mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/.github/workflows/reuse.yaml
Shubham Gupta f70cd4222f
Update hash of dependencies instead of mutable version (#3582) 
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-12 10:22:38 +01:00

173 lines
6.1 KiB
YAML
Raw Blame History

name: Create Publish and Sign Docker Image
on:
workflow_call:
inputs:
publish_command:
required: true
type: string
digest_command:
required: true
type: string
image_name:
required: true
type: string
tag:
required: true
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout release
if: ${{ inputs.tag == 'release'}}
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
with:
fetch-depth: 0
- name: Checkout image
if: ${{ inputs.tag == 'image'}}
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- name: Unshallow
if: ${{ inputs.tag == 'image'}}
run: git fetch --prune --unshallow --tags
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
- name: Install Cosign
uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
with:
cosign-release: 'v1.4.1'
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Log into ghcr.io
uses: docker/login-action@7c79b598eaa33458e78e8d0d71e0a9c217dd92af
with:
registry: ghcr.io
username: ${{secrets.registry_username}}
password: ${{secrets.registry_password}}
- name: Set up QEMU
uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Set Version
if: ${{ inputs.tag == 'release'}}
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
- name: Generate SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
with:
version: v1
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- name: Upload SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
with:
name: ${{inputs.image_name}}-bom-cdx
path: ${{inputs.image_name}}-v*-bom.cdx.json
- name: Extract branch name
if: ${{inputs.tag == 'image'}}
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
- name: Check branch
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
id: check-branch
run: |
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
echo ::set-output name=match::true
fi
- name : Docker images publish
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
run: make ${{inputs.publish_command}}-dev
- name : Docker release-images publish
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
run: make ${{inputs.publish_command}}
- name: get image digest
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
id: get-step-image
run: |
echo "::set-output name=digest::$(make ${{inputs.digest_command}}-dev)"
- name: get release-image digest
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
id: get-step
run: |
echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
- name: Sign image
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step-image.outputs.digest }}
- name: Sign release-image
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
run: |
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
- name : Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
View git blame Copy permalink