From 9d312d740c612b83ed246188ec2c9beff92c0b33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 21 Dec 2022 13:07:59 +0100 Subject: [PATCH] chore: build cleanup controller image (#5737) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: build cleanup controller image Signed-off-by: Charles-Edouard Brétéché * image Signed-off-by: Charles-Edouard Brétéché * release Signed-off-by: Charles-Edouard Brétéché * reuse Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/image-build.yaml | 28 ++++++++++++++++++++++++++ .github/workflows/image.yaml | 12 ++++++++++- .github/workflows/release.yaml | 32 +++++++++++++++++++++++++++++- .github/workflows/reuse.yaml | 10 ++++++---- 4 files changed, 76 insertions(+), 6 deletions(-) diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml index 2da13ad7d4..74e2625e19 100644 --- a/.github/workflows/image-build.yaml +++ b/.github/workflows/image-build.yaml @@ -131,6 +131,34 @@ jobs: output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + build-kyverno-cleanup-controller: + runs-on: ubuntu-latest + needs: pre-checks + steps: + - name: Checkout + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + + - name: Unshallow + run: git fetch --prune --unshallow + + - name: Set up Go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + with: + go-version: ~1.19.4 + + - name: Cache Go modules + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3 + with: + path: | + ~/.cache/go-build + ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: ko build + run: make ko-build-cleanup-controller + build-kyverno-cli: runs-on: ubuntu-latest needs: pre-checks 
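Review bot: In .github/workflows/image-build.yaml the new `build-kyverno-cleanup-controller` job stops at `make ko-build-cleanup-controller` with no image scan, while the job just above it in the context lines ends with a Trivy step (`output: 'trivy-results.sarif'`, `severity: 'CRITICAL,HIGH'`). If that scan is the vulnerability gate for images built by this workflow, the cleanup controller image would be built here without it; repeating the same Trivy step against the cleanup-controller image would restore parity. The job also sets no `permissions:`, so unless the workflow restricts the token at top level (not visible in this hunk), a job-level `permissions:` with `contents: read` would be enough for a build-only job.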
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index e7a431747a..53311e1f17 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -24,7 +24,7 @@ jobs: secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} - + push-kyverno: uses: ./.github/workflows/reuse.yaml with: @@ -35,6 +35,16 @@ jobs: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} + push-cleanup-controller: + uses: ./.github/workflows/reuse.yaml + with: + publish_command: ko-publish-cleanup-controller + image_name: cleanup-controller + tag: image + secrets: + registry_username: ${{ github.actor }} + registry_password: ${{ secrets.CR_PAT }} + push-kyverno-cli: uses: ./.github/workflows/reuse.yaml with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 91a615a7f1..dc181b8475 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -35,6 +35,21 @@ jobs: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} + release-cleanup-controller: + permissions: + contents: read + packages: write + id-token: write + uses: ./.github/workflows/reuse.yaml + with: + publish_command: ko-publish-cleanup-controller + image_name: cleanup-controller + tag: release + main: cmd/cleanup-controller + secrets: + registry_username: ${{ github.actor }} + registry_password: ${{ secrets.CR_PAT }} + release-kyverno-cli: permissions: contents: read 
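Review bot: `push-cleanup-controller` in .github/workflows/image.yaml has no `permissions:` block, whereas its counterpart `release-cleanup-controller` in release.yaml declares `contents: read`, `packages: write` and `id-token: write` before calling the same reuse.yaml. Unless image.yaml sets these at workflow level (outside this hunk), the called workflow runs with whatever the repository default token scope is, which may be broader than the push and signing steps need. Declaring the same three permissions on this job would keep the two callers consistent and make the token scope explicit.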
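Review bot: `release-cleanup-controller` in .github/workflows/release.yaml authenticates to the registry with the long-lived `secrets.CR_PAT` even though the job already grants `packages: write`; the same applies to `push-cleanup-controller` in image.yaml and to `registry-password` in the new provenance job. A personal access token is tied to a user, outlives the run and can carry scope beyond this repository's packages, so exposing it costs more than exposing the per-run `GITHUB_TOKEN`. If the ghcr.io package settings allow it, `registry_password: ${{ secrets.GITHUB_TOKEN }}` would remove that dependency. This copies the pattern of the existing jobs, so it may be better changed for all callers in one follow-up.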
@@ -80,6 +95,21 @@ jobs: secrets: registry-password: ${{ secrets.CR_PAT }} + generate-cleanup-controller-provenance: + needs: release-cleanup-controller + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read #To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 + with: + image: ghcr.io/${{ github.repository_owner }}/cleanup-controller + digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.CR_PAT }} + generate-kyverno-cli-provenance: needs: release-kyverno-cli permissions: @@ -100,6 +130,7 @@ jobs: needs: - release-init-kyverno - release-kyverno + - release-cleanup-controller - release-kyverno-cli steps: - name: Set version @@ -145,7 +176,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - push-and-sign-install-manifest: runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml index 6e461f64c1..43c21577e5 100644 --- a/.github/workflows/reuse.yaml +++ b/.github/workflows/reuse.yaml @@ -146,10 +146,10 @@ jobs: run: | set -e cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ${{ steps.ko-publish-dev.outputs.digest }} + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ${{ steps.ko-publish-dev.outputs.digest }} - name: Sign release-image if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} 
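Review bot: `generate-cleanup-controller-provenance` reads `needs.release-cleanup-controller.outputs.cleanup-controller-digest`, but the only reuse.yaml changes in this patch are the cosign re-indent and the new `elif` that writes `cleanup-controller-digest` to `$GITHUB_OUTPUT`. A step output reaches the caller only when it is also listed under the job's `outputs:` and under `on.workflow_call.outputs` in reuse.yaml. Those lists are outside the visible hunks; if they name each digest explicitly, `digest:` evaluates to an empty string here and the provenance job cannot attest the pushed image. It is worth confirming both mappings exist, e.g. `cleanup-controller-digest: ${{ jobs.<job_id>.outputs.cleanup-controller-digest }}` (job id is a placeholder) at the workflow level. The `@v1.4.0` tag reference is expected, since the SLSA generator's reusable workflows must be called by full version tag, and a short comment saying so would stop someone SHA-pinning it later.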
@@ -181,6 +181,8 @@ jobs: echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT + elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then + echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT else echo "name=cli-digest=$DIGEST" >> $GITHUB_OUTPUT fi
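Review bot: The new `elif` in .github/workflows/reuse.yaml expands `${{inputs.publish_command}}` directly into the script text, so the value is substituted before bash parses the line. The callers in this patch pass fixed strings, but a reusable workflow is safer passing the input through `env:` (`PUBLISH_COMMAND: ${{ inputs.publish_command }}`) and comparing `"$PUBLISH_COMMAND"`, with `"$GITHUB_OUTPUT"` quoted as well. Any unrecognised command also falls through to the pre-existing `else` branch, which writes `name=cli-digest=$DIGEST` and so appears to set an output named `name`; an explicit CLI branch plus a failing default would make a typo in `publish_command` visible. The step begins and ends outside this hunk.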