mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

chore: simplify release workflow (#6031)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-19 07:28:26 +01:00 committed by GitHub
parent af3882f869
commit 7176e7282b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 95 additions and 284 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

187
.github/workflows/release.yaml vendored
View file

@ -6,72 +6,90 @@ on:
- 'v*' - 'v*'
jobs: jobs:
release-init-kyverno: release-images:
runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write id-token: write
uses: ./.github/workflows/reuse.yaml steps:
with: - name: Checkout
publish_command: ko-publish-kyvernopre uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
image_name: kyvernopre - name: Setup build env
tag: release uses: ./.github/actions/setup-build-env
main: cmd/initContainer with:
secrets: build-cache-key: release-images
registry_username: ${{ github.actor }} - name: Run Trivy vulnerability scanner in repo mode
registry_password: ${{ secrets.CR_PAT }} uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with:
release-kyverno: scan-type: 'fs'
permissions: ignore-unfixed: true
contents: read format: 'sarif'
packages: write output: 'trivy-results.sarif'
id-token: write severity: 'CRITICAL,HIGH'
uses: ./.github/workflows/reuse.yaml - name: Install Cosign
with: uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
publish_command: ko-publish-kyverno with:
image_name: kyverno cosign-release: 'v1.13.0'
tag: release - name: Publish kyverno
main: cmd/kyverno uses: ./.github/actions/publish-image
secrets: with:
registry_username: ${{ github.actor }} makefile-target: ko-publish-kyverno
registry_password: ${{ secrets.CR_PAT }} registry: ghcr.io
registry-username: ${{ github.actor }}
release-cleanup-controller: registry-password: ${{ secrets.CR_PAT }}
permissions: repository: ${{ github.repository_owner }}
contents: read sign-image: true
packages: write sbom-name: kyverno
id-token: write sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
uses: ./.github/workflows/reuse.yaml signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
with: main-path: ./cmd/kyverno
publish_command: ko-publish-cleanup-controller - name: Publish kyvernopre
image_name: cleanup-controller uses: ./.github/actions/publish-image
tag: release with:
main: cmd/cleanup-controller makefile-target: ko-publish-kyvernopre
secrets: registry: ghcr.io
registry_username: ${{ github.actor }} registry-username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }} registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
release-kyverno-cli: sign-image: true
permissions: sbom-name: kyvernopre
contents: read sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
packages: write signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
id-token: write main-path: ./cmd/initContainer
uses: ./.github/workflows/reuse.yaml - name: Publish cleanup-controller
with: uses: ./.github/actions/publish-image
publish_command: ko-publish-cli with:
image_name: kyverno-cli makefile-target: ko-publish-cleanup-controller
tag: release registry: ghcr.io
main: cmd/cli/kubectl-kyverno registry-username: ${{ github.actor }}
secrets: registry-password: ${{ secrets.CR_PAT }}
registry_username: ${{ github.actor }} repository: ${{ github.repository_owner }}
registry_password: ${{ secrets.CR_PAT }} sign-image: true
sbom-name: cleanup-controller
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cleanup-controller
- name: Publish cli
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-cli
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: cli
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cli/kubectl-kyverno
generate-init-kyverno-provenance: generate-init-kyverno-provenance:
needs: release-init-kyverno needs: release-images
permissions: permissions:
id-token: write # To sign the provenance. id-token: write # To sign the provenance.
packages: write # To upload assets to release. packages: write # To upload assets to release.
actions: read #To read the workflow path. actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA. # NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with: with:
@ -82,11 +100,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }} registry-password: ${{ secrets.CR_PAT }}
generate-kyverno-provenance: generate-kyverno-provenance:
needs: release-kyverno needs: release-images
permissions: permissions:
id-token: write # To sign the provenance. id-token: write # To sign the provenance.
packages: write # To upload assets to release. packages: write # To upload assets to release.
actions: read #To read the workflow path. actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA. # NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with: with:
@ -97,11 +115,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }} registry-password: ${{ secrets.CR_PAT }}
generate-cleanup-controller-provenance: generate-cleanup-controller-provenance:
needs: release-cleanup-controller needs: release-images
permissions: permissions:
id-token: write # To sign the provenance. id-token: write # To sign the provenance.
packages: write # To upload assets to release. packages: write # To upload assets to release.
actions: read #To read the workflow path. actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA. # NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with: with:
@ -112,11 +130,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }} registry-password: ${{ secrets.CR_PAT }}
generate-kyverno-cli-provenance: generate-kyverno-cli-provenance:
needs: release-kyverno-cli needs: release-images
permissions: permissions:
id-token: write # To sign the provenance. id-token: write # To sign the provenance.
packages: write # To upload assets to release. packages: write # To upload assets to release.
actions: read #To read the workflow path. actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA. # NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with: with:
@ -128,11 +146,7 @@ jobs:
create-release: create-release:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: needs: release-images
- release-init-kyverno
- release-kyverno
- release-cleanup-controller
- release-kyverno-cli
steps: steps:
- name: Set version - name: Set version
id: version id: version
@ -141,8 +155,7 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Setup build env - name: Setup build env
uses: ./.github/actions/setup-build-env uses: ./.github/actions/setup-build-env
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- name: Make Release - name: Make Release
env: env:
VERSION: ${{ steps.version.outputs.version }} VERSION: ${{ steps.version.outputs.version }}
@ -151,9 +164,8 @@ jobs:
mkdir release mkdir release
make release-notes > release/release-notes.out make release-notes > release/release-notes.out
cat release/release-notes.out cat release/release-notes.out
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # pin@v4.1.0 uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
with: with:
version: latest version: latest
args: release --rm-dist --debug --release-notes=release/release-notes.out args: release --rm-dist --debug --release-notes=release/release-notes.out
@ -162,12 +174,11 @@ jobs:
push-and-sign-install-manifest: push-and-sign-install-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: create-release
permissions: permissions:
contents: write # needed to write releases contents: write # needed to write releases
id-token: write # needed for keyless signing id-token: write # needed for keyless signing
packages: write # needed for ghcr access packages: write # needed for ghcr access
needs:
- create-release
steps: steps:
- name: Set version - name: Set version
id: version id: version
@ -180,15 +191,12 @@ jobs:
uses: fluxcd/flux2/action@a9f53b4f1aef910fab68f790f7bf5b49c9a1677c # v0.38.3 uses: fluxcd/flux2/action@a9f53b4f1aef910fab68f790f7bf5b49c9a1677c # v0.38.3
with: with:
version: 0.35.0 version: 0.35.0
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with: with:
cosign-release: 'v1.13.0' cosign-release: 'v1.13.0'
- name: Build yaml manifest - name: Build yaml manifest
run: make codegen-manifest-release run: make codegen-manifest-release
- name: Upload install manifest - name: Upload install manifest
uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0 uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0
with: with:
@ -196,7 +204,6 @@ jobs:
file: .manifest/release.yaml file: .manifest/release.yaml
asset_name: install.yaml asset_name: install.yaml
tag: ${{ github.ref }} tag: ${{ github.ref }}
- name: Upload CRD manifest - name: Upload CRD manifest
uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0 uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0
with: with:
@ -204,14 +211,12 @@ jobs:
file: config/crds/*.yaml file: config/crds/*.yaml
file_glob: true file_glob: true
tag: ${{ github.ref }} tag: ${{ github.ref }}
- name: Login to GHCR - name: Login to GHCR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Push manifests to GHCR with Flux - name: Push manifests to GHCR with Flux
env: env:
CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }} CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }}
@ -224,7 +229,6 @@ jobs:
--path="." \ --path="." \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)" --revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)"
- name: Sign manifests in GHCR with Cosign - name: Sign manifests in GHCR with Cosign
env: env:
COSIGN_EXPERIMENTAL: 1 COSIGN_EXPERIMENTAL: 1
@ -233,8 +237,7 @@ jobs:
release-cli-via-krew: release-cli-via-krew:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: needs: create-release
- create-release
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@ -248,4 +251,4 @@ jobs:
fi fi
- name: Update new version in krew-index - name: Update new version in krew-index
if: steps.check-tag.outputs.match == 'true' if: steps.check-tag.outputs.match == 'true'
uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # pin@v0.0.43 uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43

