Merge pull request #1954 from rksharma95/fix-snitch-rolebinding #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci-latest-release | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "v*" | |
| paths: | |
| - "KubeArmor/**" | |
| - "protobuf/**" | |
| - ".github/workflows/ci-latest-release.yml" | |
| - "pkg/**" | |
| - "!STABLE-RELEASE" | |
| create: | |
| branches: | |
| - "v*" | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| check: | |
| name: Check what pkg were updated | |
| if: github.repository == 'kubearmor/kubearmor' | |
| runs-on: ubuntu-20.04 | |
| timeout-minutes: 5 | |
| outputs: | |
| kubearmor: ${{ steps.filter.outputs.kubearmor}} | |
| controller: ${{ steps.filter.outputs.controller }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: dorny/paths-filter@v2 | |
| id: filter | |
| with: | |
| filters: | | |
| kubearmor: | |
| - "KubeArmor/**" | |
| - "protobuf/**" | |
| controller: | |
| - 'pkg/KubeArmorController/**' | |
| build: | |
| name: Create KubeArmor latest release | |
| needs: check | |
| if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main') | |
| runs-on: ubuntu-latest-16-cores | |
| permissions: | |
| id-token: write | |
| timeout-minutes: 150 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'KubeArmor/go.mod' | |
| - name: Install the latest LLVM toolchain | |
| run: ./.github/workflows/install-llvm.sh | |
| - name: Compile libbpf | |
| run: ./.github/workflows/install-libbpf.sh | |
| - name: Get release tag | |
| id: vars | |
| run: | | |
| if [ ${{ github.ref }} == "refs/heads/main" ]; then | |
| echo "tag=latest" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_AUTHTOK }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| platforms: linux/amd64,linux/arm64/v8 | |
| - name: Push KubeArmor images to Docker | |
| run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Get Image Digest | |
| id: digest | |
| run: | | |
| echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT | |
| echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT | |
| echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT | |
| - name: Sign the Container Images | |
| run: | | |
| cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes | |
| cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes | |
| cosign sign -r kubearmor/kubearmor-ubi@${{ steps.digest.outputs.ubidigest }} --yes | |
| push-stable-version: | |
| name: Create KubeArmor stable release | |
| needs: [build, check] | |
| if: github.ref != 'refs/heads/main' | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| id-token: write | |
| timeout-minutes: 60 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| - name: Install regctl | |
| run: | | |
| curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl | |
| chmod 755 regctl | |
| mv regctl /usr/local/bin | |
| - name: Check install | |
| run: regctl version | |
| - name: Get tag | |
| id: match | |
| run: | | |
| value=`cat STABLE-RELEASE` | |
| if [ ${{ github.ref }} == "refs/heads/$value" ]; then | |
| echo "tag=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Login to Docker Hub | |
| if: steps.match.outputs.tag == 'true' | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_AUTHTOK }} | |
| - name: Generate the stable version of KubeArmor in Docker Hub | |
| if: steps.match.outputs.tag == 'true' | |
| run: | | |
| STABLE_VERSION=`cat STABLE-RELEASE` | |
| regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags | |
| regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags | |
| regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags | |
| kubearmor-controller-release: | |
| name: Build & Push KubeArmorController | |
| needs: check | |
| if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.controller == 'true' || ${{ github.ref }} != 'refs/heads/main') | |
| defaults: | |
| run: | |
| working-directory: ./pkg/KubeArmorController | |
| runs-on: ubuntu-latest-16-cores | |
| timeout-minutes: 60 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'KubeArmor/go.mod' | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| platforms: linux/amd64,linux/arm64/v8 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_AUTHTOK }} | |
| - name: Get tag | |
| id: tag | |
| run: | | |
| if [ ${{ github.ref }} == "refs/heads/main" ]; then | |
| echo "tag=latest" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build & Push KubeArmorController | |
| run: make docker-buildx TAG=${{ steps.tag.outputs.tag }} |