mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
8350aadc58
* making required changes in images workflow Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * making required changes in release workflow Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: shuting <shutting06@gmail.com>
307 lines
8.2 KiB
YAML
307 lines
8.2 KiB
YAML
name: releaser
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
jobs:
|
|
release-init-kyverno:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@main
|
|
with:
|
|
cosign-release: 'v1.4.1'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@v1
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
- uses: creekorful/goreportcard-action@v1.0
|
|
|
|
- name: login to GitHub Container Registry
|
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v1
|
|
id: buildx
|
|
with:
|
|
install: true
|
|
|
|
- name: Set version
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
|
|
|
|
- name : docker images publish
|
|
run: |
|
|
make docker-publish-sigs
|
|
make docker-publish-initContainer
|
|
|
|
- name: get digest
|
|
id: get-step
|
|
run: |
|
|
echo "::set-output name=digest::$(make docker-get-initContainer-digest)"
|
|
|
|
- name: Sign image
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
run: |
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
ghcr.io/kyverno/kyvernopre@sha256:${{ steps.get-step.outputs.digest }}
|
|
|
|
release-kyverno:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@main
|
|
with:
|
|
cosign-release: 'v1.4.1'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@v1
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
- uses: creekorful/goreportcard-action@v1.0
|
|
|
|
- name: login to GitHub Container Registry
|
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v1
|
|
id: buildx
|
|
with:
|
|
install: true
|
|
|
|
- name: Set version
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" >> $GITHUB_ENV
|
|
|
|
- name: Generate SBOM JSON
|
|
uses: CycloneDX/gh-gomod-generate-sbom@v1
|
|
with:
|
|
version: v1
|
|
args: mod -licenses -json -output kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json
|
|
|
|
- uses: actions/upload-artifact@v2
|
|
with:
|
|
name: kyverno-bom-cdx
|
|
path: kyverno-v*-bom.cdx.json
|
|
|
|
- name : docker images publish
|
|
run: |
|
|
make docker-publish-sbom
|
|
make docker-publish-kyverno
|
|
|
|
- name: get digest
|
|
id: get-step
|
|
run: |
|
|
echo "::set-output name=digest::$(make docker-get-kyverno-digest)"
|
|
|
|
- name: Sign image and SBOM
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
run: |
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
ghcr.io/kyverno/kyverno@sha256:${{ steps.get-step.outputs.digest }}
|
|
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
|
|
|
|
- name: Trivy Scan Image
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: 'ghcr.io/kyverno/kyverno:${{env.KYVERNO_VERSION}}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
release-kyverno-cli:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@main
|
|
with:
|
|
cosign-release: 'v1.4.1'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@v1
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
- uses: creekorful/goreportcard-action@v1.0
|
|
|
|
- name: login to GitHub Container Registry
|
|
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v1
|
|
id: buildx
|
|
with:
|
|
install: true
|
|
|
|
- name: Set version
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
|
|
|
|
- name : docker images publish
|
|
run: |
|
|
make docker-publish-cli
|
|
|
|
- name: get digest
|
|
id: get-step
|
|
run: |
|
|
echo "::set-output name=digest::$(make docker-get-cli-digest)"
|
|
|
|
- name: Sign image
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
run: |
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
ghcr.io/kyverno/kyverno-cli@sha256:${{ steps.get-step.outputs.digest }}
|
|
|
|
create-release:
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- release-init-kyverno
|
|
- release-kyverno
|
|
- release-kyverno-cli
|
|
steps:
|
|
- name: Set version
|
|
id: version
|
|
run: echo ::set-output name=version::${GITHUB_REF#refs/*/}
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@v1
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.16
|
|
- uses: creekorful/goreportcard-action@v1.0
|
|
|
|
- name: Make Release
|
|
env:
|
|
VERSION: ${{ steps.version.outputs.version }}
|
|
run: |
|
|
rm -rf release
|
|
mkdir release
|
|
make release-notes > release/release-notes.out
|
|
cat release/release-notes.out
|
|
|
|
- name: Run GoReleaser
|
|
uses: goreleaser/goreleaser-action@v2
|
|
with:
|
|
version: latest
|
|
args: release --rm-dist --debug --release-notes=release/release-notes.out
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
release-cli-via-krew:
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- create-release
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
|
|
- name: Unshallow
|
|
run: git fetch --prune --unshallow
|
|
|
|
- name: Check Tag
|
|
id: check-tag
|
|
run: |
|
|
if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
|
echo ::set-output name=match::true
|
|
fi
|
|
|
|
- name: Update new version in krew-index
|
|
if: steps.check-tag.outputs.match == 'true'
|
|
uses: rajatjindal/krew-release-bot@v0.0.38
|