SLSA provenance added for background and reports controller (#6384)

Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-04-08 10:04:25 +00:00 · 2023-02-28 22:24:37 +05:30 · 2023-02-28 22:24:37 +05:30 · c4acd2da96
commit c4acd2da96
parent 6b5307dbb2
1 changed files with 56 additions and 0 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -57,6 +57,19 @@ jobs:
          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
          main-path: ./cmd/kyverno-init
+      - name: Publish background-controller
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-background-controller
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          sign-image: true
+          sbom-name: background-controller
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/background-controller
      - name: Publish cleanup-controller
        uses: ./.github/actions/publish-image
        with:
@ -83,6 +96,19 @@ jobs:
          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
          main-path: ./cmd/cli/kubectl-kyverno
+      - name: Publish reports-controller
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-reports-controller
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          sign-image: true
+          sbom-name: reports-controller
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/reports-controller

  generate-init-kyverno-provenance:
    needs: release-images
@ -114,6 +140,21 @@ jobs:
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

+  generate-background-controller-provenance:
+    needs: release-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/background-controller
+      digest: "${{ needs.release-background-controller.outputs.background-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
  generate-cleanup-controller-provenance:
    needs: release-images
    permissions:
@ -144,6 +185,21 @@ jobs:
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

+  generate-reports-controller-provenance:
+    needs: release-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/reports-controller
+      digest: "${{ needs.release-reports-controller.outputs.reports-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
  create-release:
    runs-on: ubuntu-latest
    needs: release-images