mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00
Code Activity

Fix: CI job to release images (#2929)

Browse source 
* making required changes in images workflow

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* making required changes in release workflow

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
This commit is contained in:
Naman Lakhwani 2022-01-10 19:40:44 +05:30 committed by GitHub
parent 9a9326928c
commit 8350aadc58
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 54 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
.github/workflows/image.yaml vendored
View file

@ -26,7 +26,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.0'
cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -45,7 +45,7 @@ jobs:
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
echo "::set-output name=digest::$(make docker-get-initContainer-dev-digest)"
- name: Sign image
env:
@ -78,7 +78,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.0'
cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -96,7 +96,7 @@ jobs:
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
echo "::set-output name=digest::$(make docker-get-kyverno-dev-digest)"
- name: Sign image
env:
@ -129,7 +129,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.0'
cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -147,7 +147,7 @@ jobs:
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-cli-digest)"
echo "::set-output name=digest::$(make docker-get-cli-dev-digest)"
- name: Sign image
env:

48
.github/workflows/release.yaml vendored
View file

@ -6,6 +6,10 @@ on:
jobs:
release-init-kyverno:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
@ -20,7 +24,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
cosign-release: 'v1.4.1'
- name: Cache Go modules
uses: actions/cache@v1
@ -50,23 +54,31 @@ jobs:
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish
id: push-step
run: |
make docker-publish-sigs
make docker-publish-initContainer
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
- name: Sign image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign \
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }}
ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
release-kyverno:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
@ -81,7 +93,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
cosign-release: 'v1.4.1'
- name: Cache Go modules
uses: actions/cache@v1
@ -123,20 +135,24 @@ jobs:
path: kyverno-v*-bom.cdx.json
- name : docker images publish
id: push-step
run: |
make docker-publish-sbom
make docker-publish-kyverno
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
- name: Sign image and SBOM
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign \
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }}
ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
- name: Trivy Scan Image
@ -151,6 +167,10 @@ jobs:
release-kyverno-cli:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
@ -165,7 +185,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
cosign-release: 'v1.4.1'
- name: Cache Go modules
uses: actions/cache@v1
@ -195,19 +215,23 @@ jobs:
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish
id: push-step
run: |
make docker-publish-cli
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-cli-digest)"
- name: Sign image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign \
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }}
ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
create-release:
runs-on: ubuntu-latest

15
Makefile
View file

@ -108,6 +108,9 @@ docker-push-initContainer: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-initContainer-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-build-initContainer-local:
CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
@docker build -f $(PWD)/$(INITC_PATH)/localDockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)
@ -119,7 +122,7 @@ docker-push-initContainer-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-initContainer-digest:
docker-get-initContainer-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
##################################
# KYVERNO CONTAINER
@ -152,13 +155,16 @@ docker-push-kyverno: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
docker-get-kyverno-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev
docker-push-kyverno-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
docker-get-kyverno-digest:
docker-get-kyverno-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
##################################
@ -191,13 +197,16 @@ docker-push-cli: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-cli-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev
docker-push-cli-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-cli-digest:
docker-get-cli-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
##################################