mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00
Code Activity
kyverno/.github/workflows/reuse.yaml
Mritunjay Kumar Sharma cdedf11a1c
bumps k8s libraries for k8s v1.23 upgrade for kyverno (#3043) 
* bumps k8s libraries for k8s v1.23 upgrade for kyverno

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes kustomize version

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates golang to v1.17 to test fails

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates logr package to 1.2.2

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* Fixed tests for `pkg/cosign` and `pkg/webhooks/generation`

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

* fix go-logr deps version issue

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

* fix kube-openapi commit hash

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: prateekpandey14 <prateekpandey14@gmail.com>
2022-01-22 20:26:53 +08:00

132 lines
4.1 KiB
YAML
Raw Blame History

name: Create Publish and Sign Docker Image
on:
workflow_call:
inputs:
publish_command:
required: true
type: string
digest_command:
required: true
type: string
image_name:
required: true
type: string
tag:
required: true
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout release
if: ${{ inputs.tag == 'release'}}
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
with:
fetch-depth: 0
- name: Checkout image
if: ${{ inputs.tag == 'image'}}
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- name: Unshallow
if: ${{ inputs.tag == 'image'}}
run: git fetch --prune --unshallow --tags
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
- name: Install Cosign
uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
with:
cosign-release: 'v1.4.1'
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Log into ghcr.io
uses: docker/login-action@master
with:
registry: ghcr.io
username: ${{secrets.registry_username}}
password: ${{secrets.registry_password}}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
id: buildx
with:
install: true
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a # v0.2.1
with:
scan-type: 'fs'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Set Version
if: ${{ inputs.tag == 'release'}}
run: |
echo "KYVERNO_VERSION=$(git tag --list --sort=-version:refname "v[0-9]*" | head -n 1)" >> $GITHUB_ENV
- name: Generate SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
with:
version: v1
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- name: Upload SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
with:
name: ${{inputs.image_name}}-bom-cdx
path: ${{inputs.image_name}}-v*-bom.cdx.json
- name : Docker images publish
run: make ${{inputs.publish_command}}
- name: get digest
id: get-step
run: |
echo "::set-output name=digest::$(make ${{inputs.digest_command}})"
- name: Sign image
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/kyverno/signatures"
run: |
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
- name : Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/kyverno/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/kyverno/${{inputs.image_name}}@sha256:${{ steps.get-step.outputs.digest }}
View git blame Copy permalink