From 0804e024574284626e113151aa152f35de72b4b8 Mon Sep 17 00:00:00 2001 From: TakahiroTsuruda Date: Wed, 23 Oct 2024 13:52:14 +0900 Subject: [PATCH 1/3] ci: push container images to ghcr.io as well Signed-off-by: TakahiroTsuruda --- .github/workflows/pre-release.yaml | 82 ++++++++++++++++++++++++++ .github/workflows/release.yaml | 93 ++++++++++++++++++++++++++++++ 2 files changed, 175 insertions(+)
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index 432f3516653..3bdd3fa5c2d 100644
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -71,3 +71,85 @@ jobs:
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+
+ pre-release-ghcr:
+ name: "Pre Release ghcr.io"
+ runs-on: "ubuntu-22.04"
+ if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
+ timeout-minutes: 30
+ permissions:
+ packages: write
+ contents: read
+ actions: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Check if tag already exists in ghcr.io/${{ env.IMAGE_REPO }}
+ id: check-ghcr-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ${{ env.IMAGE_REPO }} to GHCR
+ if: steps.check-ghcr-image.outputs.exists == 'false'
+ run: |
+ make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-dev \
+ DEV_TAG=${GITHUB_SHA::7} \
+ PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
+
+ - name: Check if tag already exists in ghcr.io/${{ env.CRD_IMAGE_REPO }}
+ id: check-ghcr-crd-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
+ if: steps.check-ghcr-crd-image.outputs.exists == 'false'
+ run: |
+ make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-dev \
+ DEV_TAG=${GITHUB_SHA::7} \
+ PLATFORM="linux/amd64,linux/arm64" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
+
+ - name: Check if tag already exists in ghcr.io/${{ env.GATOR_IMAGE_REPO }}
+ id: check-ghcr-gator-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
+ if: steps.check-ghcr-gator-image.outputs.exists == 'false'
+ run: |
+ make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-dev \
+ DEV_TAG=${GITHUB_SHA::7} \
+ PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 02eec37c6e2..4cc6909fd19 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
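Review bot: In the new `pre-release-ghcr` job the existence check and the push refer to different image names, so the `exists` guard can never be true. The check inspects `ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:…`, which with the owner pinned to `open-policy-agent` by the job's `if:` and an `IMAGE_REPO` of the form `openpolicyagent/gatekeeper` (its value appears as context in the later pre-release hunk) is a doubled namespace, while the build pushes `REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }}`; the CRD and gator step pairs repeat the mismatch. Every run therefore reports `exists=false` and rebuilds and re-pushes the tag, which defeats the idempotency the step exists for and makes an already-published tag silently mutable. Use the same reference in both places, e.g. `if docker manifest inspect ghcr.io/${{ env.IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then`, and confirm that `GITHUB_TOKEN` is allowed to write to that GHCR namespace, since it is normally limited to packages under the repository owner.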
@@ -156,3 +156,96 @@ jobs:
 charts_dir: charts
 target_dir: charts
 linting: off
+
+ tagged-release-ghcr:
+ name: "Tagged Release GHCR"
+ runs-on: "ubuntu-22.04"
+ permissions:
+ packages: write
+ contents: read
+ actions: read
+ if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
+ timeout-minutes: 30
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+
+ - name: Set up Go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version: "1.22"
+ check-latest: true
+
+ - name: Get tag
+ id: get-version
+ run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Check if ${{ env.IMAGE_REPO }} exists in GHCR
+ id: check-ghcr-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ghcr.io/${{ env.IMAGE_REPO }}
+ if: steps.check-ghcr-image.outputs.exists == 'false'
+ run: |
+ make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-release \
+ VERSION=${{ steps.get-version.outputs.TAG }} \
+ PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
+
+
+ - name: Check if ${{ env.CRD_IMAGE_REPO }} exists in GHCR
+ id: check-ghcr-crd-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
+ if: steps.check-ghcr-crd-image.outputs.exists == 'false'
+ run: |
+ make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-release \
+ VERSION=${{ steps.get-version.outputs.TAG }} \
+ PLATFORM="linux/amd64,linux/arm64" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
+
+ - name: Check if ${{ env.GATOR_IMAGE_REPO }} exists in GHCR
+ id: check-ghcr-gator-image
+ run: |
+ if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
+ if: steps.check-ghcr-gator-image.outputs.exists == 'false'
+ run: |
+ make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-release \
+ VERSION=${{ steps.get-version.outputs.TAG }} \
+ PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+ OUTPUT_TYPE=type=registry \
+ GENERATE_ATTESTATIONS=true
From d1e8d7bf105cb8028d337a0e57e5fd6575d7d899 Mon Sep 17 00:00:00 2001 From: TakahiroTsuruda Date: Thu, 24 Oct 2024 14:30:05 +0900 Subject: [PATCH 2/3] refactor: apply review comment https://github.com/open-policy-agent/gatekeeper/pull/3658#pullrequestreview-2391129266 Signed-off-by: TakahiroTsuruda --- .github/workflows/pre-release.yaml | 99 ++++---------------------- .github/workflows/release.yaml | 107 +++-------------------------- Makefile | 15 +++- 3 files changed, 37 insertions(+), 184 deletions(-)
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index 3bdd3fa5c2d..b0dc8526865 100644
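Review bot: `docker manifest inspect … > /dev/null 2>&1` in the `check-ghcr-*` steps maps every failure — an expired token, a rate limit, a network error — to `exists=false`, so a transient registry problem ends in a rebuild and re-push of a release tag instead of a failed step. Keep the command's stderr and map only a not-found reply (`no such manifest` from the Docker CLI; verify the wording for the CLI on the runner) to `exists=false`, exiting non-zero for anything else. Separately, `actions/checkout@eef61447…` is the one pinned action in this job without the `# vX.Y.Z` comment its siblings carry, which is what lets dependency bots keep the pin current.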
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -4,7 +4,9 @@ on:
 branches:
 - master
-permissions: read-all
+permissions:
+ contents: read
+ packages: write
 env:
 IMAGE_REPO: openpolicyagent/gatekeeper
@@ -26,6 +28,13 @@ jobs:
 - name: Check out code into the Go module directory
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Publish development
 run: |
 make docker-login
@@ -38,7 +47,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-dev \
+ make PUSH_TO_GHCR=true docker-buildx-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
@@ -50,7 +59,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-crds-dev \
+ make PUSH_TO_GHCR=true docker-buildx-crds-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
@@ -62,7 +71,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-gator-dev \
+ make PUSH_TO_GHCR=true docker-buildx-gator-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
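Review bot: The guard around `make PUSH_TO_GHCR=true docker-buildx-dev` still decides purely from Docker Hub (`exists=$(echo $version_list | jq …)` over the `registry-1.docker.io` tag list just above it), so ghcr.io is never consulted before the skip. If a run publishes the Docker Hub tags but the ghcr.io push fails or the job is cancelled mid-push, every re-run finds the Docker Hub tag, skips `make`, and ghcr.io stays without that SHA with no recovery path short of deleting the Docker Hub tag. Consider checking both registries and building when either is missing, e.g. `ghcr_missing=$(docker manifest inspect ghcr.io/${{ env.IMAGE_REPO }}:${GITHUB_SHA::7} >/dev/null 2>&1 && echo no || echo yes)` followed by `if [[ $exists == null || $ghcr_missing == yes ]]`. The enclosing `run:` script starts and ends outside these hunks.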
@@ -71,85 +80,3 @@ jobs:
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-
- pre-release-ghcr:
- name: "Pre Release ghcr.io"
- runs-on: "ubuntu-22.04"
- if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
- timeout-minutes: 30
- permissions:
- packages: write
- contents: read
- actions: read
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
- with:
- egress-policy: audit
-
- - name: Check out code into the Go module directory
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
-
- - name: Login to GitHub Container Registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Check if tag already exists in ghcr.io/${{ env.IMAGE_REPO }}
- id: check-ghcr-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ${{ env.IMAGE_REPO }} to GHCR
- if: steps.check-ghcr-image.outputs.exists == 'false'
- run: |
- make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-dev \
- DEV_TAG=${GITHUB_SHA::7} \
- PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
-
- - name: Check if tag already exists in ghcr.io/${{ env.CRD_IMAGE_REPO }}
- id: check-ghcr-crd-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
- if: steps.check-ghcr-crd-image.outputs.exists == 'false'
- run: |
- make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-dev \
- DEV_TAG=${GITHUB_SHA::7} \
- PLATFORM="linux/amd64,linux/arm64" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
-
- - name: Check if tag already exists in ghcr.io/${{ env.GATOR_IMAGE_REPO }}
- id: check-ghcr-gator-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
- if: steps.check-ghcr-gator-image.outputs.exists == 'false'
- run: |
- make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-dev \
- DEV_TAG=${GITHUB_SHA::7} \
- PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTAT IONS=true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4cc6909fd19..0d4911f965e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,7 @@ env:
 permissions:
 contents: read
+ packages: write
 jobs:
 tagged-release:
@@ -45,6 +46,13 @@ jobs:
 run: |
 echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Publish release
 run: |
 make docker-login
@@ -57,7 +65,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-release \
+ make PUSH_TO_GHCR=true docker-buildx-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
@@ -69,7 +77,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-crds-release \
+ make PUSH_TO_GHCR=true docker-buildx-crds-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
@@ -81,7 +89,7 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make docker-buildx-gator-release \
+ make PUSH_TO_GHCR=true docker-buildx-gator-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
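Review bot: For release tags the Docker Hub-only check above `make PUSH_TO_GHCR=true docker-buildx-release` means a version that already exists on Docker Hub is never mirrored to ghcr.io — older releases are not backfilled if that was intended, and a release whose ghcr.io push fails part-way cannot be repaired by re-running the workflow. Users who switch to `ghcr.io/…:vX.Y.Z` then get a not-found for a tag the project considers published. Gate the ghcr.io tags on their own existence check (`docker manifest inspect ghcr.io/${{ env.IMAGE_REPO }}:${TAG}`) rather than reusing the Docker Hub result. The `run:` script and the `tagged-release` job extend beyond these hunks.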
@@ -156,96 +164,3 @@ jobs:
 charts_dir: charts
 target_dir: charts
 linting: off
-
- tagged-release-ghcr:
- name: "Tagged Release GHCR"
- runs-on: "ubuntu-22.04"
- permissions:
- packages: write
- contents: read
- actions: read
- if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
- timeout-minutes: 30
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
- with:
- egress-policy: audit
-
- - name: Check out code into the Go module directory
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
-
- - name: Set up Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version: "1.22"
- check-latest: true
-
- - name: Get tag
- id: get-version
- run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
-
- - name: Login to GitHub Container Registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Check if ${{ env.IMAGE_REPO }} exists in GHCR
- id: check-ghcr-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ghcr.io/${{ env.IMAGE_REPO }}
- if: steps.check-ghcr-image.outputs.exists == 'false'
- run: |
- make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-release \
- VERSION=${{ steps.get-version.outputs.TAG }} \
- PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
-
-
- - name: Check if ${{ env.CRD_IMAGE_REPO }} exists in GHCR
- id: check-ghcr-crd-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
- if: steps.check-ghcr-crd-image.outputs.exists == 'false'
- run: |
- make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-release \
- VERSION=${{ steps.get-version.outputs.TAG }} \
- PLATFORM="linux/amd64,linux/arm64" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
-
- - name: Check if ${{ env.GATOR_IMAGE_REPO }} exists in GHCR
- id: check-ghcr-gator-image
- run: |
- if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
- echo "exists=true" >> $GITHUB_OUTPUT
- else
- echo "exists=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
- if: steps.check-ghcr-gator-image.outputs.exists == 'false'
- run: |
- make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-release \
- VERSION=${{ steps.get-version.outputs.TAG }} \
- PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
- OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
diff --git a/Makefile b/Makefile
index a02eb707abb..734da29ad8b 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ GATOR_REPOSITORY ?= openpolicyagent/gator
 IMG := $(REPOSITORY):latest
 CRD_IMG := $(CRD_REPOSITORY):latest
 GATOR_IMG := $(GATOR_REPOSITORY):latest
+PUSH_TO_GHCR ?= false
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
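Review bot: `PUSH_TO_GHCR ?= false` is added without a comment, whereas the adjacent `DEV_TAG` documents its CI role, and the buildx targets honour the variable only through an exact `$(filter true,$(PUSH_TO_GHCR))` match, so `PUSH_TO_GHCR=1` or `yes` is a silent no-op. Suggested comment above the assignment: `# PUSH_TO_GHCR=true (exact string) additionally tags each image as ghcr.io/$(REPOSITORY):<tag>; any other value is ignored`.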
@@ -408,6 +409,7 @@ docker-buildx-crds: build-crds docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_IMG) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_IMG)) \
 -f crd.Dockerfile .staging/crds/
 docker-buildx-dev: docker-buildx-builder
@@ -417,7 +419,9 @@ docker-buildx-dev: docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(REPOSITORY):$(DEV_TAG) \
- -t $(REPOSITORY):dev .
+ -t $(REPOSITORY):dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(DEV_TAG)) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):dev) .
 docker-buildx-crds-dev: build-crds docker-buildx-builder
 docker buildx build \
@@ -427,6 +431,8 @@ docker-buildx-crds-dev: build-crds docker-buildx-builder
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_REPOSITORY):$(DEV_TAG) \
 -t $(CRD_REPOSITORY):dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(DEV_TAG)) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):dev) \
 -f crd.Dockerfile .staging/crds/
 docker-buildx-release: docker-buildx-builder
@@ -435,7 +441,8 @@ docker-buildx-release: docker-buildx-builder
 --build-arg LDFLAGS=${LDFLAGS} \
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
- -t $(REPOSITORY):$(VERSION) .
+ -t $(REPOSITORY):$(VERSION) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(VERSION)) .
 docker-buildx-crds-release: build-crds docker-buildx-builder
 docker buildx build \
@@ -444,6 +451,7 @@ docker-buildx-crds-release: build-crds docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_REPOSITORY):$(VERSION) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(VERSION)) \
 -f crd.Dockerfile .staging/crds/
 # Build gator image
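Review bot: The ghcr.io reference is formed by prefixing `ghcr.io/` onto `$(REPOSITORY)` and `$(CRD_REPOSITORY)`, whose defaults are Docker Hub paths (`openpolicyagent/…`, matching the `IMAGE_REPO` values in the workflows), so the push target becomes `ghcr.io/openpolicyagent/<image>` while the workflow's `GITHUB_TOKEN` belongs to the `open-policy-agent` repository owner; a `GITHUB_TOKEN` can normally only write packages under its own owner's namespace, so please confirm `openpolicyagent` is the ghcr.io org actually intended and reachable. The derivation also produces a nonsense name if a caller overrides `REPOSITORY` with a fully qualified reference (`REPOSITORY=reg.example/foo` → `ghcr.io/reg.example/foo`). A dedicated `GHCR_REPOSITORY ?= ghcr.io/$(REPOSITORY)` (plus CRD and gator equivalents) beside the other `?=` defaults makes the target explicit and overridable, and the added lines then read `-t $(GHCR_REPOSITORY):$(DEV_TAG)`.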
@@ -455,6 +463,8 @@ docker-buildx-gator-dev: docker-buildx-builder
 --output=$(OUTPUT_TYPE) \
 -t ${GATOR_REPOSITORY}:${DEV_TAG} \
 -t ${GATOR_REPOSITORY}:dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${DEV_TAG}) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:dev) \
 -f gator.Dockerfile .
 docker-buildx-gator-release: docker-buildx-builder
@@ -464,6 +474,7 @@ docker-buildx-gator-release: docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t ${GATOR_REPOSITORY}:${VERSION} \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${VERSION}) \
 -f gator.Dockerfile .
 # Update manager_image_patch.yaml with image tag
From d4e9b92f2ad07e02df0ca1c6609462c4ba26d7ea Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Wed, 13 Nov 2024 22:01:16 +0000 Subject: [PATCH 3/3] minor update Signed-off-by: Sertac Ozercan --- .github/workflows/pre-release.yaml | 22 +++++++++++++--------- .github/workflows/release.yaml | 20 +++++++++++--------- Makefile | 1 - 3 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index d1fc9d6aaac..af2f1a31eaf 100644
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -4,9 +4,7 @@ on:
 branches:
 - master
-permissions:
- contents: read
- packages: write
+permissions: read-all
 env:
 IMAGE_REPO: openpolicyagent/gatekeeper
@@ -19,6 +17,9 @@ jobs:
 runs-on: "ubuntu-22.04"
 if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
 timeout-minutes: 30
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
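Review bot: The `$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/…)` expression is copied once per tag into the gator targets, as it is in the main and CRD targets, and these new lines also mix `${GATOR_REPOSITORY}` with the `$(…)` form used in the same recipes. A single helper keeps the policy in one place and makes a future change to the ghcr.io naming a one-line edit: `ghcr_tag = $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(1))` next to `PUSH_TO_GHCR`, used here as `$(call ghcr_tag,$(GATOR_REPOSITORY):$(DEV_TAG)) \`. The `${…}` spelling predates this change, but the added lines need not propagate it.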
@@ -47,11 +48,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-dev \
+ make docker-buildx-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -59,11 +61,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-crds-dev \
+ make docker-buildx-crds-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -71,11 +74,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-gator-dev \
+ make docker-buildx-gator-dev \
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9c182bea0a2..da99074fd39 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,9 +9,7 @@ env:
 CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
 GATOR_IMAGE_REPO: openpolicyagent/gator
-permissions:
- contents: read
- packages: write
+permissions: read-all
 jobs:
 tagged-release:
@@ -19,6 +17,7 @@ jobs:
 runs-on: "ubuntu-22.04"
 permissions:
 contents: write
+ packages: write
 if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
 timeout-minutes: 45
 steps:
@@ -65,11 +64,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-release \
+ make docker-buildx-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -77,11 +77,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-crds-release \
+ make docker-buildx-crds-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -89,11 +90,12 @@ jobs:
 exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
 if [[ $exists == null ]]
 then
- make PUSH_TO_GHCR=true docker-buildx-gator-release \
+ make docker-buildx-gator-release \
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/Makefile b/Makefile
index d40830631d4..0862520dcef 100644
--- a/Makefile
+++ b/Makefile
@@ -408,7 +408,6 @@ docker-buildx-crds: build-crds docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_IMG) \
- $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_IMG)) \
 -f crd.Dockerfile .staging/crds/
 docker-buildx-dev: docker-buildx-builder