From 4e29ebca865d32b53528cbbc83f5ecbaf1861e8a Mon Sep 17 00:00:00 2001
From: shuting
Date: Wed, 21 Dec 2022 19:13:21 +0800
Subject: [PATCH] generate SLSA provenance on releases (#5735)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: ShutingZhao
Signed-off-by: ShutingZhao
Co-authored-by: Charles-Edouard Brétéché
---
 .github/workflows/image.yaml | 45 ----------------------------------------
 .github/workflows/release.yaml | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 4a5fcc8f4e..e7a431747a 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -44,48 +44,3 @@ jobs:
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
-
- generate-init-kyverno-provenance:
- needs: push-init-kyverno
- permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read #To read the workflow path.
- # NOTE: The container generator workflow is not officially released as GA.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
- with:
- image: ghcr.io/${{ github.repository_owner }}/kyvernopre
- digest: "${{ needs.push-init-kyverno.outputs.init-container-digest }}"
- registry-username: ${{ github.actor }}
- secrets:
- registry-password: ${{ secrets.CR_PAT }}
-
- generate-kyverno-provenance:
- needs: push-kyverno
- permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read #To read the workflow path.
- # NOTE: The container generator workflow is not officially released as GA.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
- with:
- image: ghcr.io/${{ github.repository_owner }}/kyverno
- digest: "${{ needs.push-kyverno.outputs.kyverno-digest }}"
- registry-username: ${{ github.actor }}
- secrets:
- registry-password: ${{ secrets.CR_PAT }}
-
- generate-kyverno-cli-provenance:
- needs: push-kyverno-cli
- permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read #To read the workflow path.
- # NOTE: The container generator workflow is not officially released as GA.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
- with:
- image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
- digest: "${{ needs.push-kyverno-cli.outputs.cli-digest }}"
- registry-username: ${{ github.actor }}
- secrets:
- registry-password: ${{ secrets.CR_PAT }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2c683fad9a..91a615a7f1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -50,6 +50,51 @@ jobs:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
+ generate-init-kyverno-provenance:
+ needs: release-init-kyverno
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read #To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+ digest: "${{ needs.release-init-kyverno.outputs.init-container-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.CR_PAT }}
+
+ generate-kyverno-provenance:
+ needs: release-kyverno
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read #To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyverno
+ digest: "${{ needs.release-kyverno.outputs.kyverno-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.CR_PAT }}
+
+ generate-kyverno-cli-provenance:
+ needs: release-kyverno-cli
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read #To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
+ digest: "${{ needs.release-kyverno-cli.outputs.cli-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.CR_PAT }}
+
create-release:
runs-on: ubuntu-latest
needs:
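Review bot: The permission comments on the three new provenance jobs do not describe what the container generator actually does with them: as far as I can tell `packages: write # To upload assets to release.` is needed so the generator can push the signed provenance attestation to ghcr.io next to the image, not to attach release assets, and `actions: read #To read the workflow path.` is missing the space after `#`; suggest `packages: write # To push the provenance attestation to the registry.` and `actions: read # To read the workflow path.` in all three jobs (generate-init-kyverno-provenance, generate-kyverno-provenance, generate-kyverno-cli-provenance). Each job also hands the long-lived `CR_PAT` to the third-party reusable workflow via `registry-password: ${{ secrets.CR_PAT }}`; since `packages: write` is already granted, `${{ secrets.GITHUB_TOKEN }}` is likely sufficient for the GHCR push and would keep the PAT out of the generator's scope, worth confirming against what the release-* jobs use. Pinning the generator with `@v1.4.0` rather than a commit SHA looks deliberate, since as I recall the SLSA generator is documented to require a version-tag reference for verifiable provenance, so I would not change it without checking that. The `jobs:` mapping these entries belong to starts before and continues after the hunk.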