refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979)

* initial commit Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding docker-buildx-builder to makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * reverting git describe in makefile Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * uploading sbom for each kyverno image Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * small nits Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * scanning image before pushing and removed cosign.pub Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-01-19 04:37:59 +05:30 · 2022-01-19 04:37:59 +05:30 · 1580837526
commit 1580837526
parent cde1d0f2b2
6 changed files with 196 additions and 412 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -8,152 +8,34 @@ permissions: read-all

 jobs:
  push-init-kyverno:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-
-      - name: Unshallow
-        run: git fetch --prune --unshallow
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: docker images publish
-        run: |
-          make docker-publish-sigs
-          make docker-publish-initContainer-dev
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-initContainer-dev-digest)"
-
-      - name: Sign image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-initContainer-dev
+      digest_command: docker-get-initContainer-dev-digest
+      image_name: kyvernopre
+      tag: image
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}

  push-kyverno:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-
-      - name: Unshallow
-        run: git fetch --prune --unshallow
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: docker images publish
-        run: |
-          make docker-publish-kyverno-dev
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-kyverno-dev-digest)"
-
-      - name: Sign image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-kyverno-dev
+      digest_command: docker-get-kyverno-dev-digest
+      image_name: kyverno
+      tag: image
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}

  push-kyverno-cli:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-
-      - name: Unshallow
-        run: git fetch --prune --unshallow
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: docker images publish
-        run: |
-          make docker-publish-cli-dev
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-cli-dev-digest)"
-
-      - name: Sign image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-cli-dev
+      digest_command: docker-get-cli-dev-digest
+      image_name: kyverno-cli
+      tag: image
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -8,230 +8,40 @@ permissions: read-all

 jobs:
  release-init-kyverno:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: Cache Go modules
-        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: Set version
-        run: |
-          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
-
-      - name :  docker images publish
-        run: |
-          make docker-publish-sigs
-          make docker-publish-initContainer
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
-
-      - name: Sign image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-initContainer
+      digest_command: docker-get-initContainer-digest
+      image_name: kyvernopre
+      tag: release
+      main: cmd/initContainer
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: Cache Go modules
-        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: Set version
-        run: |
-          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
-          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" >> $GITHUB_ENV
-
-      - name: Generate SBOM JSON
-        uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
-        with:
-          version: v1
-          args: mod -licenses -json -output kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json
-          
-      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
-        with:
-          name: kyverno-bom-cdx
-          path: kyverno-v*-bom.cdx.json
-
-      - name :  docker images publish
-        run: |
-          make docker-publish-sbom
-          make docker-publish-kyverno
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
-
-      - name: Sign image and SBOM
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
-          cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
-
-      - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1
-        with: 
-          image-ref: 'ghcr.io/kyverno/kyverno:${{env.KYVERNO_VERSION}}'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-kyverno
+      digest_command: docker-get-kyverno-digest
+      image_name: kyverno
+      tag: release
+      main: cmd/kyverno
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}

  release-kyverno-cli:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
-        with:
-          cosign-release: 'v1.4.1'
-
-      - name: Cache Go modules
-        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
-      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-
-      - name: login to GitHub Container Registry
-        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
-        id: buildx
-        with:
-          install: true
-
-      - name: Set version
-        run: |
-          echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
-
-      - name :  docker images publish
-        run: |
-          make docker-publish-cli
-
-      - name: get digest
-        id: get-step
-        run: |
-          echo "::set-output name=digest::$(make docker-get-cli-digest)"
-
-      - name: Sign image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
+    uses: kyverno/kyverno/.github/workflows/reuse.yaml@main
+    with:
+      publish_command: docker-publish-cli
+      digest_command: docker-get-cli-digest
+      image_name: kyverno-cli
+      tag: release
+      main: cmd/cli/kubectl-kyverno
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}
  
  create-release:
    runs-on: ubuntu-latest
@ -261,10 +71,7 @@ jobs:
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
-      - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
-        with:
-          go-version: 1.16
+            
      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0

      - name: Make Release
@ -304,4 +111,4 @@ jobs:

      - name: Update new version in krew-index
        if: steps.check-tag.outputs.match == 'true'
-        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # v0.0.38
+        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # v0.0.38
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@ -0,0 +1,132 @@
+name: Create Publish and Sign Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      publish_command:
+        required: true
+        type: string
+      digest_command: 
+        required: true
+        type: string
+      image_name: 
+        required: true
+        type: string
+      tag: 
+        required: true
+        type: string
+      main: 
+        type: string
+    secrets:
+      registry_username:
+        required: true
+      registry_password:
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout release
+        if: ${{ inputs.tag == 'release'}}
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          fetch-depth: 0
+
+      - name: Checkout image
+        if: ${{ inputs.tag == 'image'}}
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+
+      - name: Unshallow
+        if: ${{ inputs.tag == 'image'}}
+        run: git fetch --prune --unshallow --tags
+
+      - name: Set up Go
+        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
+        with:
+          go-version: 1.16
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
+        with:
+          cosign-release: 'v1.4.1'
+
+      - name: Cache Go modules
+        uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Log into ghcr.io
+        uses: docker/login-action@master
+        with:
+          registry: ghcr.io
+          username: ${{secrets.registry_username}}
+          password: ${{secrets.registry_password}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4ab11c41e45d028884a99163086648e898eed25 # v1.6.0
+        id: buildx
+        with:
+          install: true
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        if: ${{inputs.tag == 'release'}}
+        uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1
+        with: 
+          scan-type: 'fs'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Set Version
+        if: ${{ inputs.tag == 'release'}}
+        run: |
+          echo "KYVERNO_VERSION=$(git tag --list --sort=-version:refname "v[0-9]*" | head -n 1)" >> $GITHUB_ENV
+
+      - name: Generate SBOM JSON
+        if: ${{inputs.tag == 'release'}}
+        uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
+        with:
+          version: v1
+          args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
+          
+      - name: Upload SBOM JSON
+        if: ${{inputs.tag == 'release'}}
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+        with:
+          name: ${{inputs.image_name}}-bom-cdx
+          path: ${{inputs.image_name}}-v*-bom.cdx.json
+
+      - name : Docker images publish
+        run: make ${{inputs.publish_command}}
+
+      - name: get digest
+        id: get-step
+        run: |
+          echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
+
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures"
+        run: |          
+          cosign sign \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
+
+      - name : Attach SBOM
+        if: ${{inputs.tag == 'release'}}
+        env:
+          COSIGN_REPOSITORY: "ghcr.io/kyverno/sbom"
+        run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx  ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
--- a/42
+++ b/42
@ -49,43 +49,6 @@ KYVERNO_PATH:= cmd/kyverno
 build: kyverno
 PWD := $(CURDIR)

-##################################
-# SIGNATURE CONTAINER
-##################################
-ALPINE_PATH := cmd/alpineBase
-SIG_IMAGE := signatures
-.PHONY: docker-build-signature docker-push-signature
-
-docker-buildx-builder:
-	if ! docker buildx ls | grep -q kyverno; then\
-		docker buildx create --name kyverno --use;\
-	fi
-
-docker-publish-sigs: docker-buildx-builder docker-build-signature docker-push-signature
-
-docker-build-signature: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
-
-docker-push-signature: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):latest .
-
-##################################
-# SBOM CONTAINER
-##################################
-ALPINE_PATH := cmd/alpineBase
-SBOM_IMAGE := sbom
-.PHONY: docker-build-sbom docker-push-sbom
-
-docker-publish-sbom: docker-buildx-builder docker-build-sbom docker-push-sbom
-
-docker-build-sbom: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
-
-docker-push-sbom: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
-	@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):latest .
-
 ##################################
 # INIT CONTAINER
 ##################################
@ -96,6 +59,11 @@ initContainer: fmt vet

 .PHONY: docker-build-initContainer docker-push-initContainer

+docker-buildx-builder:
+	if ! docker buildx ls | grep -q kyverno; then\
+		docker buildx create --name kyverno --use;\
+	fi
+
 docker-publish-initContainer: docker-buildx-builder docker-build-initContainer docker-push-initContainer

 docker-build-initContainer: docker-buildx-builder
--- a/cmd/alpineBase/Dockerfile
+++ b/cmd/alpineBase/Dockerfile
@ -1 +0,0 @@
-FROM alpine:3.14
--- a/cosign.pub
+++ b/cosign.pub
@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
-7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
-----END PUBLIC KEY-----