1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

chore: simplify release workflow (#6031)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-19 07:28:26 +01:00 committed by GitHub
parent af3882f869
commit 7176e7282b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 95 additions and 284 deletions

View file

@ -6,72 +6,90 @@ on:
- 'v*'
jobs:
release-init-kyverno:
release-images:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
uses: ./.github/workflows/reuse.yaml
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
with:
publish_command: ko-publish-kyvernopre
image_name: kyvernopre
tag: release
main: cmd/initContainer
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-kyverno:
permissions:
contents: read
packages: write
id-token: write
uses: ./.github/workflows/reuse.yaml
build-cache-key: release-images
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with:
publish_command: ko-publish-kyverno
image_name: kyverno
tag: release
main: cmd/kyverno
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-cleanup-controller:
permissions:
contents: read
packages: write
id-token: write
uses: ./.github/workflows/reuse.yaml
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
publish_command: ko-publish-cleanup-controller
image_name: cleanup-controller
tag: release
main: cmd/cleanup-controller
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-kyverno-cli:
permissions:
contents: read
packages: write
id-token: write
uses: ./.github/workflows/reuse.yaml
cosign-release: 'v1.13.0'
- name: Publish kyverno
uses: ./.github/actions/publish-image
with:
publish_command: ko-publish-cli
image_name: kyverno-cli
tag: release
main: cmd/cli/kubectl-kyverno
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
makefile-target: ko-publish-kyverno
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: kyverno
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/kyverno
- name: Publish kyvernopre
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-kyvernopre
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: kyvernopre
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/initContainer
- name: Publish cleanup-controller
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-cleanup-controller
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: cleanup-controller
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cleanup-controller
- name: Publish cli
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-cli
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: cli
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cli/kubectl-kyverno
generate-init-kyverno-provenance:
needs: release-init-kyverno
needs: release-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read #To read the workflow path.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
@ -82,11 +100,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }}
generate-kyverno-provenance:
needs: release-kyverno
needs: release-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read #To read the workflow path.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
@ -97,11 +115,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }}
generate-cleanup-controller-provenance:
needs: release-cleanup-controller
needs: release-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read #To read the workflow path.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
@ -112,11 +130,11 @@ jobs:
registry-password: ${{ secrets.CR_PAT }}
generate-kyverno-cli-provenance:
needs: release-kyverno-cli
needs: release-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read #To read the workflow path.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
@ -128,11 +146,7 @@ jobs:
create-release:
runs-on: ubuntu-latest
needs:
- release-init-kyverno
- release-kyverno
- release-cleanup-controller
- release-kyverno-cli
needs: release-images
steps:
- name: Set version
id: version
@ -141,8 +155,7 @@ jobs:
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- name: Make Release
env:
VERSION: ${{ steps.version.outputs.version }}
@ -151,9 +164,8 @@ jobs:
mkdir release
make release-notes > release/release-notes.out
cat release/release-notes.out
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # pin@v4.1.0
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
with:
version: latest
args: release --rm-dist --debug --release-notes=release/release-notes.out
@ -162,12 +174,11 @@ jobs:
push-and-sign-install-manifest:
runs-on: ubuntu-latest
needs: create-release
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
needs:
- create-release
steps:
- name: Set version
id: version
@ -180,15 +191,12 @@ jobs:
uses: fluxcd/flux2/action@a9f53b4f1aef910fab68f790f7bf5b49c9a1677c # v0.38.3
with:
version: 0.35.0
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.0'
- name: Build yaml manifest
run: make codegen-manifest-release
- name: Upload install manifest
uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0
with:
@ -196,7 +204,6 @@ jobs:
file: .manifest/release.yaml
asset_name: install.yaml
tag: ${{ github.ref }}
- name: Upload CRD manifest
uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0
with:
@ -204,14 +211,12 @@ jobs:
file: config/crds/*.yaml
file_glob: true
tag: ${{ github.ref }}
- name: Login to GHCR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push manifests to GHCR with Flux
env:
CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }}
@ -224,7 +229,6 @@ jobs:
--path="." \
--source="$(git config --get remote.origin.url)" \
--revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)"
- name: Sign manifests in GHCR with Cosign
env:
COSIGN_EXPERIMENTAL: 1
@ -233,8 +237,7 @@ jobs:
release-cli-via-krew:
runs-on: ubuntu-latest
needs:
- create-release
needs: create-release
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@ -248,4 +251,4 @@ jobs:
fi
- name: Update new version in krew-index
if: steps.check-tag.outputs.match == 'true'
uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # pin@v0.0.43
uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43

View file

@ -1,192 +0,0 @@
name: Create Publish and Sign Docker Image
on:
workflow_call:
inputs:
publish_command:
required: true
type: string
image_name:
required: true
type: string
tag:
required: true
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
outputs:
init-container-digest:
description: "sha256 digest of kyverno init docker image"
value: ${{ jobs.build.outputs.init-container-digest }}
kyverno-digest:
description: "sha256 digest of kyverno docker image"
value: ${{ jobs.build.outputs.kyverno-digest }}
cleanup-controller-digest:
description: "sha256 digest of cleanup-controller docker image"
value: ${{ jobs.build.outputs.cleanup-controller-digest }}
cli-digest:
description: "sha256 digest of kyverno docker image"
value: ${{ jobs.build.outputs.cli-digest }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
outputs:
init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }}
kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }}
cleanup-controller-digest: ${{ steps.set-sha256sum-digest.outputs.cleanup-controller-digest }}
cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }}
steps:
- name: Checkout release
if: ${{ inputs.tag == 'release'}}
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 0
- name: Checkout image
if: ${{ inputs.tag == 'image'}}
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Unshallow
if: ${{ inputs.tag == 'image'}}
run: git fetch --prune --unshallow --tags
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: ~1.19.4
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.0'
- name: Cache Go modules
uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # pin@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
/tmp/ko-cache
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Set Version
if: ${{ inputs.tag == 'release'}}
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
- name: Generate SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
with:
version: v1
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- name: Upload SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{inputs.image_name}}-bom-cdx
path: ${{inputs.image_name}}-v*-bom.cdx.json
- name: Extract branch name
if: ${{inputs.tag == 'image'}}
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
- name: Check branch
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
id: check-branch
run: |
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
echo "match=true" >> $GITHUB_OUTPUT
fi
- name: ko build dev image
id: ko-publish-dev
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
run: |
set -e
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT
- name: ko build release image
id: ko-publish
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
run: |
set -e
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT
- name: Sign dev image
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish-dev.outputs.digest }}
- name: Sign release-image
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish.outputs.digest }}
- name : Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
- name: get sha256sum image digest
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
id: set-sha256sum-digest
run: |
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
echo "Digest from image is: $DIGEST"
if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then
echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT
else
echo "cli-digest=$DIGEST" >> $GITHUB_OUTPUT
fi