Merge pull request #153 from nirmata/image-ci-fix

fix: image build and publish flow
nirmata · Feb 26, 2024 · 8f83153 · 8f83153
2 parents abaf18c + cc789e1
commit 8f83153
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 34 deletions.
diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml
@@ -5,7 +5,7 @@ description: Publishes a docker image, SBOM, scans vulns, and signs the image.
 inputs:
   makefile-target:
     required: true
-    description: makefile target to invoke for publishing image with ko
+    description: makefile target to invoke for publishing image with docker buildx
   registry:
     required: true
     description: registry to publish image to
@@ -36,6 +36,9 @@ inputs:
   main-path:
     required: true
     description: path to main go entry point
+  image-tag:
+    required: true
+    description: the tag used to publish the image
 
 outputs:
   digest:
@@ -45,17 +48,19 @@ outputs:
 runs:
   using: composite
   steps:
+    - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3.0
     - shell: bash
       id: docker-publish
       env:
         REGISTRY: ${{ inputs.registry }}
         REPO: ${{ inputs.repository }}
         REGISTRY_PASSWORD: ${{ inputs.registry-password }}
         COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
       run: |
         set -e
         make ${{ inputs.makefile-target }}
-        echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:${{ github.sha }})" >> $GITHUB_OUTPUT
+        echo "digest=ghcr.io/${{ github.repository }}@$(crane digest ghcr.io/${{ github.repository }}:${{ inputs.image-tag }})" >> $GITHUB_OUTPUT
     - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
       with:
         version: v1

diff --git a/.github/workflows/image-publish.yaml b/.github/workflows/image-publish.yaml
@@ -1,11 +1,12 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Publish images
 
 permissions: {}
 
 on:
   push:
     branches:
-      - 'main'
+      - "main"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       image-digest: ${{ steps.publish-kyverno-notation-aws.outputs.digest }}
     steps:
@@ -35,11 +36,11 @@ jobs:
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
-          scan-type: 'fs'
+          scan-type: "fs"
           ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
       - name: Install Cosign
         uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
       - name: Publish image
@@ -57,14 +58,14 @@ jobs:
           sbom-repository: ghcr.io/${{ github.repository }}/sbom
           signature-repository: ghcr.io/${{ github.repository }}/signatures
           main-path: ./
-
+          image-tag: ${{ github.sha }}
 
   generate-kyverno-notation-aws-provenance:
     needs: publish-images
     permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read # To read the workflow path.
     # NOTE: The container generator workflow is not officially released as GA.
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,18 +1,19 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: releaser
 
 permissions: {}
 
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   publish-images:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       image-digest: ${{ steps.publish-kyverno-notation-aws.outputs.digest }}
     steps:
@@ -31,11 +32,11 @@ jobs:
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
-          scan-type: 'fs'
+          scan-type: "fs"
           ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
       - name: Install Cosign
         uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
       - name: Publish image
@@ -53,14 +54,14 @@ jobs:
           sbom-repository: ghcr.io/${{ github.repository }}/sbom
           signature-repository: ghcr.io/${{ github.repository }}/signatures
           main-path: ./
-
+          image-tag: ${{ github.ref_name }}
 
   generate-kyverno-notation-aws-provenance:
     needs: publish-images
     permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read # To read the workflow path.
     # NOTE: The container generator workflow is not officially released as GA.
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
@@ -69,7 +70,6 @@ jobs:
       registry-username: ${{ github.actor }}
     secrets:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
-
 
   create-release:
     runs-on: ubuntu-latest

diff --git a/Makefile b/Makefile
@@ -87,15 +87,15 @@ code-cov-report: test-clean ## Generate code coverage report
 # BUILD (LOCAL)#
 ################
 
-CMD_DIR           := cmd
-KYVERNO_DIR       := $(CMD_DIR)/kyverno
-IMAGE_TAG_SHA     := $(GIT_SHA)
-IMAGE_TAG_LATEST  := latest
-PACKAGE           ?= github.com/nirmata/kyverno-notation-aws
+CMD_DIR       := cmd
+KYVERNO_DIR   := $(CMD_DIR)/kyverno
+IMAGE_TAG_SHA := $(GIT_SHA)
+IMAGE_TAG     ?= latest
+PACKAGE       ?= github.com/nirmata/kyverno-notation-aws
 ifdef VERSION
-LD_FLAGS          := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
+LD_FLAGS      := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
 else
-LD_FLAGS          := "-s -w"
+LD_FLAGS      := "-s -w"
 endif
 
 build:
@@ -107,16 +107,17 @@ build:
 
 docker-build:
 	@echo Build kyverno-notation-aws image with docker... >&2
-	docker buildx create --name multiarch --driver docker-container --use
-	docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --push .
-	docker buildx rm multiarch
+	docker buildx build -t $(REPO_IMAGE):$(IMAGE_TAG) . --load
 
 docker-publish:
 	@echo Build kyverno-notation-aws image with docker... >&2
 	docker buildx create --name multiarch --driver docker-container --use
-	docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --push .
+	docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG) --push .
 	docker buildx rm multiarch
 
+t:
+	@echo $(IMAGE_TAG)
+
 ########
 # HELM #
 ########