mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-16 01:07:14 +00:00
Code Activity

chore: improve publish images workflow (#6029)

Browse source 
* chore: improve publish images workflow

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: improve publish images workflow

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* use action

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* test on PR

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* signature

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-18 18:57:58 +01:00 committed by GitHub
parent 2785827e77
commit 7608842569
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 177 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

86
.github/actions/publish-image/action.yaml vendored Normal file
View file

@ -0,0 +1,86 @@
name: Publish image
description: Publishes a docker image, SBOM, scans vulns, and signs the image.
inputs:
makefile-target:
required: true
description: makefile target to invoke for publishing image with ko
registry:
required: true
description: registry to publish image to
registry-username:
required: true
description: registry credentials username
registry-password:
required: true
description: registry credentials password
repository:
required: true
description: repository to publish image to
sign-image:
required: true
description: sign image
sbom-name:
required: true
description: name of the cyclonedx sbom
sbom-repository:
required: true
description: sbom repository
signature-repository:
required: true
description: signature repository
main-path:
required: true
description: path to main go entry point
outputs:
digest:
value: ${{ steps.digest.outputs.digest }}
description: published image digest
runs:
using: composite
steps:
- shell: bash
id: ko-publish
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repository }}
REGISTRY_PASSWORD: ${{ inputs.registry-password }}
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
set -e
echo "digest=$(make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
- uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
with:
version: v1
args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{ inputs.sbom-name }}-bom-cdx
path: ${{ inputs.sbom-name }}-bom.cdx.json
- shell: bash
if: ${{ inputs.sign-image == 'true' }}
env:
COSIGN_EXPERIMENTAL: 'true'
COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
env:
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
- shell: bash
id: digest
run: |
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
echo "Digest from image is: $DIGEST"
echo "digest=$DIGEST" >> $GITHUB_OUTPUT

56
.github/workflows/image.yaml vendored
View file

@ -1,56 +0,0 @@
name: image
on:
push:
branches:
- 'main'
- 'release*'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
packages: write
id-token: write
jobs:
push-init-kyverno:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-kyvernopre
image_name: kyvernopre
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-kyverno
image_name: kyverno
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-cleanup-controller:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-cleanup-controller
image_name: cleanup-controller
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno-cli:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-cli
image_name: kyverno-cli
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}

91
.github/workflows/images-publish.yaml vendored Normal file
View file

@ -0,0 +1,91 @@
name: Publish images
on:
push:
branches:
- 'main'
- 'release*'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
packages: write
id-token: write
jobs:
publish-images:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
with:
build-cache-key: publish-images
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.0'
- name: Publish kyverno
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-kyverno-dev
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: kyverno
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/kyverno
- name: Publish kyvernopre
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-kyvernopre-dev
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: kyvernopre
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/initContainer
- name: Publish cleanup-controller
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-cleanup-controller-dev
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: cleanup-controller
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cleanup-controller
- name: Publish cli
uses: ./.github/actions/publish-image
with:
makefile-target: ko-publish-cli-dev
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.CR_PAT }}
repository: ${{ github.repository_owner }}
sign-image: true
sbom-name: cli
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./cmd/cli/kubectl-kyverno