minor update

Signed-off-by: Sertac Ozercan <[email protected]>

.github/workflows/pre-release.yaml

@@ -4,9 +4,7 @@ on:
     branches:
       - master
 
-permissions:
-  contents: read
-  packages: write
+permissions: read-all
 
 env:
   IMAGE_REPO: openpolicyagent/gatekeeper
@@ -19,6 +17,9 @@ jobs:
     runs-on: "ubuntu-22.04"
     if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
     timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -47,35 +48,38 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-dev \
+            make docker-buildx-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
           version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-crds-dev \
+            make docker-buildx-crds-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
           version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-gator-dev \
+            make docker-buildx-gator-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
         env:
           DOCKER_USER: ${{ secrets.DOCKER_USER }}

.github/workflows/release.yaml

@@ -9,16 +9,15 @@ env:
   CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
   GATOR_IMAGE_REPO: openpolicyagent/gator
 
-permissions:
-  contents: read
-  packages: write
+permissions: read-all
 
 jobs:
   tagged-release:
     name: "Tagged Release"
     runs-on: "ubuntu-22.04"
     permissions:
       contents: write
+      packages: write
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
     timeout-minutes: 45
     steps:
@@ -65,35 +64,38 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-release \
+            make docker-buildx-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
           version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-crds-release \
+            make docker-buildx-crds-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
           version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make PUSH_TO_GHCR=true docker-buildx-gator-release \
+            make docker-buildx-gator-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
         env:
           DOCKER_USER: ${{ secrets.DOCKER_USER }}

Makefile

@@ -408,7 +408,6 @@ docker-buildx-crds: build-crds docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_IMG) \
-		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_IMG)) \
 		-f crd.Dockerfile .staging/crds/
 
 docker-buildx-dev: docker-buildx-builder