mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
ff7ed78b09
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
148 lines
5.2 KiB
YAML
148 lines
5.2 KiB
YAML
name: Create Publish and Sign Docker Image
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
publish_command:
|
|
required: true
|
|
type: string
|
|
image_name:
|
|
required: true
|
|
type: string
|
|
tag:
|
|
required: true
|
|
type: string
|
|
main:
|
|
type: string
|
|
secrets:
|
|
registry_username:
|
|
required: true
|
|
registry_password:
|
|
required: true
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
steps:
|
|
- name: Checkout release
|
|
if: ${{ inputs.tag == 'release'}}
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Checkout image
|
|
if: ${{ inputs.tag == 'image'}}
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
|
|
|
|
- name: Unshallow
|
|
if: ${{ inputs.tag == 'image'}}
|
|
run: git fetch --prune --unshallow --tags
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
|
|
with:
|
|
go-version: 1.18
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
|
|
with:
|
|
cosign-release: 'v1.11.0'
|
|
|
|
- name: Cache Go modules
|
|
uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3
|
|
with:
|
|
path: |
|
|
~/.cache/go-build
|
|
~/go/pkg/mod
|
|
/tmp/ko-cache
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Run Trivy vulnerability scanner in repo mode
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
|
|
with:
|
|
scan-type: 'fs'
|
|
ignore-unfixed: true
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Set Version
|
|
if: ${{ inputs.tag == 'release'}}
|
|
run: |
|
|
echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
|
|
|
|
- name: Generate SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
|
|
with:
|
|
version: v1
|
|
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
|
|
|
|
- name: Upload SBOM JSON
|
|
if: ${{inputs.tag == 'release'}}
|
|
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
|
|
with:
|
|
name: ${{inputs.image_name}}-bom-cdx
|
|
path: ${{inputs.image_name}}-v*-bom.cdx.json
|
|
|
|
- name: Extract branch name
|
|
if: ${{inputs.tag == 'image'}}
|
|
shell: bash
|
|
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
|
|
id: extract_branch
|
|
|
|
- name: Check branch
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
|
|
id: check-branch
|
|
run: |
|
|
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
|
|
echo ::set-output name=match::true
|
|
fi
|
|
|
|
- name: ko build dev image
|
|
id: ko-publish-dev
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
run: |
|
|
echo "::set-output name=digest::$(REGISTRY=ghcr.io REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)"
|
|
|
|
- name: ko build release image
|
|
id: ko-publish
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
run: |
|
|
echo "::set-output name=digest::$(REGISTRY=ghcr.io REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})"
|
|
|
|
- name: Sign dev image
|
|
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish-dev.outputs.digest }}
|
|
|
|
- name: Sign release-image
|
|
if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures"
|
|
run: |
|
|
cosign sign \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "workflow=${{ github.workflow }}" \
|
|
-a "ref=${{ github.sha }}" \
|
|
${{ steps.ko-publish.outputs.digest }}
|
|
|
|
- name : Attach SBOM
|
|
if: ${{inputs.tag == 'release'}}
|
|
env:
|
|
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
|
|
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
|