diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index b4aa9ca016..978a38f414 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -26,7 +26,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.4.1' - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin @@ -45,7 +45,7 @@ jobs: - name: get digest id: get-step run: | - echo "::set-output name=digest::$(make docker-get-initContainer-digest)" + echo "::set-output name=digest::$(make docker-get-initContainer-dev-digest)" - name: Sign image env: @@ -78,7 +78,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.4.1' - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin @@ -96,7 +96,7 @@ jobs: - name: get digest id: get-step run: | - echo "::set-output name=digest::$(make docker-get-kyverno-digest)" + echo "::set-output name=digest::$(make docker-get-kyverno-dev-digest)" - name: Sign image env: @@ -129,7 +129,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.4.1' - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin @@ -147,7 +147,7 @@ jobs: - name: get digest id: get-step run: | - echo "::set-output name=digest::$(make docker-get-cli-digest)" + echo "::set-output name=digest::$(make docker-get-cli-dev-digest)" - name: Sign image env: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ff0eda6b15..907ee1c504 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
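Review bot: The `get digest` step passes whatever `make docker-get-initContainer-dev-digest` prints straight into `steps.get-step.outputs.digest`, and nothing checks that it is a 64-character hex digest before the Sign step (whose `run:` block continues outside this hunk) builds an `@sha256:<digest>` reference from it; as the Makefile hunks in this same diff show, that target ends in a `sed` pipe, so a failed `imagetools inspect` still exits 0 and yields a plausible-looking hash of empty input. A guard in this step keeps a bad value from reaching cosign, e.g. `d="$(make docker-get-initContainer-dev-digest)"; [[ "$d" =~ ^[0-9a-f]{64}$ ]] || exit 1` before the `echo`. The same applies to the `docker-get-kyverno-dev-digest` and `docker-get-cli-dev-digest` hunks in this file. `::set-output` has since been deprecated by GitHub in favour of `echo "digest=$d" >> "$GITHUB_OUTPUT"`, which is worth adopting when these steps are next touched.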
@@ -6,6 +6,10 @@ on: jobs: release-init-kyverno: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -20,7 +24,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.2.1' + cosign-release: 'v1.4.1' - name: Cache Go modules uses: actions/cache@v1 @@ -50,23 +54,31 @@ jobs: echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish - id: push-step run: | make docker-publish-sigs make docker-publish-initContainer + - name: get digest + id: get-step + run: | + echo "::set-output name=digest::$(make docker-get-initContainer-digest)" + - name: Sign image env: COSIGN_EXPERIMENTAL: "true" run: | - cosign sign \ + cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ - ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }} + ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }} release-kyverno: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -81,7 +93,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.2.1' + cosign-release: 'v1.4.1' - name: Cache Go modules uses: actions/cache@v1 
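Review bot: The Sign step now signs `ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}`, but that digest is obtained by re-resolving the `$(IMAGE_TAG)` tag from the registry after the push rather than from the push itself, so the signature attests whatever the tag points at when `get digest` runs, and an empty output turns the reference into a malformed `@sha256:`. If the buildx version in use supports it, capturing the digest from the publish step (`--metadata-file` on `docker buildx build --push`, which records `containerimage.digest`) binds the signature to the exact manifest this job produced; failing that, reject a non-hex value before signing by adding `DIGEST: ${{ steps.get-step.outputs.digest }}` under the step's `env:` and `[[ "$DIGEST" =~ ^[0-9a-f]{64}$ ]] || exit 1` as the first line of the Sign `run:`. The added job-level `permissions` blocks (`contents: read`, `packages: write`, `id-token: write`) are the right minimum for keyless signing and pushing to GHCR. The same digest handling appears in the release-kyverno (@@ -123) and release-kyverno-cli (@@ -195) hunks.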
@@ -123,20 +135,24 @@ jobs: path: kyverno-v*-bom.cdx.json - name : docker images publish - id: push-step run: | make docker-publish-sbom make docker-publish-kyverno + - name: get digest + id: get-step + run: | + echo "::set-output name=digest::$(make docker-get-kyverno-digest)" + - name: Sign image and SBOM env: COSIGN_EXPERIMENTAL: "true" run: | - cosign sign \ + cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ - ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }} + ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }} cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest - name: Trivy Scan Image @@ -151,6 +167,10 @@ jobs: release-kyverno-cli: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v2 @@ -165,7 +185,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.2.1' + cosign-release: 'v1.4.1' - name: Cache Go modules uses: actions/cache@v1 @@ -195,19 +215,23 @@ jobs: echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish - id: push-step run: | make docker-publish-cli + - name: get digest + id: get-step + run: | + echo "::set-output name=digest::$(make docker-get-cli-digest)" + - name: Sign image env: COSIGN_EXPERIMENTAL: "true" run: | - cosign sign \ + cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ - ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }} + ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }} create-release: runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index 3259b65eba..1bc866f38e 100644 --- a/Makefile +++ b/Makefile 
@@ -108,6 +108,9 @@ docker-push-initContainer: docker-buildx-builder @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) +docker-get-initContainer-digest: + @docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' + docker-build-initContainer-local: CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go @docker build -f $(PWD)/$(INITC_PATH)/localDockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH) @@ -119,7 +122,7 @@ docker-push-initContainer-dev: docker-buildx-builder @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) -docker-get-initContainer-digest: +docker-get-initContainer-dev-digest: @docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' ################################## # KYVERNO CONTAINER 
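Review bot: `docker-get-initContainer-digest` pipes `docker buildx imagetools inspect --raw` through `perl`, `openssl dgst` and `sed` under make's default `/bin/sh`, which has no pipefail, so when the inspect fails (tag not yet pushed, registry auth missing) the recipe still exits 0 and prints the sha256 of empty input as if it were the image digest. Setting `SHELL := /bin/bash` and `.SHELLFLAGS := -eo pipefail -c` at the top of the Makefile (outside this hunk) makes every such recipe fail loudly instead. The `chomp if eof` step also assumes `--raw` appends a trailing newline that is not part of the bytes the registry hashed; if the buildx version in use supports `--format '{{.Manifest.Digest}}'` on `imagetools inspect`, that returns the registry's own digest (with the `sha256:` prefix the workflow currently adds itself) and avoids the re-hash entirely. The new `docker-get-kyverno-digest` (@@ -152) and `docker-get-cli-digest` (@@ -191) targets share both points.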
@@ -152,13 +155,16 @@ docker-push-kyverno: docker-buildx-builder @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS) +docker-get-kyverno-digest: + @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' + docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev docker-push-kyverno-dev: docker-buildx-builder @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS) -docker-get-kyverno-digest: +docker-get-kyverno-dev-digest: @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' ################################## 
@@ -191,13 +197,16 @@ docker-push-cli: docker-buildx-builder @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) +docker-get-cli-digest: + @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' + docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev docker-push-cli-dev: docker-buildx-builder @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) -docker-get-cli-digest: +docker-get-cli-dev-digest: @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' ##################################