policylibrary: consolidate privileges raising operations into privileges-raise.yaml single policy #6910
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image CI Build | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
paths-ignore: | |
- 'docs/**' | |
push: | |
branches: | |
- main | |
- test* | |
paths-ignore: | |
- 'docs/**' | |
permissions: | |
# To be able to access the repository with `actions/checkout` | |
contents: read | |
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
id-token: write | |
jobs: | |
build-and-push-prs: | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
include: | |
- name: tetragon | |
dockerfile: ./Dockerfile | |
- name: tetragon-operator | |
dockerfile: ./Dockerfile.operator | |
steps: | |
# https://github.com/docker/setup-qemu-action | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
with: | |
platforms: arm64 | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Login to quay.io for CI | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME_CI }} | |
password: ${{ secrets.QUAY_PASSWORD_CI }} | |
- name: Getting image tag | |
id: tag | |
run: | | |
if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT | |
else | |
echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
fi | |
if [ ${{ github.event_name }} == "push" ]; then | |
if [ ${{ github.ref_name }} == "main" ]; then | |
echo "name=latest" | tee -a $GITHUB_OUTPUT | |
else | |
echo "name=${{ github.ref_name }}" | tee -a $GITHUB_OUTPUT | |
fi | |
fi | |
- name: Checkout main branch | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
ref: ${{ github.event.repository.default_branch }} | |
fetch-depth: 0 | |
- name: Get version | |
run: | | |
echo "TETRAGON_VERSION=$(make version)" >> $GITHUB_ENV | |
# Warning: since this is a privileged workflow, subsequent workflow job | |
# steps must take care not to execute untrusted code. | |
- name: Checkout pull request branch (NOT TRUSTED) | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
ref: ${{ steps.tag.outputs.tag }} | |
fetch-depth: 0 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: Install Go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
# renovate: datasource=golang-version depName=go | |
go-version: '1.21.6' | |
- name: Install Bom | |
shell: bash | |
env: | |
# renovate: datasource=github-releases depName=kubernetes-sigs/bom | |
BOM_VERSION: v0.6.0 | |
run: | | |
go install sigs.k8s.io/bom/cmd/bom@${{ env.BOM_VERSION }} | |
# main branch pushes | |
- name: CI Build (main) | |
if: ${{ github.event_name == 'push' }} | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
id: docker_build_ci_main | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
build-args: | | |
TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | |
tags: | | |
quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.name }} | |
- name: Sign Container Image | |
if: github.event_name == 'push' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | |
- name: Generate SBOM | |
if: github.event_name == 'push' | |
shell: bash | |
# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 | |
run: | | |
bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--dirs=. \ | |
--image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
- name: Attach SBOM to container images | |
if: github.event_name == 'push' | |
run: | | |
cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | |
- name: Sign SBOM Image | |
if: github.event_name == 'push' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}" | |
image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom" | |
docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}" | |
- name: CI Image Releases digests (main) | |
if: github.event_name == 'push' | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
# PR updates | |
- name: CI Build (PR) | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
id: docker_build_ci_pr | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
build-args: | | |
TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | |
tags: | | |
quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
- name: Sign Container Image | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
- name: Generate SBOM | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
shell: bash | |
# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 | |
run: | | |
bom generate --format json -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--dirs=. \ | |
--image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
- name: Attach SBOM to container images | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
run: | | |
cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
- name: Sign SBOM Image | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" | |
image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" | |
docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" | |
- name: CI Image Releases digests (PR) | |
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
# Upload artifact digests | |
- name: Upload artifact digests | |
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 | |
with: | |
name: image-digest ${{ matrix.name }} | |
path: image-digest | |
retention-days: 1 | |
image-digests: | |
if: ${{ always() }} | |
name: Display Digests | |
runs-on: ubuntu-22.04 | |
needs: [build-and-push-prs] | |
steps: | |
- name: Downloading Image Digests | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
- name: Download digests of all images built | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
path: image-digest/ | |
- name: Image Digests Output | |
shell: bash | |
run: | | |
cd image-digest/ | |
find -type f | sort | xargs -d '\n' cat |