mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
7258f7ae3c
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](755da8c3cf...ac59398561)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
192 lines
7.3 KiB
YAML
192 lines
7.3 KiB
YAML
name: Create Publish and Sign Docker Image
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
publish_command:
|
|
required: true
|
|
type: string
|
|
image_name:
|
|
required: true
|
|
type: string
|
|
tag:
|
|
required: true
|
|
type: string
|
|
main:
|
|
type: string
|
|
secrets:
|
|
registry_username:
|
|
required: true
|
|
registry_password:
|
|
required: true
|
|
outputs:
|
|
init-container-digest:
|
|
description: "sha256 digest of kyverno init docker image"
|
|
value: ${{ jobs.build.outputs.init-container-digest }}
|
|
kyverno-digest:
|
|
description: "sha256 digest of kyverno docker image"
|
|
value: ${{ jobs.build.outputs.kyverno-digest }}
|
|
cleanup-controller-digest:
|
|
description: "sha256 digest of cleanup-controller docker image"
|
|
value: ${{ jobs.build.outputs.cleanup-controller-digest }}
|
|
cli-digest:
|
|
description: "sha256 digest of kyverno docker image"
|
|
value: ${{ jobs.build.outputs.cli-digest }}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
outputs:
|
|
init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }}
|
|
kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }}
|
|
cleanup-controller-digest: ${{ steps.set-sha256sum-digest.outputs.cleanup-controller-digest }}
|
|
cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }}
|
|
steps:
|
|
- name: Checkout release
|
|
if: ${{ inputs.tag == 'release'}}
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Checkout image
|
|
if: ${{ inputs.tag == 'image'}}
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
|
|
|
- name: Unshallow
|
|
if: ${{ inputs.tag == 'image'}}
|
|
run: git fetch --prune --unshallow --tags
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
|
with:
|
|
go-version: ~1.19.4
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
|
|
with:
|
|
cosign-release: 'v1.13.0'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # pin@v3
|
|
with:
|
|
path: |
|
|
~/.cache/go-build
|
|
~/go/pkg/mod
|
|
/tmp/ko-cache
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Run Trivy vulnerability scanner in repo mode
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
|
|
with:
|
|
scan-type: 'fs'
|
|
ignore-unfixed: true
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Set Version
|
|
if: ${{ inputs.tag == 'release'}}
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
|
|
|
|
- name: Generate SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
|
|
with:
|
|
version: v1
|
|
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
|
|
|
|
- name: Upload SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v2.3.1
|
|
with:
|
|
name: ${{inputs.image_name}}-bom-cdx
|
|
path: ${{inputs.image_name}}-v*-bom.cdx.json
|
|
|
|
- name: Extract branch name
|
|
if: ${{inputs.tag == 'image'}}
|
|
shell: bash
|
|
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
|
|
id: extract_branch
|
|
|
|
- name: Check branch
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
|
|
id: check-branch
|
|
run: |
|
|
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
|
|
echo "match=true" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: ko build dev image
|
|
id: ko-publish-dev
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
run: |
|
|
set -e
|
|
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT
|
|
|
|
- name: ko build release image
|
|
id: ko-publish
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
run: |
|
|
set -e
|
|
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT
|
|
|
|
- name: Sign dev image
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
set -e
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish-dev.outputs.digest }}
|
|
|
|
- name: Sign release-image
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
set -e
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish.outputs.digest }}
|
|
|
|
- name : Attach SBOM
|
|
if: ${{inputs.tag == 'release'}}
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
|
|
|
|
- name: get sha256sum image digest
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
id: set-sha256sum-digest
|
|
run: |
|
|
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
|
|
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
|
|
echo "Digest from image is: $DIGEST"
|
|
if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
|
|
echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
|
|
echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then
|
|
echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "cli-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
fi
|