feat: update files and cleanup

.github/actions/publish-image/action.yaml

@@ -5,7 +5,7 @@ description: Publishes a docker image, SBOM, scans vulns, and signs the image.
 inputs:
   makefile-target:
     required: true
-    description: makefile target to invoke for publishing image with ko
+    description: makefile target to invoke for publishing image with docker buildx
   registry:
     required: true
     description: registry to publish image to
@@ -36,6 +36,9 @@ inputs:
   main-path:
     required: true
     description: path to main go entry point
+  image-tag:
+    required: true
+    description: the tag used to publish the image
 
 outputs:
   digest:
@@ -45,17 +48,19 @@ outputs:
 runs:
   using: composite
   steps:
+    - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3.0
     - shell: bash
       id: docker-publish
       env:
         REGISTRY: ${{ inputs.registry }}
         REPO: ${{ inputs.repository }}
         REGISTRY_PASSWORD: ${{ inputs.registry-password }}
         COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
       run: |
         set -e
         make ${{ inputs.makefile-target }}
-        echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:${{ github.sha }})" >> $GITHUB_OUTPUT
+        echo "digest=ghcr.io/${{ github.repository }}@$(crane digest ghcr.io/${{ github.repository }}:${{ inputs.image-tag }})" >> $GITHUB_OUTPUT
     - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
       with:
         version: v1

.github/workflows/image-build.yaml

@@ -16,18 +16,25 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup build env
         uses: ./.github/actions/setup-build-env
         with:
           build-cache-key: build-images
+      - name: Log into registry ghcr.io
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
       - name: docker build
         run: VERSION=${{ github.ref_name }} make docker-build
       - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           scan-type: 'fs'
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+

.github/workflows/image-publish.yaml

@@ -1,11 +1,12 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Publish images
 
 permissions: {}
 
 on:
   push:
     branches:
-      - 'main'
+      - "main"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,32 +17,32 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       image-digest: ${{ steps.publish-kyverno-notation-venafi.outputs.digest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup build env
         uses: ./.github/actions/setup-build-env
         with:
           build-cache-key: publish-images
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
-          scan-type: 'fs'
+          scan-type: "fs"
           ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
       - name: Install Cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
       - name: Publish image
         id: publish-kyverno-notation-venafi
         uses: ./.github/actions/publish-image
@@ -57,19 +58,20 @@ jobs:
           sbom-repository: ghcr.io/${{ github.repository }}/sbom
           signature-repository: ghcr.io/${{ github.repository }}/signatures
           main-path: ./
-
+          image-tag: ${{ github.sha }}
 
   generate-kyverno-notation-venafi-provenance:
     needs: publish-images
     permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read # To read the workflow path.
     # NOTE: The container generator workflow is not officially released as GA.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/kyverno-notation-venafi
       digest: "${{ needs.publish-images.outputs.image-digest }}"
       registry-username: ${{ github.actor }}
     secrets:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
+

.github/workflows/release.yaml

@@ -1,43 +1,44 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: releaser
 
 permissions: {}
 
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   publish-images:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       image-digest: ${{ steps.publish-kyverno-notation-venafi.outputs.digest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup build env
         uses: ./.github/actions/setup-build-env
         with:
           build-cache-key: publish-images
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
-          scan-type: 'fs'
+          scan-type: "fs"
           ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
       - name: Install Cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
       - name: Publish image
         id: publish-kyverno-notation-venafi
         uses: ./.github/actions/publish-image
@@ -53,23 +54,22 @@ jobs:
           sbom-repository: ghcr.io/${{ github.repository }}/sbom
           signature-repository: ghcr.io/${{ github.repository }}/signatures
           main-path: ./
+          image-tag: ${{ github.ref_name }}
 
-
-  generate-kyverno-notation-venafi-provenance:
+  ggenerate-kyverno-notation-venafi-provenance:
     needs: publish-images
     permissions:
-      id-token: write   # To sign the provenance.
-      packages: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read # To read the workflow path.
     # NOTE: The container generator workflow is not officially released as GA.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/kyverno-notation-venafi
       digest: "${{ needs.publish-images.outputs.image-digest }}"
       registry-username: ${{ github.actor }}
     secrets:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
-
 
   create-release:
     runs-on: ubuntu-latest
@@ -79,12 +79,12 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
       - name: Install Cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           version: latest
           args: release --rm-dist --debug

