diff --git a/.github/workflows/test-releaser.yml b/.github/workflows/test-releaser.yml new file mode 100644 index 000000000000..967ab3eae030 --- /dev/null +++ b/.github/workflows/test-releaser.yml @@ -0,0 +1,353 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: test-releaser + +permissions: {} + +on: + push: + tags: + - 'v*' + +jobs: + release-images: + runs-on: ubuntu-latest + permissions: + packages: write + id-token: write + outputs: + kyverno-digest: ${{ steps.release-kyverno.outputs.digest }} + kyverno-init-digest: ${{ steps.release-kyverno-init.outputs.digest }} + background-controller-digest: ${{ steps.release-background-controller.outputs.digest }} + cleanup-controller-digest: ${{ steps.release-cleanup-controller.outputs.digest }} + cli-digest: ${{ steps.release-cli.outputs.digest }} + reports-controller-digest: ${{ steps.release-reports-controller.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: release-images + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 30 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + - name: image scanning + id: scan + uses: nirmata/reusable-workflows/.github/actions/image-scanning@main + with: + pcc-url: ${{ secrets.PCC_URL }} + pcc-user: ${{ secrets.PCC_USER }} + pcc-pass: ${{ secrets.PCC_PASS }} + dest_env: ${{ inputs.dest_env }} + - name: Install Cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: Publish kyverno + id: release-kyverno + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno + - name: Publish kyverno-init + id: release-kyverno-init + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno-init + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno-init + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno-init + - name: Publish background-controller + id: release-background-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-background-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: background-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/background-controller + - name: Publish cleanup-controller + id: release-cleanup-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cleanup-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cleanup-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cleanup-controller + - name: Publish cli + id: release-cli + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cli + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cli + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cli/kubectl-kyverno + - name: Publish reports-controller + id: release-reports-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-reports-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: reports-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/reports-controller + + generate-kyverno-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyverno + digest: "${{ needs.release-images.outputs.kyverno-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-kyverno-init-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyvernopre + digest: "${{ needs.release-images.outputs.kyverno-init-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-background-controller-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/background-controller + digest: "${{ needs.release-images.outputs.background-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-cleanup-controller-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/cleanup-controller + digest: "${{ needs.release-images.outputs.cleanup-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-kyverno-cli-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyverno-cli + digest: "${{ needs.release-images.outputs.cli-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-reports-controller-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/reports-controller + digest: "${{ needs.release-images.outputs.reports-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + create-release: + runs-on: ubuntu-latest + needs: release-images + permissions: + contents: write + id-token: write + steps: + - name: Checkout + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 30 + - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0 + - name: Install Cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: Make Release + env: + VERSION: ${{ github.ref_name }} + run: | + rm -rf release + mkdir release + make release-notes > release/release-notes.out + cat release/release-notes.out + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + version: latest + args: release --clean --timeout 90m --debug --release-notes=release/release-notes.out + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + push-and-sign-install-manifest: + runs-on: ubuntu-latest + needs: create-release + permissions: + contents: write # needed to write releases + id-token: write # needed for keyless signing + packages: write # needed for ghcr access + steps: + - name: Checkout + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Setup Flux CLI + uses: fluxcd/flux2/action@534684601ec8888beb0cc4f51117b59e97606c4d # v2.2.3 + with: + version: 0.35.0 + - name: Install Cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: Build yaml manifest + run: VERSION=${{ github.ref_name }} make codegen-manifest-release + - name: Upload install manifest + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: .manifest/release.yaml + asset_name: install.yaml + tag: ${{ github.ref }} + - name: Upload CRD manifest + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: config/crds/**/*.yaml + file_glob: true + tag: ${{ github.ref }} + - name: Login to GHCR + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Push manifests to GHCR with Flux + env: + CR_PAT_ARTIFACTS: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + mkdir -p config/.release-manifests + cp .manifest/release.yaml config/.release-manifests/install.yaml + cd config/.release-manifests/ && \ + flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }} \ + --path="." \ + --source="$(git config --get remote.origin.url)" \ + --revision="${{ github.ref_name }}/$(git rev-parse HEAD)" + - name: Sign manifests in GHCR with Cosign + run: | + cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }} + + release-cli-via-krew: + runs-on: ubuntu-latest + needs: create-release + steps: + - name: Checkout + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Check Tag + id: check-tag + run: | + if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "match=true" >> $GITHUB_OUTPUT + fi + - name: Update new version in krew-index + if: steps.check-tag.outputs.match == 'true' + uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46