name: image
on:
  push:
    branches:
      - 'main'
      - 'release*'

permissions:
  contents: read
  packages: write
  id-token: write 

jobs:
  push-init-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyvernopre
      image_name: kyvernopre
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}
      
  push-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyverno
      image_name: kyverno
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  push-kyverno-cli:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-cli
      image_name: kyverno-cli
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  generate-init-kyverno-provenance:
    needs: push-init-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
      digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"
      registry-username: ${{ github.actor }}
    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
      compile-generator: true
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

  generate-kyverno-provenance:
    needs: push-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno
      digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"
      registry-username: ${{ github.actor }}
    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
      compile-generator: true
    secrets:
      registry-password: ${{ secrets.CR_PAT }}
      
  generate-kyverno-cli-provenance:
    needs: push-kyverno-cli
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
      digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"
      registry-username: ${{ github.actor }}
    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
      compile-generator: true
    secrets:
      registry-password: ${{ secrets.CR_PAT }}