Dockerfile

@@ -1,5 +1,5 @@
 ARG BUILD_PLATFORM="linux/amd64"
-ARG BUILDER_IMAGE="golang:1.20.6-alpine3.18"
+ARG BUILDER_IMAGE="golang:1.21.6-alpine3.18"
 
 FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder
 
@@ -16,7 +16,7 @@ RUN make build
 WORKDIR /
 
 # Build Go binary
-RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o kyverno-notation-venafi .
+RUN GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o kyverno-notation-venafi .
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

Makefile

@@ -90,7 +90,7 @@ code-cov-report: test-clean ## Generate code coverage report
 CMD_DIR           := cmd
 KYVERNO_DIR       := $(CMD_DIR)/kyverno
 IMAGE_TAG_SHA     := $(GIT_SHA)
-IMAGE_TAG_LATEST  := latest
+IMAGE_TAG         ?= latest
 PACKAGE           ?= github.com/nirmata/kyverno-notation-venafi
 ifdef VERSION
 LD_FLAGS          := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
@@ -101,22 +101,23 @@ endif
 build:
 	go build -o kyverno-notation-venafi
 
+
 #################
 # BUILD (DOCKER)#
 #################
 
 docker-build:
 	@echo Build kyverno-notation-venafi image with docker... >&2
-	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=0 LD_FLAGS=$(LD_FLAGS) go build -o kyverno-notation-venafi .
-	docker buildx build --platform linux/arm64/v8 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --load .
+	docker buildx build -t $(REPO_IMAGE):$(IMAGE_TAG) . --load
 
 docker-publish:
 	@echo Build kyverno-notation-venafi image with docker... >&2
-	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=0 LD_FLAGS=$(LD_FLAGS) go build -o kyverno-notation-venafi .
-	docker buildx build --platform linux/arm64/v8 -t $(REPO_IMAGE):$(IMAGE_TAG_LATEST) --load .
-	docker tag $(REPO_IMAGE):$(IMAGE_TAG_LATEST) $(REPO_IMAGE):$(IMAGE_TAG_SHA)
-	docker push $(REPO_IMAGE):$(IMAGE_TAG_SHA)
-	docker push $(REPO_IMAGE):$(IMAGE_TAG_LATEST)
+	docker buildx create --name multiarch --driver docker-container --use
+	docker buildx build --platform linux/amd64,linux/arm64 -t $(REPO_IMAGE):$(IMAGE_TAG) --push .
+	docker buildx rm multiarch
+
+t:
+	@echo $(IMAGE_TAG)
 
 ########
 # HELM #

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/kyverno/kyverno v1.10.2
 	github.com/kyverno/pkg/certmanager v0.0.10
 	github.com/kyverno/pkg/tls v0.0.9
-	github.com/nirmata/kyverno-notation-verifier v1.0.1
+	github.com/nirmata/kyverno-notation-verifier v1.0.2-0.20240226100808-71a312da903f
 	github.com/notaryproject/notation-core-go v1.0.2
 	github.com/pkg/errors v0.9.1
 	go.uber.org/zap v1.25.0

go.sum

@@ -1012,8 +1012,8 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nirmata/kyverno-notation-verifier v1.0.1 h1:s39gh3HfYQvaxtCw6pdge5DWlvmbGYjTC0m3pse4YZI=
-github.com/nirmata/kyverno-notation-verifier v1.0.1/go.mod h1:LfI5AAZGleWLm5/fInN+bdv5/NukgxTPJSFCvob7Vhg=
+github.com/nirmata/kyverno-notation-verifier v1.0.2-0.20240226100808-71a312da903f h1:OL1hg1pzV/NK64MPZKfrasaWGg4OJzhG+/DGj94XevM=
+github.com/nirmata/kyverno-notation-verifier v1.0.2-0.20240226100808-71a312da903f/go.mod h1:LfI5AAZGleWLm5/fInN+bdv5/NukgxTPJSFCvob7Vhg=
 github.com/nishanths/exhaustive v0.1.0/go.mod h1:S1j9110vxV1ECdCudXRkeMnFQ/DQk9ajLT0Uf2MYZQQ=
 github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ=
 github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE=