-builder docker-build-sbom docker-push-sbom
 docker-build-sbom: docker-buildx-builder
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
 docker-push-sbom: docker-buildx-builder
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
 	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):latest .
 ##################################
 # INIT CONTAINER
 ##################################
@ -96,6 +59,11 @@ initContainer: fmt vet
 .PHONY: docker-build-initContainer docker-push-initContainer
 docker-buildx-builder:
 	if ! docker buildx ls | grep -q kyverno; then\
 		docker buildx create --name kyverno --use;\
 	fi
 docker-publish-initContainer: docker-buildx-builder docker-build-initContainer docker-push-initContainer
 docker-build-initContainer: docker-buildx-builder
--- a/cmd/alpineBase/Dockerfile
+++ b/cmd/alpineBase/Dockerfile
@ -1 +0,0 @@
 FROM alpine:3.14
--- a/cosign.pub
+++ b/cosign.pub
@ -1,4 +0,0 @@
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
 7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
 -----END PUBLIC KEY-----