chore: build cleanup controller image (#5737)

* chore: build cleanup controller image Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * image Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * reuse Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2022-12-21 13:07:59 +01:00 · 2022-12-21 13:07:59 +01:00 · 9d312d740c
commit 9d312d740c
parent 4e29ebca86
4 changed files with 76 additions and 6 deletions
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@ -131,6 +131,34 @@ jobs:
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

+  build-kyverno-cleanup-controller:
+    runs-on: ubuntu-latest
+    needs: pre-checks
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+
+      - name: Set up Go
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: ~1.19.4
+
+      - name: Cache Go modules
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: ko build
+        run: make ko-build-cleanup-controller
+
  build-kyverno-cli:
    runs-on: ubuntu-latest
    needs: pre-checks
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -24,7 +24,7 @@ jobs:
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}
-      
+
  push-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
@ -35,6 +35,16 @@ jobs:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

+  push-cleanup-controller:
+    uses: ./.github/workflows/reuse.yaml
+    with:
+      publish_command: ko-publish-cleanup-controller
+      image_name: cleanup-controller
+      tag: image
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}
+
  push-kyverno-cli:
    uses: ./.github/workflows/reuse.yaml
    with:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -35,6 +35,21 @@ jobs:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

+  release-cleanup-controller:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    uses: ./.github/workflows/reuse.yaml
+    with:
+      publish_command: ko-publish-cleanup-controller
+      image_name: cleanup-controller
+      tag: release
+      main: cmd/cleanup-controller
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.CR_PAT }}
+
  release-kyverno-cli:
    permissions:
      contents: read
@ -80,6 +95,21 @@ jobs:
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

+  generate-cleanup-controller-provenance:
+    needs: release-cleanup-controller
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
+      digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
  generate-kyverno-cli-provenance:
    needs: release-kyverno-cli
    permissions:
@ -100,6 +130,7 @@ jobs:
    needs:
      - release-init-kyverno
      - release-kyverno
+      - release-cleanup-controller
      - release-kyverno-cli
    steps:
      - name: Set version
@ -145,7 +176,6 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-
  push-and-sign-install-manifest:
    runs-on: ubuntu-latest
    permissions:
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@ -146,10 +146,10 @@ jobs:
        run: |
          set -e
          cosign sign \
-          -a "repo=${{ github.repository }}" \
-          -a "workflow=${{ github.workflow }}" \
-          -a "ref=${{ github.sha }}" \
-          ${{ steps.ko-publish-dev.outputs.digest }}
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.sha }}" \
+            ${{ steps.ko-publish-dev.outputs.digest }}

      - name: Sign release-image
        if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
@ -181,6 +181,8 @@ jobs:
            echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
          elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
            echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
+          elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then
+            echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT
          else
            echo "name=cli-digest=$DIGEST" >> $GITHUB_OUTPUT
          fi