ci: generate sbom and provenance (#2540)

Signed-off-by: Sertac Ozercan <[email protected]>
open-policy-agent · Mar 27, 2023 · 30eaf1b · 30eaf1b
1 parent 8b7a861
commit 30eaf1b
Show file tree

Hide file tree

Showing 14 changed files with 402 additions and 285 deletions.
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
@@ -7,7 +7,7 @@ jobs:
   benchmark:
     name: "Benchmark"
     if: github.event.issue.pull_request && github.event.comment.body == '/benchmark'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 60
     permissions:
       contents: write

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -11,7 +11,7 @@ permissions: read-all
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       security-events: write
 

diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
@@ -0,0 +1,68 @@
+name: pre-release
+on:
+  push:
+    branches:
+      - master
+
+permissions: read-all
+
+env:
+  IMAGE_REPO: openpolicyagent/gatekeeper
+  CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
+  GATOR_IMAGE_REPO: openpolicyagent/gator
+
+jobs:
+  pre-release:
+    name: "Pre Release"
+    runs-on: "ubuntu-22.04"
+    if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+
+      - name: Publish development
+        run: |
+          make docker-login
+
+          tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull"
+          bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')"
+          listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list"
+          authz="Authorization: Bearer $bearerToken"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-dev \
+              DEV_TAG=${GITHUB_SHA::7} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-crds-dev \
+              DEV_TAG=${GITHUB_SHA::7}
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-gator-dev \
+              DEV_TAG=${GITHUB_SHA::7} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml
@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   create-release-pull-request:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Set up Go 1.20
         uses: actions/setup-go@v4

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,127 @@
+name: release
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  IMAGE_REPO: openpolicyagent/gatekeeper
+  CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
+  GATOR_IMAGE_REPO: openpolicyagent/gator
+
+jobs:
+  tagged-release:
+    name: "Tagged Release"
+    runs-on: "ubuntu-22.04"
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
+    timeout-minutes: 45
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+
+      - name: Get tag
+        id: get_version
+        run: |
+          echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: Publish release
+        run: |
+          make docker-login
+
+          tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull"
+          bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')"
+          listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list"
+          authz="Authorization: Bearer $bearerToken"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-release \
+              VERSION=${TAG} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-crds-release \
+              VERSION=${TAG} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-gator-release \
+              VERSION=${TAG} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Bootstrap e2e
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+          make e2e-bootstrap
+
+      - name: Verify release
+        run: |
+          make e2e-verify-release IMG=${{ env.IMAGE_REPO }}:${TAG} USE_LOCAL_IMG=false
+
+      - name: Build gator-cli
+        run: |
+          build() {
+            export GOOS="$(echo ${1} | cut -d '-' -f 1)"
+            export GOARCH="$(echo ${1} | cut -d '-' -f 2)"
+            FILENAME=${GITHUB_WORKSPACE}/_dist/gator-${TAG}-${GOOS}-${GOARCH}
+            # build the binary
+            make bin/gator-${GOOS}-${GOARCH}
+            # rename the binary to gator
+            tmp_dir=$(mktemp -d)
+            cp bin/gator-${GOOS}-${GOARCH} ${tmp_dir}/gator
+            pushd ${tmp_dir}
+            tar -czf ${FILENAME}.tar.gz gator*
+            popd
+          }
+          mkdir -p _dist
+          for os_arch_extension in $PLATFORMS; do
+            build ${os_arch_extension} &
+          done
+          wait
+          pushd _dist
+          # consolidate tar's sha256sum into a single file
+          find . -type f -name '*.tar.gz' | sort | xargs sha256sum >> sha256sums.txt
+          popd
+        env:
+          PLATFORMS: "linux-amd64 linux-arm64 darwin-amd64 darwin-arm64"
+
+      - name: Create GitHub release
+        uses: "marvinpinto/[email protected]"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          prerelease: false
+          files: |
+            _dist/sha256sums.txt
+            _dist/*.tar.gz
+
+      - name: Publish Helm chart
+        uses: stefanprodan/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          charts_dir: charts
+          target_dir: charts
+          linting: off
diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml
@@ -18,7 +18,7 @@ env:
 jobs:
   helm_upgrade:
     name: "[Helm] Upgrade test"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 15
     strategy:
       matrix:
@@ -61,8 +61,26 @@ jobs:
 
       - name: Upgrade Helm version
         run: |
-          make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest CRD_IMG=gatekeeper-crds:latest
-          make e2e-helm-upgrade HELM_VERSION=${{ matrix.HELM_VERSION }}  HELM_REPO=gatekeeper-e2e-helm HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest
+          make docker-buildx \
+            IMG=gatekeeper-e2e:latest \
+            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+
+          make docker-buildx-crds \
+            CRD_IMG=gatekeeper-crds:latest \
+            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+
+          make e2e-build-load-externaldata-image \
+            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+
+          kind load docker-image --name kind \
+            gatekeeper-e2e:latest \
+            gatekeeper-crds:latest
+
+          make e2e-helm-upgrade \
+            HELM_VERSION=${{ matrix.HELM_VERSION }} \
+            HELM_REPO=gatekeeper-e2e \
+            HELM_CRD_REPO=gatekeeper-crds \
+            HELM_RELEASE=latest
 
       - name: Run e2e after upgrade
         run: |

diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     defaults:
       run:
         working-directory: website