mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

chore: build cleanup controller image (#5737)

* chore: build cleanup controller image

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* image

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* release

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* reuse

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2022-12-21 13:07:59 +01:00 committed by GitHub
parent 4e29ebca86
commit 9d312d740c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 76 additions and 6 deletions


@ -131,6 +131,34 @@ jobs:
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
build-kyverno-cleanup-controller:
runs-on: ubuntu-latest
needs: pre-checks
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Unshallow
run: git fetch --prune --unshallow
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: ~1.19.4
- name: Cache Go modules
uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: ko build
run: make ko-build-cleanup-controller
build-kyverno-cli:
runs-on: ubuntu-latest
needs: pre-checks
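Review bot: build-kyverno-cleanup-controller declares no `permissions:`, so its token scope is whatever the workflow or repository default grants. The job only checks out and builds, so a job-level `permissions:` with `contents: read` would be enough, unless a top-level block outside this hunk already restricts the token. The same applies to push-cleanup-controller in the image workflow, whose release counterpart does declare `contents: read`, `packages: write` and `id-token: write`. Separately, the cache action's trailing comment is `# pin@v3` while the other two pinned actions name the exact release (`# v3.2.0`, `# v3.5.0`); naming the exact tag there too makes the pinned SHA easier to audit.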


@ -24,7 +24,7 @@ jobs:
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno:
uses: ./.github/workflows/reuse.yaml
with:
@ -35,6 +35,16 @@ jobs:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-cleanup-controller:
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-cleanup-controller
image_name: cleanup-controller
tag: image
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
push-kyverno-cli:
uses: ./.github/workflows/reuse.yaml
with:
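Review bot: push-cleanup-controller passes no `main` input, while release-cleanup-controller in the release workflow passes `main: cmd/cleanup-controller` to the same `reuse.yaml`. Whether the sibling push jobs pass it is not visible in these hunks, so the omission may be intentional. If `reuse.yaml` uses `main` in any step that also runs for `tag: image`, add `main: cmd/cleanup-controller` here so both callers handle the same entry point. Otherwise a one-line comment on the job saying why it is omitted would help.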


@ -35,6 +35,21 @@ jobs:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-cleanup-controller:
permissions:
contents: read
packages: write
id-token: write
uses: ./.github/workflows/reuse.yaml
with:
publish_command: ko-publish-cleanup-controller
image_name: cleanup-controller
tag: release
main: cmd/cleanup-controller
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.CR_PAT }}
release-kyverno-cli:
permissions:
contents: read
@ -80,6 +95,21 @@ jobs:
secrets:
registry-password: ${{ secrets.CR_PAT }}
generate-cleanup-controller-provenance:
needs: release-cleanup-controller
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read #To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
with:
image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}"
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.CR_PAT }}
generate-kyverno-cli-provenance:
needs: release-kyverno-cli
permissions:
@ -100,6 +130,7 @@ jobs:
needs:
- release-init-kyverno
- release-kyverno
- release-cleanup-controller
- release-kyverno-cli
steps:
- name: Set version
@ -145,7 +176,6 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
push-and-sign-install-manifest:
runs-on: ubuntu-latest
permissions:
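Review bot: release-cleanup-controller and generate-cleanup-controller-provenance both authenticate to the registry with `secrets.CR_PAT`, a long-lived personal token, although both jobs already grant `packages: write` to the workflow token. Since the image lives under `ghcr.io/${{ github.repository_owner }}`, `registry_password: ${{ secrets.GITHUB_TOKEN }}` (and `registry-password:` for the generator) would presumably work, provided the package is linked to this repository. That token expires with the run, which limits what a leaked credential can do. The new jobs copy the pattern of the existing ones, and push-cleanup-controller in the image workflow does the same. It would also help to note next to `@v1.4.0` that the SLSA generator has to be referenced by tag, since the other workflow pins actions by commit SHA.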


@ -146,10 +146,10 @@ jobs:
run: |
set -e
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish-dev.outputs.digest }}
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish-dev.outputs.digest }}
- name: Sign release-image
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
@ -181,6 +181,8 @@ jobs:
echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then
echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT
else
echo "name=cli-digest=$DIGEST" >> $GITHUB_OUTPUT
fi
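Review bot: The new `cleanup-controller-digest` step output only reaches the release workflow if `reuse.yaml` also maps it in the job's `outputs:` and under `on.workflow_call.outputs`, and no hunk in this file adds that mapping. If it is missing, `needs.release-cleanup-controller.outputs.cleanup-controller-digest` evaluates to an empty string and the provenance job receives no digest to attest. The mapping lives outside the visible hunks, so confirm it exists or add entries next to those for the other digests. Separately, the added `elif` expands `${{inputs.publish_command}}` inside the script text like the branches above it; passing it through `env:` and testing `"$PUBLISH_COMMAND"` keeps caller-supplied values out of the shell source.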