mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

Fix: CI job to release images (#2929)

Browse source 
* making required changes in images workflow

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* making required changes in release workflow

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
This commit is contained in:
Naman Lakhwani 2022-01-10 19:40:44 +05:30 committed by GitHub
parent 9a9326928c
commit 8350aadc58
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 54 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
.github/workflows/image.yaml vendored
View file

@ -26,7 +26,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.4.0' cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -45,7 +45,7 @@ jobs:
- name: get digest - name: get digest
id: get-step id: get-step
run: | run: |
echo "::set-output name=digest::$(make docker-get-initContainer-digest)" echo "::set-output name=digest::$(make docker-get-initContainer-dev-digest)"
- name: Sign image - name: Sign image
env: env:
@ -78,7 +78,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.4.0' cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -96,7 +96,7 @@ jobs:
- name: get digest - name: get digest
id: get-step id: get-step
run: | run: |
echo "::set-output name=digest::$(make docker-get-kyverno-digest)" echo "::set-output name=digest::$(make docker-get-kyverno-dev-digest)"
- name: Sign image - name: Sign image
env: env:
@ -129,7 +129,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.4.0' cosign-release: 'v1.4.1'
- name: login to GitHub Container Registry - name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
@ -147,7 +147,7 @@ jobs:
- name: get digest - name: get digest
id: get-step id: get-step
run: | run: |
echo "::set-output name=digest::$(make docker-get-cli-digest)" echo "::set-output name=digest::$(make docker-get-cli-dev-digest)"
- name: Sign image - name: Sign image
env: env:

48
.github/workflows/release.yaml vendored
View file

@ -6,6 +6,10 @@ on:
jobs: jobs:
release-init-kyverno: release-init-kyverno:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
@ -20,7 +24,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.2.1' cosign-release: 'v1.4.1'
- name: Cache Go modules - name: Cache Go modules
uses: actions/cache@v1 uses: actions/cache@v1
@ -50,23 +54,31 @@ jobs:
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish - name : docker images publish
id: push-step
run: | run: |
make docker-publish-sigs make docker-publish-sigs
make docker-publish-initContainer make docker-publish-initContainer
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
- name: Sign image - name: Sign image
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: | run: |
cosign sign \ cosign sign \
-a "repo=${{ github.repository }}" \ -a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \ -a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \ -a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }} ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
release-kyverno: release-kyverno:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
@ -81,7 +93,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.2.1' cosign-release: 'v1.4.1'
- name: Cache Go modules - name: Cache Go modules
uses: actions/cache@v1 uses: actions/cache@v1
@ -123,20 +135,24 @@ jobs:
path: kyverno-v*-bom.cdx.json path: kyverno-v*-bom.cdx.json
- name : docker images publish - name : docker images publish
id: push-step
run: | run: |
make docker-publish-sbom make docker-publish-sbom
make docker-publish-kyverno make docker-publish-kyverno
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
- name: Sign image and SBOM - name: Sign image and SBOM
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: | run: |
cosign sign \ cosign sign \
-a "repo=${{ github.repository }}" \ -a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \ -a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \ -a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }} ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
- name: Trivy Scan Image - name: Trivy Scan Image
@ -151,6 +167,10 @@ jobs:
release-kyverno-cli: release-kyverno-cli:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
@ -165,7 +185,7 @@ jobs:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v1.2.1' cosign-release: 'v1.4.1'
- name: Cache Go modules - name: Cache Go modules
uses: actions/cache@v1 uses: actions/cache@v1
@ -195,19 +215,23 @@ jobs:
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish - name : docker images publish
id: push-step
run: | run: |
make docker-publish-cli make docker-publish-cli
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make docker-get-cli-digest)"
- name: Sign image - name: Sign image
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: | run: |
cosign sign \ cosign sign \
-a "repo=${{ github.repository }}" \ -a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \ -a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \ -a "ref=${{ github.sha }}" \
ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }} ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
create-release: create-release:
runs-on: ubuntu-latest runs-on: ubuntu-latest

15
Makefile
View file

@ -108,6 +108,9 @@ docker-push-initContainer: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-initContainer-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-build-initContainer-local: docker-build-initContainer-local:
CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
@docker build -f $(PWD)/$(INITC_PATH)/localDockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH) @docker build -f $(PWD)/$(INITC_PATH)/localDockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)
@ -119,7 +122,7 @@ docker-push-initContainer-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-initContainer-digest: docker-get-initContainer-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' @docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
################################## ##################################
# KYVERNO CONTAINER # KYVERNO CONTAINER
@ -152,13 +155,16 @@ docker-push-kyverno: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
docker-get-kyverno-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev
docker-push-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS) @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
docker-get-kyverno-digest: docker-get-kyverno-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
################################## ##################################
@ -191,13 +197,16 @@ docker-push-cli: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
docker-get-cli-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev docker-publish-cli-dev: docker-buildx-builder docker-push-cli-dev
docker-push-cli-dev: docker-buildx-builder docker-push-cli-dev: docker-buildx-builder
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
docker-get-cli-digest: docker-get-cli-dev-digest:
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //' @docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
################################## ##################################