mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 18:06:55 +00:00
b93dff34bb
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.2.3 to 0.8.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/0.2.3...9ab158e8597f3b310480b9a69402b419bc03dbd5) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com>
186 lines
6.9 KiB
YAML
186 lines
6.9 KiB
YAML
name: Create Publish and Sign Docker Image
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
publish_command:
|
|
required: true
|
|
type: string
|
|
image_name:
|
|
required: true
|
|
type: string
|
|
tag:
|
|
required: true
|
|
type: string
|
|
main:
|
|
type: string
|
|
secrets:
|
|
registry_username:
|
|
required: true
|
|
registry_password:
|
|
required: true
|
|
outputs:
|
|
init_sha256_digest:
|
|
description: "sha256 digest of kyverno init docker image"
|
|
value: ${{ jobs.build.outputs.init-container-digest }}
|
|
kyverno_sha256_digest:
|
|
description: "sha256 digest of kyverno docker image"
|
|
value: ${{ jobs.build.outputs.kyverno-digest }}
|
|
cli_sha256_digest:
|
|
description: "sha256 digest of kyverno docker image"
|
|
value: ${{ jobs.build.outputs.cli-digest }}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
outputs:
|
|
init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }}
|
|
kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }}
|
|
cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }}
|
|
steps:
|
|
- name: Checkout release
|
|
if: ${{ inputs.tag == 'release'}}
|
|
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Checkout image
|
|
if: ${{ inputs.tag == 'image'}}
|
|
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
|
|
|
|
- name: Unshallow
|
|
if: ${{ inputs.tag == 'image'}}
|
|
run: git fetch --prune --unshallow --tags
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
|
|
with:
|
|
go-version: ~1.18.6
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
|
|
with:
|
|
cosign-release: 'v1.13.0'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
|
|
with:
|
|
path: |
|
|
~/.cache/go-build
|
|
~/go/pkg/mod
|
|
/tmp/ko-cache
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Run Trivy vulnerability scanner in repo mode
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
|
|
with:
|
|
scan-type: 'fs'
|
|
ignore-unfixed: true
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Set Version
|
|
if: ${{ inputs.tag == 'release'}}
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
|
|
|
|
- name: Generate SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
|
|
with:
|
|
version: v1
|
|
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
|
|
|
|
- name: Upload SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v2.3.1
|
|
with:
|
|
name: ${{inputs.image_name}}-bom-cdx
|
|
path: ${{inputs.image_name}}-v*-bom.cdx.json
|
|
|
|
- name: Extract branch name
|
|
if: ${{inputs.tag == 'image'}}
|
|
shell: bash
|
|
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
|
|
id: extract_branch
|
|
|
|
- name: Check branch
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
|
|
id: check-branch
|
|
run: |
|
|
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
|
|
echo "match=true" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: ko build dev image
|
|
id: ko-publish-dev
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
run: |
|
|
set -e
|
|
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT
|
|
|
|
- name: ko build release image
|
|
id: ko-publish
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
run: |
|
|
set -e
|
|
echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT
|
|
|
|
- name: Sign dev image
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
set -e
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish-dev.outputs.digest }}
|
|
|
|
- name: Sign release-image
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
set -e
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish.outputs.digest }}
|
|
|
|
- name : Attach SBOM
|
|
if: ${{inputs.tag == 'release'}}
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
|
|
|
|
- name: get sha256sum image digest
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
id: set-sha256sum-digest
|
|
run: |
|
|
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
|
|
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
|
|
echo "Digest from image is: $DIGEST"
|
|
if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
|
|
echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
|
|
echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "name=cli-digest=$DIGEST" >> $GITHUB_OUTPUT
|
|
fi
|