alpine image publish

Signed-off-by: anushkamittal2001 <[email protected]>
nirmata · Mar 11, 2024 · 4924e6e · 4924e6e
1 parent a3c64b3
commit 4924e6e
Showing 1 changed file with 224 additions and 0 deletions.
diff --git a/.github/workflows/images-alpine-publish.yaml b/.github/workflows/images-alpine-publish.yaml
@@ -0,0 +1,224 @@
+name: Publish alpine images
+
+on:
+  workflow_dispatch:
+    inputs:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write 
+
+jobs:
+  publish-alpine-images:
+    runs-on: ubuntu-latest
+    outputs:
+      kyverno-digest: ${{ steps.publish-kyverno.outputs.digest }}
+      kyverno-init-digest: ${{ steps.publish-kyverno-init.outputs.digest }}
+      background-controller-digest: ${{ steps.publish-background-controller.outputs.digest }}
+      cleanup-controller-digest: ${{ steps.publish-cleanup-controller.outputs.digest }}
+      cli-digest: ${{ steps.publish-cli.outputs.digest }}
+      reports-controller-digest: ${{ steps.publish-reports-controller.outputs.digest }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        with:
+          build-cache-key: publish-alpine-images
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # v0.9.2
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        with:
+          cosign-release: 'v1.13.1'
+      - name: Publish kyverno
+        id: publish-kyverno
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-kyverno
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: kyverno
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/kyverno
+      - name: Publish kyverno-init
+        id: publish-kyverno-init
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-kyverno-init
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: kyverno-init
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/kyverno-init
+      - name: Publish background-controller
+        id: publish-background-controller
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-background-controller
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: background-controller
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/background-controller
+      - name: Publish cleanup-controller
+        id: publish-cleanup-controller
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-cleanup-controller
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: cleanup-controller
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/cleanup-controller
+      - name: Publish cli
+        id: publish-cli
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-cli
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: cli
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/cli/kubectl-kyverno
+      - name: Publish reports-controller
+        id: publish-reports-controller
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-reports-controller
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.CR_PAT }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: reports-controller
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./cmd/reports-controller
+
+  generate-kyverno-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno
+      digest: "${{ needs.publish-alpine-images.outputs.kyverno-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-kyverno-init-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+      digest: "${{ needs.publish-alpine-images.outputs.kyverno-init-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-background-controller-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/background-controller
+      digest: "${{ needs.publish-alpine-images.outputs.background-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-cleanup-controller-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
+      digest: "${{ needs.publish-alpine-images.outputs.cleanup-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-kyverno-cli-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
+      digest: "${{ needs.publish-alpine-images.outputs.cli-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-reports-controller-alpine-provenance:
+    needs: publish-alpine-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/reports-controller
+      digest: "${{ needs.publish-alpine-images.outputs.reports-controller-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}