name: Create Publish and Sign Docker Image on: workflow_call: inputs: publish_command: required: true type: string image_name: required: true type: string tag: required: true type: string main: type: string secrets: registry_username: required: true registry_password: required: true outputs: init_sha256_digest: description: "sha256 digest of kyverno init docker image" value: ${{ jobs.build.outputs.init-container-digest }} kyverno_sha256_digest: description: "sha256 digest of kyverno docker image" value: ${{ jobs.build.outputs.kyverno-digest }} cli_sha256_digest: description: "sha256 digest of kyverno docker image" value: ${{ jobs.build.outputs.cli-digest }} jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write outputs: init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }} kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }} cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }} steps: - name: Checkout release if: ${{ inputs.tag == 'release'}} uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: fetch-depth: 0 - name: Checkout image if: ${{ inputs.tag == 'image'}} uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Unshallow if: ${{ inputs.tag == 'image'}} run: git fetch --prune --unshallow --tags - name: Set up Go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0 with: go-version: ~1.18.6 - name: Install Cosign uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 with: cosign-release: 'v1.13.0' - name: Cache Go modules uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3 with: path: | ~/.cache/go-build ~/go/pkg/mod /tmp/ko-cache key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Run Trivy vulnerability scanner in repo mode if: ${{inputs.tag == 'release'}} uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 with: scan-type: 'fs' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Set Version if: ${{ inputs.tag == 'release'}} run: | echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV - name: Generate SBOM JSON if: ${{inputs.tag == 'release'}} uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0 with: version: v1 args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}} - name: Upload SBOM JSON if: ${{inputs.tag == 'release'}} uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v2.3.1 with: name: ${{inputs.image_name}}-bom-cdx path: ${{inputs.image_name}}-v*-bom.cdx.json - name: Extract branch name if: ${{inputs.tag == 'image'}} shell: bash run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: Check branch if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}} id: check-branch run: | if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then echo "match=true" >> $GITHUB_OUTPUT fi - name: ko build dev image id: ko-publish-dev env: COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} run: | set -e echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT - name: ko build release image id: ko-publish env: COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} run: | set -e echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT - name: Sign dev image if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} env: COSIGN_EXPERIMENTAL: "true" COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" run: | set -e cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ ${{ steps.ko-publish-dev.outputs.digest }} - name: Sign release-image if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} env: COSIGN_EXPERIMENTAL: "true" COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" run: | set -e cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ ${{ steps.ko-publish.outputs.digest }} - name : Attach SBOM if: ${{inputs.tag == 'release'}} env: COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }} - name: get sha256sum image digest if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} id: set-sha256sum-digest run: | echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}" DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2) echo "Digest from image is: $DIGEST" if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT else echo "name=cli-digest=$DIGEST" >> $GITHUB_OUTPUT fi