name: image
on:
  push:
    branches:
      - 'main'
      - 'release*'

permissions:
  contents: read
  packages: write
  id-token: write 

jobs:
  push-init-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyvernopre
      image_name: kyvernopre
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}
      
  push-kyverno:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-kyverno
      image_name: kyverno
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  push-kyverno-cli:
    uses: ./.github/workflows/reuse.yaml
    with:
      publish_command: ko-publish-cli
      image_name: kyverno-cli
      tag: image
    secrets:
      registry_username: ${{ github.actor }}
      registry_password: ${{ secrets.CR_PAT }}

  generate-init-kyverno-provenance:
    needs: push-init-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.3.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
      digest: "${{ needs.push-init-kyverno.outputs.init-container-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

  generate-kyverno-provenance:
    needs: push-kyverno
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.3.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno
      digest: "${{ needs.push-kyverno.outputs.kyverno-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

  generate-kyverno-cli-provenance:
    needs: push-kyverno-cli
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
    # NOTE: The container generator workflow is not officially released as GA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.3.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
      digest: "${{ needs.push-kyverno-cli.outputs.cli-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.CR_PAT }}