192
.github/workflows/reuse.yaml vendored
View file

@ -1,192 +0,0 @@
name: Create Publish and Sign Docker Image
on:
workflow_call:
inputs:
publish_command:
required: true
type: string
image_name:
required: true
type: string
tag:
required: true
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
outputs:
init-container-digest:
description: "sha256 digest of kyverno init docker image"
value: ${{ jobs.build.outputs.init-container-digest }}
kyverno-digest:
description: "sha256 digest of kyverno docker image"
value: ${{ jobs.build.outputs.kyverno-digest }}
cleanup-controller-digest:
description: "sha256 digest of cleanup-controller docker image"
value: ${{ jobs.build.outputs.cleanup-controller-digest }}
cli-digest:
description: "sha256 digest of kyverno docker image"
value: ${{ jobs.build.outputs.cli-digest }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
outputs:
init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }}
kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }}
cleanup-controller-digest: ${{ steps.set-sha256sum-digest.outputs.cleanup-controller-digest }}
cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }}
steps:
- name: Checkout release
if: ${{ inputs.tag == 'release'}}
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 0
- name: Checkout image
if: ${{ inputs.tag == 'image'}}
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Unshallow
if: ${{ inputs.tag == 'image'}}
run: git fetch --prune --unshallow --tags
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: ~1.19.4
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.0'
- name: Cache Go modules
uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # pin@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
/tmp/ko-cache
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Set Version
if: ${{ inputs.tag == 'release'}}
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
- name: Generate SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
with:
version: v1
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- name: Upload SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{inputs.image_name}}-bom-cdx
path: ${{inputs.image_name}}-v*-bom.cdx.json
- name: Extract branch name
if: ${{inputs.tag == 'image'}}
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
- name: Check branch
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
id: check-branch
run: |
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
echo "match=true" >> $GITHUB_OUTPUT
fi
- name: ko build dev image
id: ko-publish-dev
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
run: |
set -e
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT
- name: ko build release image
id: ko-publish
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
run: |
set -e
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT
- name: Sign dev image
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish-dev.outputs.digest }}
- name: Sign release-image
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish.outputs.digest }}
- name : Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
- name: get sha256sum image digest
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
id: set-sha256sum-digest
run: |
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
echo "Digest from image is: $DIGEST"
if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then
echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT
else
echo "cli-digest=$DIGEST" >> $GITHUB_OUTPUT
fi