From cc789e16c89c1498f9162559271c4ebbc0a0bd35 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Fri, 23 Feb 2024 23:14:19 +0530
Subject: [PATCH] fix: build and release flow

Signed-off-by: Vishal Choudhary
---
 .github/actions/publish-image/action.yaml | 9 +++++++--
 .github/workflows/image-publish.yaml | 21 +++++++++++----------
 .github/workflows/release.yaml | 22 +++++++++++-----------
 Makefile | 23 ++++++++++++-----------
 4 files changed, 41 insertions(+), 34 deletions(-)

diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml
index 2dbf105..7c90f28 100644
--- a/.github/actions/publish-image/action.yaml
+++ b/.github/actions/publish-image/action.yaml
@@ -5,7 +5,7 @@ description: Publishes a docker image, SBOM, scans vulns, and signs the image.
 inputs:
 makefile-target:
 required: true
- description: makefile target to invoke for publishing image with ko
+ description: makefile target to invoke for publishing image with docker buildx
 registry:
 required: true
 description: registry to publish image to
@@ -36,6 +36,9 @@ inputs:
 main-path:
 required: true
 description: path to main go entry point
+ image-tag:
+ required: true
+ description: the tag used to publish the image
 
 outputs:
 digest:
@@ -45,6 +48,7 @@ outputs:
 runs:
 using: composite
 steps:
+ - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3.0
 - shell: bash
 id: docker-publish
 env:
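Review bot: The new `image-tag` input's description does not say that the value must be exactly the tag the makefile target pushes, which is what the action's later `crane digest` lookup resolves; a caller passing any other tag gets a digest for an unrelated image or a failed step. Suggest `description: tag the makefile target pushes (exported to it as IMAGE_TAG); the digest output is resolved from this tag`. The `inputs:` mapping starts before this hunk.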
@@ -52,10 +56,11 @@ runs:
 REPO: ${{ inputs.repository }}
 REGISTRY_PASSWORD: ${{ inputs.registry-password }}
 COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
 run: |
 set -e
 make ${{ inputs.makefile-target }}
- echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:${{ github.sha }})" >> $GITHUB_OUTPUT
+ echo "digest=ghcr.io/${{ github.repository }}@$(crane digest ghcr.io/${{ github.repository }}:${{ inputs.image-tag }})" >> $GITHUB_OUTPUT
 - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
 with:
 version: v1
diff --git a/.github/workflows/image-publish.yaml b/.github/workflows/image-publish.yaml
index 1239a0d..380f6e6 100644
--- a/.github/workflows/image-publish.yaml
+++ b/.github/workflows/image-publish.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Publish images
 
 permissions: {}
@@ -5,7 +6,7 @@ permissions: {}
 on:
 push:
 branches:
- - 'main'
+ - "main"
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 packages: write
- id-token: write
+ id-token: write
 outputs:
 image-digest: ${{ steps.publish-kyverno-notation-aws.outputs.digest }}
 steps:
@@ -35,11 +36,11 @@ jobs:
 - name: Run Trivy vulnerability scanner in repo mode
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
- scan-type: 'fs'
+ scan-type: "fs"
 ignore-unfixed: true
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
+ format: "sarif"
+ output: "trivy-results.sarif"
+ severity: "CRITICAL,HIGH"
 - name: Install Cosign
 uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Publish image
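Review bot: The new digest line resolves the image by re-reading a mutable tag from the registry after the push (`crane digest ghcr.io/...:${{ inputs.image-tag }}`), so the `digest` output that the workflows' provenance job and the later signing steps presumably consume is whatever that tag points to at query time, not necessarily the image `make` just built; capturing the digest from the push itself (for example buildx `--metadata-file` and its `containerimage.digest` key in the `docker-publish` target) closes that window. The same line splices `inputs.image-tag` into the shell script as an expression even though the hunk already exports it as `IMAGE_TAG`; referencing the variable keeps the value data rather than script, `echo "digest=ghcr.io/${{ github.repository }}@$(crane digest "ghcr.io/${{ github.repository }}:${IMAGE_TAG}")" >> "$GITHUB_OUTPUT"`. The image name is still hard-coded to `ghcr.io/${{ github.repository }}` while `REPO` and the registry inputs are set a few lines up, so a caller publishing to any other repository gets a digest for the wrong name. The callers in the image-publish.yaml and release.yaml hunks below pass `github.sha` and `github.ref_name` respectively; the `env:` block this hunk edits starts before it.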
@@ -57,14 +58,14 @@ jobs:
 sbom-repository: ghcr.io/${{ github.repository }}/sbom
 signature-repository: ghcr.io/${{ github.repository }}/signatures
 main-path: ./
-
+ image-tag: ${{ github.sha }}
 generate-kyverno-notation-aws-provenance:
 needs: publish-images
 permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
 # NOTE: The container generator workflow is not officially released as GA.
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 61bfdbe..2663870 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: releaser
 
 permissions: {}
@@ -5,14 +6,14 @@ permissions: {}
 on:
 push:
 tags:
- - 'v*'
+ - "v*"
 
 jobs:
 publish-images:
 runs-on: ubuntu-latest
 permissions:
 packages: write
- id-token: write
+ id-token: write
 outputs:
 image-digest: ${{ steps.publish-kyverno-notation-aws.outputs.digest }}
 steps:
@@ -31,11 +32,11 @@ jobs:
 - name: Run Trivy vulnerability scanner in repo mode
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
- scan-type: 'fs'
+ scan-type: "fs"
 ignore-unfixed: true
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
+ format: "sarif"
+ output: "trivy-results.sarif"
+ severity: "CRITICAL,HIGH"
 - name: Install Cosign
 uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
 - name: Publish image
@@ -53,14 +54,14 @@ jobs:
 sbom-repository: ghcr.io/${{ github.repository }}/sbom
 signature-repository: ghcr.io/${{ github.repository }}/signatures
 main-path: ./
-
+ image-tag: ${{ github.ref_name }}
 generate-kyverno-notation-aws-provenance:
 needs: publish-images
 permissions:
- id-token: write # To sign the provenance.
- packages: write # To upload assets to release.
- actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
 # NOTE: The container generator workflow is not officially released as GA.
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
 with:
@@ -69,7 +70,6 @@ jobs:
 registry-username: ${{ github.actor }}
 secrets:
 registry-password: ${{ secrets.GITHUB_TOKEN }}
-
 create-release:
 runs-on: ubuntu-latest
diff --git a/Makefile b/Makefile
index 5e4b9da..4c7ca65 100644
--- a/Makefile
+++ b/Makefile
@@ -87,15 +87,15 @@ code-cov-report: test-clean ## Generate code coverage report
 # BUILD (LOCAL)#
 ################
-CMD_DIR := cmd
-KYVERNO_DIR := $(CMD_DIR)/kyverno
-IMAGE_TAG_SHA := $(GIT_SHA)
-IMAGE_TAG_LATEST := latest
-PACKAGE ?= github.com/nirmata/kyverno-notation-aws
+CMD_DIR := cmd
+KYVERNO_DIR := $(CMD_DIR)/kyverno
+IMAGE_TAG_SHA := $(GIT_SHA)
+IMAGE_TAG ?= latest
+PACKAGE ?= github.com/nirmata/kyverno-notation-aws
 ifdef VERSION
-LD_FLAGS := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
+LD_FLAGS := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
 else
-LD_FLAGS := "-s -w"
+LD_FLAGS := "-s -w"
 endif
 build:
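Review bot: `IMAGE_TAG ?= latest` is now both a local default and the contract the publish-image action fulfils through its `IMAGE_TAG` env, yet nothing next to the variable says so; renaming it or changing how `docker-publish` tags the image silently breaks the action's `crane digest` lookup, since that resolves the pushed image from this very tag. Suggest a comment above the assignment, `# IMAGE_TAG is exported by .github/actions/publish-image; the action resolves the pushed digest from this tag, so docker-publish must push exactly $(REPO_IMAGE):$(IMAGE_TAG)`. The `latest` default also means a local `make docker-publish` with the variable unset overwrites the registry's floating `latest` tag, as the old `IMAGE_TAG_LATEST` did, which is worth stating in the same comment. Several other lines in this hunk (`CMD_DIR`, `KYVERNO_DIR`, both `LD_FLAGS` assignments) are removed and re-added with no visible change, which looks like whitespace-only reformatting mixed into a functional fix.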
@@ -107,16 +107,17 @@ build:
 docker-build:
 @echo Build kyverno-notation-aws image with docker... >&2
- docker buildx create --name multiarch --driver docker-container --use
- docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --push .
- docker buildx rm multiarch
+ docker buildx build -t $(REPO_IMAGE):$(IMAGE_TAG) . --load
 docker-publish:
 @echo Build kyverno-notation-aws image with docker... >&2
 docker buildx create --name multiarch --driver docker-container --use
- docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG) --push .
 docker buildx rm multiarch
+t:
+ @echo $(IMAGE_TAG)
+
 ########
 # HELM #
 ########
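Review bot: The new `t` target (`+t:` / `@echo $(IMAGE_TAG)`) has a one-letter name and no help text, which reads as a debugging leftover; either drop it or give it a self-describing name such as `print-image-tag`, and list it in `.PHONY` if the file maintains one, since a file named `t` in the repository root would otherwise make the target a no-op. The rewritten `docker-build` uses `--load` with no `--platform`, so it produces a single host-architecture image while `docker-publish` still builds amd64 and arm64; a comment such as `# local single-arch build into the docker daemon; docker-publish is the multi-arch push` would stop someone from expecting parity between the two. `docker-publish` still creates the `multiarch` builder with no cleanup on failure, so a re-run after a failed build errors on the `create` line; that predates this commit, but since the target is being rewritten a `docker buildx rm multiarch 2>/dev/null || true` before the create line would make it idempotent.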