From dfa8344eb4e7b95824bcb2f3d186de0d0741c4fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 7 Apr 2023 15:47:15 +0200
Subject: [PATCH] fix: slsa provenance generation (#6821)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: slsa provenance generation

Signed-off-by: Charles-Edouard Brétéché

* fix

Signed-off-by: Charles-Edouard Brétéché

---------

Signed-off-by: Charles-Edouard Brétéché
---
 .github/workflows/images-publish.yaml | 5 ++-
 .github/workflows/release.yaml | 57 ++++++++++++++++-----------
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml
index 14ec5896db..3602761a14 100644
--- a/.github/workflows/images-publish.yaml
+++ b/.github/workflows/images-publish.yaml
@@ -45,12 +45,13 @@ jobs:
 registry-username: ${{ github.actor }}
 registry-password: ${{ secrets.CR_PAT }}
 repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
 sign-image: true
 sbom-name: kyverno
 sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/kyverno
- - name: Publish kyvernopre
+ - name: Publish kyverno-init
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-kyverno-init
@@ -60,7 +61,7 @@ jobs:
 repository: ${{ github.repository_owner }}
 version: ${{ github.ref_name }}
 sign-image: true
- sbom-name: kyvernopre
+ sbom-name: kyverno-init
 sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/kyverno-init
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5c07dcaee5..83df5d9db4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,6 +12,13 @@ jobs:
 contents: read
 packages: write
 id-token: write
+ outputs:
+ kyverno-digest: ${{ steps.release-kyverno.outputs.digest }}
+ kyverno-init-digest: ${{ steps.release-kyverno-init.outputs.digest }}
+ background-controller-digest: ${{ steps.release-background-controller.outputs.digest }}
+ cleanup-controller-digest: ${{ steps.release-cleanup-controller.outputs.digest }}
+ cli-digest: ${{ steps.release-cli.outputs.digest }}
+ reports-controller: ${{ steps.release-reports-controller.outputs.digest }}
 steps:
 - name: Checkout
 uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
@@ -32,6 +39,7 @@ jobs:
 with:
 cosign-release: 'v1.13.0'
 - name: Publish kyverno
+ id: release-kyverno
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-kyverno
@@ -45,7 +53,8 @@ jobs:
 sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/kyverno
- - name: Publish kyvernopre
+ - name: Publish kyverno-init
+ id: release-kyverno-init
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-kyverno-init
@@ -55,11 +64,12 @@ jobs:
 repository: ${{ github.repository_owner }}
 version: ${{ github.ref_name }}
 sign-image: true
- sbom-name: kyvernopre
+ sbom-name: kyverno-init
 sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/kyverno-init
 - name: Publish background-controller
+ id: release-background-controller
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-background-controller
@@ -74,6 +84,7 @@ jobs:
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/background-controller
 - name: Publish cleanup-controller
+ id: release-cleanup-controller
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-cleanup-controller
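Review bot: The job output added for the reports controller in the first hunk is named `reports-controller`, but its consumer in the last hunk of this patch (`@@ -201,7 +214,7`, the provenance job for `ghcr.io/${{ github.repository_owner }}/reports-controller`) reads `needs.release-images.outputs.reports-controller-digest`. GitHub Actions evaluates a reference to an undefined job output as an empty string, so that provenance job would be handed `digest: ""` and the SLSA container generator would presumably fail or attest nothing — the same breakage this commit is fixing for the other images, which all read a `*-digest` output that does exist. Rename the output to match its five siblings: `reports-controller-digest: ${{ steps.release-reports-controller.outputs.digest }}`. The `release-images` job header and the rest of its steps lie outside this hunk.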
@@ -88,6 +99,7 @@ jobs:
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/cleanup-controller
 - name: Publish cli
+ id: release-cli
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-cli
@@ -102,6 +114,7 @@ jobs:
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/cli/kubectl-kyverno
 - name: Publish reports-controller
+ id: release-reports-controller
 uses: ./.github/actions/publish-image
 with:
 makefile-target: ko-publish-reports-controller
@@ -116,21 +129,6 @@ jobs:
 signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
 main-path: ./cmd/reports-controller
 
- generate-init-kyverno-provenance:
- needs: release-images
- permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read # To read the workflow path.
- # NOTE: The container generator workflow is not officially released as GA.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
- with:
- image: ghcr.io/${{ github.repository_owner }}/kyvernopre
- digest: "${{ needs.release-init-kyverno.outputs.init-container-digest }}"
- registry-username: ${{ github.actor }}
- secrets:
- registry-password: ${{ secrets.CR_PAT }}
-
 generate-kyverno-provenance:
 needs: release-images
 permissions:
@@ -141,7 +139,22 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ghcr.io/${{ github.repository_owner }}/kyverno
- digest: "${{ needs.release-kyverno.outputs.kyverno-digest }}"
+ digest: "${{ needs.release-images.outputs.kyverno-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.CR_PAT }}
+
+ generate-kyverno-init-provenance:
+ needs: release-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+ digest: "${{ needs.release-images.outputs.kyverno-init-digest }}"
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.CR_PAT }}
@@ -156,7 +169,7 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ghcr.io/${{ github.repository_owner }}/background-controller
- digest: "${{ needs.release-background-controller.outputs.background-controller-digest }}"
+ digest: "${{ needs.release-images.outputs.background-controller-digest }}"
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.CR_PAT }}
@@ -171,7 +184,7 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
- digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}"
+ digest: "${{ needs.release-images.outputs.cleanup-controller-digest }}"
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.CR_PAT }}
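Review bot: The new `generate-kyverno-init-provenance` job still attests `image: ghcr.io/${{ github.repository_owner }}/kyvernopre`, while every other reference to that component in this patch is renamed to `kyverno-init` (`id: release-kyverno-init`, `sbom-name: kyverno-init`, `makefile-target: ko-publish-kyverno-init`). The name the image is actually pushed under is decided by the Makefile target, which is outside this diff; if it is now `kyverno-init`, the generator is handed a digest that does not exist in the `kyvernopre` repository and the attestation fails, and if it is still `kyvernopre` the divergence from the SBOM and step names deserves a comment so the next rename does not silently break provenance again. Either carry the rename through to `image: ghcr.io/${{ github.repository_owner }}/kyverno-init`, or keep the line and state the mismatch on it: `image: ghcr.io/${{ github.repository_owner }}/kyvernopre  # still published as kyvernopre; SBOM and step ids use kyverno-init`. The copied `packages: write # To upload assets to release.` comment also misdescribes this job — what the scope appears to serve here is pushing the provenance attestation to the registry next to the image, not release assets, so `# To push the provenance attestation to ghcr.io.` would be more accurate.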
@@ -186,7 +199,7 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
- digest: "${{ needs.release-kyverno-cli.outputs.cli-digest }}"
+ digest: "${{ needs.release-images.outputs.cli-digest }}"
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.CR_PAT }}
@@ -201,7 +214,7 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ghcr.io/${{ github.repository_owner }}/reports-controller
- digest: "${{ needs.release-reports-controller.outputs.reports-controller-digest }}"
+ digest: "${{ needs.release-images.outputs.reports-controller-digest }}"
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.CR_PAT }}