diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml index 383459682..6edefef68 100644 --- a/.github/workflows/lib-publish.yaml +++ b/.github/workflows/lib-publish.yaml @@ -1,11 +1,16 @@ name: publish on: + workflow_dispatch: workflow_call: inputs: image_tag: default: "devel" required: false type: string + registry: + default: "docker.io/intel" + required: false + type: string env: no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']" @@ -20,27 +25,27 @@ jobs: fail-fast: false matrix: image: - - intel-fpga-admissionwebhook - - intel-fpga-initcontainer - - intel-gpu-initcontainer + #- intel-fpga-admissionwebhook + # - intel-fpga-initcontainer + # - intel-gpu-initcontainer - intel-gpu-plugin - - intel-fpga-plugin - - intel-qat-initcontainer - - intel-qat-plugin - - intel-deviceplugin-operator - - intel-sgx-admissionwebhook - - intel-sgx-plugin - - intel-sgx-initcontainer - - intel-dsa-plugin - - intel-iaa-plugin - - intel-idxd-config-initcontainer - - intel-dlb-plugin - - intel-dlb-initcontainer - - intel-xpumanager-sidecar + # - intel-fpga-plugin + # - intel-qat-initcontainer + # - intel-qat-plugin + # - intel-deviceplugin-operator + # - intel-sgx-admissionwebhook + # - intel-sgx-plugin + # - intel-sgx-initcontainer + # - intel-dsa-plugin + # - intel-iaa-plugin + # - intel-idxd-config-initcontainer + # - intel-dlb-plugin + # - intel-dlb-initcontainer + # - intel-xpumanager-sidecar # # Demo images - - crypto-perf - - opae-nlb-demo + #- crypto-perf + #- opae-nlb-demo steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5 @@ -52,21 +57,56 @@ jobs: env: IMAGE_NAME: ${{ matrix.image }} run: | - REG=intel/ make ${IMAGE_NAME} BUILDER=docker + ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker + - name: List images + run: docker images - name: Trivy scan for image uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: scan-type: image - image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }} + image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} exit-code: 1 - name: Test image base layer # Don't run base layer check for selected images if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }} - run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker + run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker - name: Login uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: + registry: ghcr.io username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PASS }} - - name: Push - run: docker push intel/${{ matrix.image }}:${{ inputs.image_tag }} + - name: Extract Docker metadata + if: ${{ inputs.image_tag != 'devel' }} + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} + - name: Push & Pull + run: | + docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} + docker pull ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} + - name: Get image digest + if: ${{ inputs.image_tag != 'devel' }} + id: digest + run: | + echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT + - name: Install cosign + if: ${{ inputs.image_tag != 'devel' }} + uses: sigstore/cosign-installer@v3.6.0 + with: + cosign-release: 'v2.4.0' + - name: Keyless image sign + if: ${{ inputs.image_tag != 'devel' }} + env: + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.digest.outputs.image_sha }} + run: | + echo "${TAGS}" + echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + #run: | + # echo ${{ steps.digest.outputs.image_sha }} + # cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.image_sha }} + #- name: Verify the image signing + # run: | + # cosign verify --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.image_sha }} --certificate-identity "https://github.com/saintmalik/sign-container-images/.github/workflows/keyless.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq . diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 000000000..a65c1dabd --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,18 @@ +name: Test +on: + workflow_dispatch: + push: + +permissions: + contents: read + pull-requests: read + id-token: write + +jobs: + build: + name: Build & Publish + uses: "./.github/workflows/lib-publish.yaml" + secrets: inherit + with: + image_tag: v9.99.9 + registry: ghcr.io/tkatila diff --git a/go.mod b/go.mod index 9393f845f..e99b4de5f 100644 --- a/go.mod +++ b/go.mod @@ -17,16 +17,16 @@ require ( golang.org/x/text v0.17.0 google.golang.org/grpc v1.65.0 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v0.31.0-beta.0 - k8s.io/apimachinery v0.31.0-beta.0 - k8s.io/client-go v0.31.0-beta.0 - k8s.io/component-base v0.31.0-beta.0 + k8s.io/api v0.31.0-rc.1 + k8s.io/apimachinery v0.31.0-rc.1 + k8s.io/client-go v0.31.0-rc.1 + k8s.io/component-base v0.31.0-rc.1 k8s.io/klog/v2 v2.130.1 k8s.io/kubelet v0.31.0-beta.0 k8s.io/kubernetes v1.31.0-beta.0 k8s.io/pod-security-admission v0.0.0 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 - sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869 + sigs.k8s.io/controller-runtime v0.19.0-beta.0 sigs.k8s.io/yaml v1.4.0 tags.cncf.io/container-device-interface/specs-go v0.8.0 ) @@ -114,8 +114,8 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.31.0-beta.0 // indirect - k8s.io/apiserver v0.31.0-beta.0 // indirect + k8s.io/apiextensions-apiserver v0.31.0-rc.1 // indirect + k8s.io/apiserver v0.31.0-rc.1 // indirect k8s.io/cloud-provider v0.0.0 // indirect k8s.io/component-helpers v0.31.0-beta.0 // indirect k8s.io/controller-manager v0.31.0-beta.0 // indirect diff --git a/go.sum b/go.sum index ca09602a5..1fa4298f8 100644 --- a/go.sum +++ b/go.sum @@ -338,8 +338,8 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869 h1:9+0SFkDM+/1JJQQoG+Zk/lZXTT87mZwc6qmIezGhEq8= -sigs.k8s.io/controller-runtime v0.18.1-0.20240717190548-1ed345090869/go.mod h1:0N/oS51dz0ZJriISp1SloFWkR7uKCDC6LBt65tRt2J0= +sigs.k8s.io/controller-runtime v0.19.0-beta.0 h1:2dhsJeWBmzrnSE+NMourFWen0lSRg3JYs3Pp04+cJss= +sigs.k8s.io/controller-runtime v0.19.0-beta.0/go.mod h1:DsWafTWWtE45ewmWCXm3Tsend5uwveZCkpYfod82SXE= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=