diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..1166e10
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,65 @@
+name: release
+on:
+ push:
+ tags: [ 'v*' ]
+
+permissions:
+ contents: read
+
+jobs:
+ manifests:
+ strategy:
+ matrix:
+ variant:
+ - distroless
+ - alpine
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Setup Flux
+ uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 #v2.2.2
+ with:
+ version: ${{ github.ref_name }}
+ - name: Login to GHCR
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build manifests
+ run: |
+ mkdir -p bin/${{ matrix.variant }}
+ flux install \
+ --components-extra="image-reflector-controller,image-automation-controller" \
+ --registry=ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }} \
+ --image-pull-secret=flux-enterprise-auth \
+ --export > --export > bin/${{ matrix.variant }}/gotk-components.yaml
+ - name: Push manifests
+ id: push
+ run: |
+ set -euo pipefail
+
+ img_digest=$(flux push artifact \
+ oci://ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }}/flux-manifests:${{ github.ref_name }} \
+ --path=bin/${{ matrix.variant }} \
+ --source=${{ github.repositoryUrl }} \
+ --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
+ --annotations='org.opencontainers.image.description=ControlPLane Enterprise for Flux CD' \
+ --output=json | jq -r '.digest')
+
+ echo "img_digest=$img_digest" >> $GITHUB_OUTPUT
+
+ img_repository=ghcr.io/controlplaneio-fluxcd/${{ matrix.variant }}/flux-manifests
+ echo "img_repository=$img_repository" >> $GITHUB_OUTPUT
+
+ img_url=${img_repository}:${{ github.ref_name }}
+ echo "img_url=$img_url" >> $GITHUB_OUTPUT
+ - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+ - name: Sign manifests
+ run: |
+ cosign sign --yes ${{ steps.push.outputs.img_repository }}@${{ steps.push.outputs.img_digest }}
diff --git a/.gitignore b/.gitignore
index 3b735ec..7dc3a29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,2 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
+bin/
+workspace/
diff --git a/README.md b/README.md
index 78c429f..7c0702b 100644
--- a/README.md
+++ b/README.md
@@ -3,15 +3,14 @@
 [![e2e-fips](https://github.com/controlplaneio-fluxcd/distribution/actions/workflows/e2e-fips.yaml/badge.svg)](https://github.com/controlplaneio-fluxcd/distribution/actions/workflows/e2e-fips.yaml)
 The [ControlPlane](https://control-plane.io) distribution for [Flux CD](https://fluxcd.io)
-comes with enterprise-hardened container images for the
-[GitOps Toolkit controllers](https://fluxcd.io/flux/components/) including:
+comes with enterprise-hardened Flux controllers including:
 - Hardened container images and SBOMs in-sync with upstream Flux releases.
 - Continuous scanning and CVE patching for Flux container base images.
 - SLAs for remediation of critical vulnerabilities affecting Flux functionality.
 - FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.
 - Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes.
-- Assured compatibility with Kubernetes LTS versions provided by cloud vendors such as Azure, AWS, Google and others.
+- Assured compatibility with Kubernetes LTS versions provided by cloud vendors.
 ## Distribution Channels
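Review bot: The `--revision="${{ github.ref_name }}@sha1:${{ github.sha }}"` line in the "Push manifests" step has no trailing `\`, so the command substitution's first command pushes the artifact without `--annotations` and without `--output=json`, and the following `--annotations='…' \ --output=json | jq -r '.digest'` line then runs as a separate nonexistent command, which under `set -euo pipefail` fails the step before `img_digest` is ever captured. The fix is the one-character change `--revision="${{ github.ref_name }}@sha1:${{ github.sha }}" \`. Separately, `github.ref_name` (and `github.repositoryUrl` in `--source=`) is expanded by the Actions templater directly into the shell text of both `run:` blocks, so a tag name containing shell metacharacters would be executed as code; pass them through `env:` (e.g. `TAG: ${{ github.ref_name }}`) and reference `"$TAG"` in the script instead. The `--export > --export > bin/…` line in "Build manifests", if it is not an extraction artifact of this page, also leaves a stray file named `--export` in the workspace and should read `--export > bin/${{ matrix.variant }}/gotk-components.yaml`.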