name: releaser on: push: tags: - 'v*' jobs: release-init-kyverno: permissions: contents: read packages: write id-token: write uses: ./.github/workflows/reuse.yaml with: publish_command: ko-publish-kyvernopre image_name: kyvernopre tag: release main: cmd/initContainer secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} release-kyverno: permissions: contents: read packages: write id-token: write uses: ./.github/workflows/reuse.yaml with: publish_command: ko-publish-kyverno image_name: kyverno tag: release main: cmd/kyverno secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} release-cleanup-controller: permissions: contents: read packages: write id-token: write uses: ./.github/workflows/reuse.yaml with: publish_command: ko-publish-cleanup-controller image_name: cleanup-controller tag: release main: cmd/cleanup-controller secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} release-kyverno-cli: permissions: contents: read packages: write id-token: write uses: ./.github/workflows/reuse.yaml with: publish_command: ko-publish-cli image_name: kyverno-cli tag: release main: cmd/cli/kubectl-kyverno secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.CR_PAT }} generate-init-kyverno-provenance: needs: release-init-kyverno permissions: id-token: write # To sign the provenance. packages: write # To upload assets to release. actions: read #To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 with: image: ghcr.io/${{ github.repository_owner }}/kyvernopre digest: "${{ needs.release-init-kyverno.outputs.init-container-digest }}" registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.CR_PAT }} generate-kyverno-provenance: needs: release-kyverno permissions: id-token: write # To sign the provenance. packages: write # To upload assets to release. actions: read #To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 with: image: ghcr.io/${{ github.repository_owner }}/kyverno digest: "${{ needs.release-kyverno.outputs.kyverno-digest }}" registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.CR_PAT }} generate-cleanup-controller-provenance: needs: release-cleanup-controller permissions: id-token: write # To sign the provenance. packages: write # To upload assets to release. actions: read #To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 with: image: ghcr.io/${{ github.repository_owner }}/cleanup-controller digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}" registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.CR_PAT }} generate-kyverno-cli-provenance: needs: release-kyverno-cli permissions: id-token: write # To sign the provenance. packages: write # To upload assets to release. actions: read #To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 with: image: ghcr.io/${{ github.repository_owner }}/kyverno-cli digest: "${{ needs.release-kyverno-cli.outputs.cli-digest }}" registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.CR_PAT }} create-release: runs-on: ubuntu-latest needs: - release-init-kyverno - release-kyverno - release-cleanup-controller - release-kyverno-cli steps: - name: Set version id: version run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup build env uses: ./.github/actions/setup-build-env - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0 - name: Make Release env: VERSION: ${{ steps.version.outputs.version }} run: | rm -rf release mkdir release make release-notes > release/release-notes.out cat release/release-notes.out - name: Run GoReleaser uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # pin@v4.1.0 with: version: latest args: release --rm-dist --debug --release-notes=release/release-notes.out env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} push-and-sign-install-manifest: runs-on: ubuntu-latest permissions: contents: write # needed to write releases id-token: write # needed for keyless signing packages: write # needed for ghcr access needs: - create-release steps: - name: Set version id: version run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup build env uses: ./.github/actions/setup-build-env - name: Setup Flux CLI uses: fluxcd/flux2/action@f58b82fb4ed53939dc1c9d7e370deab885527368 # v0.38.2 with: version: 0.35.0 - name: Install Cosign uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 with: cosign-release: 'v1.13.0' - name: Build yaml manifest run: make codegen-manifest-release - name: Upload yaml manifest uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # pin@v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: .manifest/release.yaml asset_name: install.yaml tag: ${{ github.ref }} - name: Login to GHCR uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push manifests to GHCR with Flux env: CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }} run: | set -e mkdir -p config/.release-manifests cp .manifest/release.yaml config/.release-manifests/install.yaml cd config/.release-manifests/ && \ flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} \ --path="." \ --source="$(git config --get remote.origin.url)" \ --revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)" - name: Sign manifests in GHCR with Cosign env: COSIGN_EXPERIMENTAL: 1 run: | cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} release-cli-via-krew: runs-on: ubuntu-latest needs: - create-release steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup build env uses: ./.github/actions/setup-build-env - name: Check Tag id: check-tag run: | if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "match=true" >> $GITHUB_OUTPUT fi - name: Update new version in krew-index if: steps.check-tag.outputs.match == 'true' uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # pin@v0.0.43