name: releaser on: push: tags: - 'v*' jobs: release-init-kyverno: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - name: Install Cosign uses: sigstore/cosign-installer@main with: cosign-release: 'v1.2.1' - name: Cache Go modules uses: actions/cache@v1 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - uses: creekorful/goreportcard-action@v1.0 - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 id: buildx with: install: true - name: Set version run: | echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish run: | make docker-publish-sigs make docker-publish-initContainer - name: Sign image run: | export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION} release-kyverno: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - name: Install Cosign uses: sigstore/cosign-installer@main with: cosign-release: 'v1.2.1' - name: Cache Go modules uses: actions/cache@v1 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - uses: creekorful/goreportcard-action@v1.0 - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 id: buildx with: install: true - name: Set version run: | echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name: Generate SBOM JSON uses: CycloneDX/gh-gomod-generate-sbom@v1 with: version: v1 args: mod -licenses -json -output kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json - uses: actions/upload-artifact@v2 with: name: kyverno-bom-cdx path: kyverno-v*-bom.cdx.json - name : docker images publish run: | make docker-publish-sbom make docker-publish-kyverno - name: Sign image and SBOM run: | export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION} cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest - name: Trivy Scan Image uses: aquasecurity/trivy-action@master with: image-ref: 'ghcr.io/kyverno/kyverno:latest' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' release-kyverno-cli: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - name: Install Cosign uses: sigstore/cosign-installer@main with: cosign-release: 'v1.2.1' - name: Cache Go modules uses: actions/cache@v1 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - uses: creekorful/goreportcard-action@v1.0 - name: login to GitHub Container Registry run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 id: buildx with: install: true - name: Set version run: | echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish run: | make docker-publish-cli - name: Sign image run: | export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION} create-release: runs-on: ubuntu-latest needs: - release-init-kyverno - release-kyverno - release-kyverno-cli steps: - name: Set version id: version run: echo ::set-output name=version::${GITHUB_REF#refs/*/} - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - name: Cache Go modules uses: actions/cache@v1 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Set up Go uses: actions/setup-go@v2 with: go-version: 1.16 - uses: creekorful/goreportcard-action@v1.0 - name: Make Release env: VERSION: ${{ steps.version.outputs.version }} run: | rm -rf release mkdir release make release-notes > release/release-notes.out cat release/release-notes.out - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 with: version: latest args: release --rm-dist --debug --release-notes=release/release-notes.out env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} release-cli-via-krew: runs-on: ubuntu-latest needs: - create-release steps: - name: Checkout uses: actions/checkout@v2 - name: Unshallow run: git fetch --prune --unshallow - name: Check Tag id: check-tag run: | if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo ::set-output name=match::true fi - name: Update new version in krew-index if: steps.check-tag.outputs.match == 'true' uses: rajatjindal/krew-release-bot@v0.0.38