name: Create Publish and Sign Docker Image on: workflow_call: inputs: publish_command: required: true type: string digest_command: required: true type: string image_name: required: true type: string tag: required: true type: string main: type: string secrets: registry_username: required: true registry_password: required: true jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write steps: - name: Checkout release if: ${{ inputs.tag == 'release'}} uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: fetch-depth: 0 - name: Checkout image if: ${{ inputs.tag == 'image'}} uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 - name: Unshallow if: ${{ inputs.tag == 'image'}} run: git fetch --prune --unshallow --tags - name: Set up Go uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5 with: go-version: 1.17 - name: Install Cosign uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1 with: cosign-release: 'v1.4.1' - name: Cache Go modules uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Log into ghcr.io uses: docker/login-action@master with: registry: ghcr.io username: ${{secrets.registry_username}} password: ${{secrets.registry_password}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0 id: buildx with: install: true - name: Run Trivy vulnerability scanner in repo mode if: ${{inputs.tag == 'release'}} uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1 with: scan-type: 'fs' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - name: Set Version if: ${{ inputs.tag == 'release'}} run: | echo "KYVERNO_VERSION=$(git tag --list --sort=-version:refname "v[0-9]*" | head -n 1)" >> $GITHUB_ENV - name: Generate SBOM JSON if: ${{inputs.tag == 'release'}} uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0 with: version: v1 args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}} - name: Upload SBOM JSON if: ${{inputs.tag == 'release'}} uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: ${{inputs.image_name}}-bom-cdx path: ${{inputs.image_name}}-v*-bom.cdx.json - name : Docker images publish run: make ${{inputs.publish_command}} - name: get digest id: get-step run: | echo "::set-output name=digest::$(make ${{inputs.digest_command}})" - name: Sign image env: COSIGN_EXPERIMENTAL: "true" COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures" run: | cosign sign \ -a "repo=${{ github.repository }}" \ -a "workflow=${{ github.workflow }}" \ -a "ref=${{ github.sha }}" \ ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }} - name : Attach SBOM if: ${{inputs.tag == 'release'}} env: COSIGN_REPOSITORY: "ghcr.io/kyverno/sbom" run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}