mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00
Code Activity
kyverno/.github/workflows/release.yaml
Vinod Anandan a07274f234 Update gh-gomod-generate-sbom 
Signed-off-by: Vinod Anandan <vinod@owasp.org>
2021-10-23 14:41:05 +01:00

264 lines
7.3 KiB
YAML
Raw Blame History

name: releaser
on:
push:
tags:
- 'v*'
jobs:
release-init-kyverno:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: Cache Go modules
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- uses: creekorful/goreportcard-action@v1.0
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
id: buildx
with:
install: true
- name: Set version
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish
run: |
make docker-publish-sigs
make docker-publish-initContainer
- name: Sign image
run: |
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
release-kyverno:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: Cache Go modules
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- uses: creekorful/goreportcard-action@v1.0
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
id: buildx
with:
install: true
- name: Set version
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name: Generate SBOM JSON
uses: CycloneDX/gh-gomod-generate-sbom@v1
with:
version: v1
args: mod -licenses -json -output kyverno-v${{ env.KYVERNO_VERSION }}-bom.cdx.json
- uses: actions/upload-artifact@v2
with:
name: kyverno-bom-cdx
path: kyverno-v*-bom.cdx.json
- name : docker images publish
run: |
make docker-publish-sbom
make docker-publish-kyverno
- name: Sign image and SBOM
run: |
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
- name: Trivy Scan Image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/kyverno/kyverno:latest'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
release-kyverno-cli:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.2.1'
- name: Cache Go modules
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- uses: creekorful/goreportcard-action@v1.0
- name: login to GitHub Container Registry
run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
id: buildx
with:
install: true
- name: Set version
run: |
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")"
- name : docker images publish
run: |
make docker-publish-cli
- name: Sign image
run: |
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
create-release:
runs-on: ubuntu-latest
needs:
- release-init-kyverno
- release-kyverno
- release-kyverno-cli
steps:
- name: Set version
id: version
run: echo ::set-output name=version::${GITHUB_REF#refs/*/}
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- name: Cache Go modules
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.16
- uses: creekorful/goreportcard-action@v1.0
- name: Make Release
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
rm -rf release
mkdir release
make release-notes > release/release-notes.out
cat release/release-notes.out
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
with:
version: latest
args: release --rm-dist --debug --release-notes=release/release-notes.out
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-cli-via-krew:
runs-on: ubuntu-latest
needs:
- create-release
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Unshallow
run: git fetch --prune --unshallow
- name: Check Tag
id: check-tag
run: |
if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo ::set-output name=match::true
fi
- name: Update new version in krew-index
if: steps.check-tag.outputs.match == 'true'
uses: rajatjindal/krew-release-bot@v0.0.38
View git blame Copy permalink