From 5e71aebdfaa883222773f5862d9ac6209f871515 Mon Sep 17 00:00:00 2001
From: anushkamittal2001
Date: Mon, 26 Feb 2024 12:57:49 +0530
Subject: [PATCH 1/3] add defaultBaseImage
Signed-off-by: anushkamittal2001
---
 .ko.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.ko.yaml b/.ko.yaml
index 874a581f1ddb..134f57355ba4 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,3 +1,5 @@
+defaultBaseImage: alpine:latest
+
 builds:
 - id: kyverno
 main: ./cmd/kyverno
From a92792ff0a3da8089928c6150c612db42ed63642 Mon Sep 17 00:00:00 2001
From: anushkamittal2001
Date: Wed, 28 Feb 2024 13:11:47 +0530
Subject: [PATCH 2/3] add publish workflows
Signed-off-by: anushkamittal2001
---
 .github/workflows/image-alpine-publish.yaml | 224 ++++++++++++++++++++
 1 file changed, 224 insertions(+)
 create mode 100644 .github/workflows/image-alpine-publish.yaml
diff --git a/.github/workflows/image-alpine-publish.yaml b/.github/workflows/image-alpine-publish.yaml
new file mode 100644
index 000000000000..e711d0550f62
--- /dev/null
+++ b/.github/workflows/image-alpine-publish.yaml
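Review bot: `defaultBaseImage: alpine:latest` pins neither a version nor a digest, so every `ko` run resolves whatever the registry currently serves as `latest`, the build is not reproducible, and the SLSA provenance the new workflow generates attests to a base that can change silently between runs. Patch 3 comments the line out again but keeps it as the recipe to uncomment, so the floating tag survives into the documented procedure. Prefer a fully qualified, digest-pinned reference, e.g. `# defaultBaseImage: docker.io/library/alpine:<version>@sha256:<digest>` (placeholder values), and bump it deliberately. To my knowledge ko's built-in default base, used when this key is absent, is a static distroless image; switching to alpine adds a shell and package manager to the published images, which is worth stating in the comment so readers understand the trade-off.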
@@ -0,0 +1,224 @@
+name: Publish alpine images
+
+on:
+ workflow_dispatch:
+ inputs:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+jobs:
+ publish-images:
+ runs-on: ubuntu-latest
+ outputs:
+ kyverno-digest: ${{ steps.publish-kyverno.outputs.digest }}
+ kyverno-init-digest: ${{ steps.publish-kyverno-init.outputs.digest }}
+ background-controller-digest: ${{ steps.publish-background-controller.outputs.digest }}
+ cleanup-controller-digest: ${{ steps.publish-cleanup-controller.outputs.digest }}
+ cli-digest: ${{ steps.publish-cli.outputs.digest }}
+ reports-controller-digest: ${{ steps.publish-reports-controller.outputs.digest }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+ - name: Setup build env
+ uses: ./.github/actions/setup-build-env
+ with:
+ build-cache-key: publish-images
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # v0.9.2
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ with:
+ cosign-release: 'v1.13.1'
+ - name: Publish kyverno
+ id: publish-kyverno
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-kyverno
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: kyverno
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/kyverno
+ - name: Publish kyverno-init
+ id: publish-kyverno-init
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-kyverno-init
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: kyverno-init
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/kyverno-init
+ - name: Publish background-controller
+ id: publish-background-controller
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-background-controller
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: background-controller
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/background-controller
+ - name: Publish cleanup-controller
+ id: publish-cleanup-controller
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-cleanup-controller
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: cleanup-controller
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/cleanup-controller
+ - name: Publish cli
+ id: publish-cli
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-cli
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: cli
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/cli/kubectl-kyverno
+ - name: Publish reports-controller
+ id: publish-reports-controller
+ uses: ./.github/actions/publish-image
+ with:
+ makefile-target: ko-publish-reports-controller
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.CR_PAT }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: reports-controller
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./cmd/reports-controller
+
+ generate-kyverno-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyverno
+ digest: "${{ needs.publish-images.outputs.kyverno-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ generate-kyverno-init-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+ digest: "${{ needs.publish-images.outputs.kyverno-init-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ generate-background-controller-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/background-controller
+ digest: "${{ needs.publish-images.outputs.background-controller-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ generate-cleanup-controller-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
+ digest: "${{ needs.publish-images.outputs.cleanup-controller-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ generate-kyverno-cli-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
+ digest: "${{ needs.publish-images.outputs.cli-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ generate-reports-controller-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ # NOTE: The container generator workflow is not officially released as GA.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/reports-controller
+ digest: "${{ needs.publish-images.outputs.reports-controller-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
From 73eaf2c61769f7e0ee6e0c553b67ec653a57f009 Mon Sep 17 00:00:00 2001
From: anushkamittal2001
Date: Thu, 29 Feb 2024 09:53:43 +0530
Subject: [PATCH 3/3] comment defaultBaseImage
Signed-off-by: anushkamittal2001
---
 .ko.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.ko.yaml b/.ko.yaml
index 134f57355ba4..607ad81f971e 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,4 +1,6 @@
-defaultBaseImage: alpine:latest
+# defaultBaseImage: alpine:latest
+# switch to alpine when needed in a separate branch and manually run the workflow
+# 'Publish alpine images' to publish these images
 builds:
 - id: kyverno
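Review bot: Nothing in the six `publish-image` steps distinguishes the alpine build from the canonical images: each uses the same `repository: ${{ github.repository_owner }}`, the same `sbom-repository` and `signature-repository`, and `version: ${{ github.ref_name }}`, which on a `workflow_dispatch` from the branch patch 3 tells the operator to create is simply that branch's name. If the composite action uses `version` as the image tag (not visible here), a manual run of this workflow pushes over, and re-signs, whatever the regular pipeline last published under that name, and a dispatch from a release tag would replace a release image. Consider a tag that cannot collide, e.g. `version: ${{ github.ref_name }}-alpine`, with a matching `sbom-name`, so the two image lines stay separate in the registry and in the SLSA provenance subjects. Separately, the Trivy step writes `trivy-results.sarif` from a `scan-type: 'fs'` scan of the source tree but no later step uploads or gates on that file, so findings are dropped and the alpine base that motivates this workflow is never scanned; either add an upload step or scan the published image. The publish steps also authenticate with the long-lived `secrets.CR_PAT` while the provenance jobs use `secrets.GITHUB_TOKEN`, and the workflow already grants `packages: write`, so the PAT looks unnecessary unless the action needs it for something the visible inputs do not show.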