From dce1ee4dc63c924a92c11a93d00e62cfd51ad4b5 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Wed, 10 Dec 2025 17:59:14 +0100
Subject: [PATCH] cleaning up release action
Signed-off-by: Matthias Bertschy
---
 .github/workflows/02-release.yaml | 121 ++----
 .../b-binary-build-and-e2e-tests.yaml | 359 ------------------
 .github/workflows/build-image.yaml | 41 --
 .github/workflows/c-create-release.yaml | 86 -----
 .github/workflows/d-publish-image.yaml | 108 ------
 .github/workflows/e-post-release.yaml | 46 ---
 6 files changed, 35 insertions(+), 726 deletions(-)
 delete mode 100644 .github/workflows/b-binary-build-and-e2e-tests.yaml
 delete mode 100644 .github/workflows/build-image.yaml
 delete mode 100644 .github/workflows/c-create-release.yaml
 delete mode 100644 .github/workflows/d-publish-image.yaml
 delete mode 100644 .github/workflows/e-post-release.yaml
diff --git a/.github/workflows/02-release.yaml b/.github/workflows/02-release.yaml
index 42fe3d55..4a10d376 100644
--- a/.github/workflows/02-release.yaml
+++ b/.github/workflows/02-release.yaml
@@ -15,10 +15,11 @@ jobs:
 uses: ./.github/actions/tag-action
 with:
 SUB_STRING: "-rc"
- binary-build:
+ release:
 permissions:
 actions: read
 checks: read
+ contents: write
 deployments: read
 discussions: read
 id-token: write
@@ -28,92 +29,40 @@ jobs:
 pages: read
 pull-requests: read
 repository-projects: read
- security-events: read
 statuses: read
- contents: write
- attestations: write
+ security-events: read
+ attestations: read
 artifact-metadata: read
 needs: [retag]
- uses: ./.github/workflows/b-binary-build-and-e2e-tests.yaml
- with:
- COMPONENT_NAME: kubescape
- CGO_ENABLED: 0
- GO111MODULE: ""
- GO_VERSION: "1.25"
- RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
- CLIENT: release
- secrets: inherit
- create-release:
- permissions:
- actions: read
- checks: read
- contents: write
- deployments: read
- discussions: read
- id-token: write
- issues: read
- models: read
- packages: read
- pages: read
- pull-requests: read
- repository-projects: read
- statuses: read
- security-events: read
- attestations: read
- artifact-metadata: read
- needs: [retag, binary-build]
- uses: ./.github/workflows/c-create-release.yaml
- with:
- RELEASE_NAME: "Release ${{ needs.retag.outputs.NEW_TAG }}"
- TAG: ${{ needs.retag.outputs.NEW_TAG }}
- DRAFT: false
- secrets: inherit
- publish-image:
- permissions:
- actions: read
- checks: read
- deployments: read
- discussions: read
- id-token: write
- issues: read
- models: read
- packages: write
- pages: read
- pull-requests: read
- repository-projects: read
- security-events: read
- statuses: read
- attestations: read
- contents: write
- uses: ./.github/workflows/d-publish-image.yaml
- needs: [create-release, retag]
- with:
- client: "image-release"
- image_name: "quay.io/${{ github.repository_owner }}/kubescape-cli"
- image_tag: ${{ needs.retag.outputs.NEW_TAG }}
- support_platforms: true
- cosign: true
- secrets: inherit
- post-release:
- permissions:
- actions: read
- checks: read
- deployments: read
- discussions: read
- id-token: write
- issues: read
- models: read
- packages: write
- pages: read
- pull-requests: read
- repository-projects: read
- security-events: read
- statuses: read
- attestations: read
- contents: write
- artifact-metadata: read
- uses: ./.github/workflows/e-post-release.yaml
- needs: [retag, publish-image]
- with:
- TAG: ${{ needs.retag.outputs.NEW_TAG }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version: "1.25"
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
+ - name: Create Cosign Key
+ run: echo "${{ secrets.COSIGN_PRIVATE_KEY_V1 }}" > cosign.key
+
+ - name: Tag Release
+ run: |
+ git tag ${{ needs.retag.outputs.NEW_TAG }}
+
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ distribution: goreleaser
+ version: latest
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_PWD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
+ RELEASE: ${{ needs.retag.outputs.NEW_TAG }}
+ CLIENT: release
 secrets: inherit
diff --git a/.github/workflows/b-binary-build-and-e2e-tests.yaml b/.github/workflows/b-binary-build-and-e2e-tests.yaml
deleted file mode 100644
index 3d81dd91..00000000
--- a/.github/workflows/b-binary-build-and-e2e-tests.yaml
+++ /dev/null
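Review bot: The context line `secrets: inherit` that is now the last line of the inlined `release` job is only valid on a job that calls a reusable workflow via `uses:`; with `runs-on` and `steps` present the workflow parser rejects the file, so that line has to be deleted along with the `uses:` it belonged to. The `Create Cosign Key` step also expands `${{ secrets.COSIGN_PRIVATE_KEY_V1 }}` directly into the shell script and leaves `cosign.key` in the checkout for the rest of the job, whereas the removed `d-publish-image.yaml` passed the key through `env:` and ran `rm cosign.key` after signing; pass it via `env:` and delete it in an `if: always()` step so it cannot be swept into a GoReleaser archive glob or read by a later step. The same applies to `git tag ${{ needs.retag.outputs.NEW_TAG }}`, which should read the tag from `env:` rather than interpolating a job output into the script, and because this job holds `contents: write` and `id-token: write`, GoReleaser `version: latest` and the floating `@v6`/`@v3.5.0` action tags are worth pinning to a release version or commit SHA. The krew, homebrew-tap and packaging dispatches removed with `e-post-release.yaml` have no visible replacement in this hunk; presumably they moved into the GoReleaser configuration, which is worth confirming before the next tag.
```yaml
      - name: Create Cosign Key
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }}
        run: printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key

      - name: Tag Release
        env:
          NEW_TAG: ${{ needs.retag.outputs.NEW_TAG }}
        run: git tag "$NEW_TAG"

      # … unchanged: Run GoReleaser step …

      - name: Remove Cosign Key
        if: always()
        run: rm -f cosign.key
```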
@@ -1,359 +0,0 @@ -name: b-binary-build-and-e2e-tests -permissions: read-all -on: - workflow_dispatch: - inputs: - COMPONENT_NAME: - required: false - type: string - default: "kubescape" - RELEASE: - required: false - type: string - default: "" - CLIENT: - required: false - type: string - default: "test" - GO_VERSION: - required: false - type: string - default: "1.25" - GO111MODULE: - required: false - type: string - default: "" - CGO_ENABLED: - type: number - default: 1 - required: false - BINARY_TESTS: - type: string - required: false - default: '[ - "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", - "ks_microservice_triggering_with_cron_job", - "ks_microservice_update_cronjob_schedule", - "ks_microservice_delete_cronjob", - "ks_microservice_create_2_cronjob_mitre_and_nsa", - "ks_microservice_ns_creation", - "ks_microservice_on_demand", - "ks_microservice_mitre_framework_on_demand", - "ks_microservice_nsa_and_mitre_framework_demand", - "scan_nsa", - "scan_mitre", - "scan_with_exceptions", - "scan_repository", - "scan_local_file", - "scan_local_glob_files", - "scan_local_list_of_files", - "scan_with_exception_to_backend", - "scan_nsa_and_submit_to_backend", - "scan_mitre_and_submit_to_backend", - "scan_local_repository_and_submit_to_backend", - "scan_repository_from_url_and_submit_to_backend", - "scan_with_custom_framework", - "scan_customer_configuration", - "scan_compliance_score" - ]' - - workflow_call: - inputs: - COMPONENT_NAME: - required: true - type: string - RELEASE: - required: true - type: string - CLIENT: - required: true - type: string - GO_VERSION: - type: string - default: "1.25" - GO111MODULE: - required: true - type: string - CGO_ENABLED: - type: number - default: 1 - BINARY_TESTS: - type: string - default: '[ - "scan_nsa", - "scan_mitre", - "scan_with_exceptions", - "scan_repository", - "scan_local_file", - "scan_local_glob_files", - "scan_local_list_of_files", - "scan_nsa_and_submit_to_backend", - "scan_mitre_and_submit_to_backend", - 
"scan_local_repository_and_submit_to_backend", - "scan_repository_from_url_and_submit_to_backend", - "scan_with_custom_framework", - "scan_customer_configuration", - "scan_compliance_score", - "scan_custom_framework_scanning_file_scope_testing", - "scan_custom_framework_scanning_cluster_scope_testing", - "scan_custom_framework_scanning_cluster_and_file_scope_testing" - ]' - -jobs: - wf-preparation: - name: secret-validator - runs-on: ubuntu-latest - outputs: - TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }} - is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }} - - steps: - - name: check if the necessary secrets are set in github secrets - id: check-secret-set - env: - CUSTOMER: ${{ secrets.CUSTOMER }} - USERNAME: ${{ secrets.USERNAME }} - PASSWORD: ${{ secrets.PASSWORD }} - CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }} - SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }} - REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} - run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && env.USERNAME != '' && env.PASSWORD != '' && env.CLIENT_ID != '' && env.SECRET_KEY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}\" >> $GITHUB_OUTPUT\n" - - - id: export_tests_to_env - name: set test name - run: | - echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT - env: - input: ${{ inputs.BINARY_TESTS }} - - check-secret: - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets - runs-on: ubuntu-latest - outputs: - is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }} - steps: - - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets - id: check-secret-set - env: - QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }} - QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }} - run: | - echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> 
$GITHUB_OUTPUT - - binary-build: - name: Create cross-platform build - needs: wf-preparation - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - runs-on: ubuntu-large - steps: - - name: (debug) Step 1 - Check disk space before checkout - run: df -h - - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: recursive - - - name: (debug) Step 2 - Check disk space before installing Go - run: df -h - - - uses: actions/setup-go@v4 - name: Installing go - with: - go-version: ${{ inputs.GO_VERSION }} - - - name: (debug) Step 3 - Check disk space before build - run: df -h - - - name: Test core pkg - run: ${{ env.DOCKER_CMD }} go test -v ./... - if: startsWith(github.ref, 'refs/tags') - - - name: (debug) Step 4 - Check disk space before testing httphandler pkg - run: df -h - - - name: Test httphandler pkg - run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...' - if: startsWith(github.ref, 'refs/tags') - - - name: (debug) Step 5 - Check disk space before setting up Syft - run: df -h - - - uses: anchore/sbom-action/download-syft@v0 - name: Setup Syft - - - name: (debug) Step 6 - Check disk space before goreleaser - run: df -h - - - uses: goreleaser/goreleaser-action@v6 - name: Build - with: - distribution: goreleaser - version: latest - args: release --clean --snapshot - env: - RELEASE: ${{ inputs.RELEASE }} - CLIENT: ${{ inputs.CLIENT }} - CGO_ENABLED: ${{ inputs.CGO_ENABLED }} - - - name: (debug) Step 7 - Check disk space before smoke testing - run: df -h - - - name: Smoke Testing - env: - RELEASE: ${{ inputs.RELEASE }} - KUBESCAPE_SKIP_UPDATE_CHECK: "true" - run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/kubescape-ubuntu-latest - - - name: (debug) Step 8 - Check disk space before golangci-lint - run: df -h - - - name: golangci-lint - continue-on-error: true - uses: golangci/golangci-lint-action@v3 - with: - version: latest - args: --timeout 10m - only-new-issues: true - skip-pkg-cache: true - skip-build-cache: true - - - 
name: (debug) Step 9 - Check disk space before uploading artifacts - run: df -h - - - uses: actions/upload-artifact@v4 - name: Upload artifacts - with: - name: kubescape - path: dist/* - if-no-files-found: error - - - name: (debug) Step 10 - Check disk space after uploading artifacts - run: df -h - - build-http-image: - permissions: - contents: write - id-token: write - packages: write - pull-requests: read - needs: [check-secret] - uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main - with: - IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape - IMAGE_TAG: ${{ inputs.RELEASE }} - COMPONENT_NAME: kubescape - CGO_ENABLED: 0 - GO111MODULE: "on" - BUILD_PLATFORM: linux/amd64,linux/arm64 - GO_VERSION: "1.25" - REQUIRED_TESTS: '[ - "ks_microservice_create_2_cronjob_mitre_and_nsa_proxy", - "ks_microservice_triggering_with_cron_job", - "ks_microservice_update_cronjob_schedule", - "ks_microservice_delete_cronjob", - "ks_microservice_create_2_cronjob_mitre_and_nsa", - "ks_microservice_ns_creation", - "ks_microservice_on_demand", - "ks_microservice_mitre_framework_on_demand", - "ks_microservice_nsa_and_mitre_framework_demand", - "scan_nsa", - "scan_mitre", - "scan_with_exceptions", - "scan_repository", - "scan_local_file", - "scan_local_glob_files", - "scan_local_list_of_files", - "scan_with_exception_to_backend", - "scan_nsa_and_submit_to_backend", - "scan_mitre_and_submit_to_backend", - "scan_local_repository_and_submit_to_backend", - "scan_repository_from_url_and_submit_to_backend", - "scan_with_custom_framework", - "scan_customer_configuration", - "scan_compliance_score" - ]' - COSIGN: true - HELM_E2E_TEST: true - FORCE: true - secrets: inherit - - run-tests: - strategy: - fail-fast: false - matrix: - TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }} - needs: [wf-preparation, binary-build] - if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || 
contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }} - runs-on: ubuntu-latest # This cannot change - steps: - - uses: actions/download-artifact@v4 - id: download-artifact - with: - name: kubescape - path: "~" - - - run: ls -laR - - - name: chmod +x - run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest - - - name: Checkout systests repo - uses: actions/checkout@v4 - with: - repository: armosec/system-tests - path: . - - - uses: actions/setup-python@v4 - with: - python-version: '3.9' - cache: 'pip' - - - name: create env - run: ./create_env.sh - - - name: Generate uuid - id: uuid - run: | - echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT - - - name: Create k8s Kind Cluster - id: kind-cluster-install - uses: helm/kind-action@v1.10.0 - with: - cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }} - - - name: run-tests-on-local-built-kubescape - env: - CUSTOMER: ${{ secrets.CUSTOMER }} - USERNAME: ${{ secrets.USERNAME }} - PASSWORD: ${{ secrets.PASSWORD }} - CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }} - SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }} - REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} - run: | - echo "Test history:" - echo " ${{ matrix.TEST }} " >/tmp/testhistory - cat /tmp/testhistory - source systests_python_env/bin/activate - - python3 systest-cli.py \ - -t ${{ matrix.TEST }} \ - -b production \ - -c CyberArmorTests \ - --duration 3 \ - --logger DEBUG \ - --kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest - - deactivate - - - name: Test Report - uses: mikepenz/action-junit-report@v5 - if: always() # always run even if the previous step fails - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/results_xml_format/**.xml' - commit: ${{github.event.workflow_run.head_sha}} 
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
deleted file mode 100644
index 2cf19784..00000000
--- a/.github/workflows/build-image.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: build-image
-permissions: read-all
-on:
- workflow_dispatch:
- inputs:
- CLIENT:
- required: false
- type: string
- default: "test"
- IMAGE_TAG:
- required: true
- type: string
- CO_SIGN:
- type: boolean
- required: false
- default: false
- PLATFORMS:
- type: boolean
- required: false
- default: false
-jobs:
- build-http-image:
- permissions:
- id-token: write
- packages: write
- contents: write
- pull-requests: read
- uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
- with:
- IMAGE_NAME: quay.io/${{ github.repository_owner }}/kubescape
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
- COMPONENT_NAME: kubescape
- CGO_ENABLED: 0
- GO111MODULE: "on"
- BUILD_PLATFORM: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
- GO_VERSION: "1.25"
- REQUIRED_TESTS: '[]'
- COSIGN: ${{ inputs.CO_SIGN }}
- HELM_E2E_TEST: false
- FORCE: true
- secrets: inherit
diff --git a/.github/workflows/c-create-release.yaml b/.github/workflows/c-create-release.yaml
deleted file mode 100644
index e05879fa..00000000
--- a/.github/workflows/c-create-release.yaml
+++ /dev/null
@@ -1,86 +0,0 @@ -name: c-create_release -permissions: read-all -on: - workflow_call: - inputs: - RELEASE_NAME: - description: 'Release name' - required: true - type: string - TAG: - description: 'Tag name' - required: true - type: string - DRAFT: - description: 'Create draft release' - required: false - type: boolean - default: false -jobs: - create-release: - name: create-release - runs-on: ubuntu-latest - env: - MAC_OS: macos-latest - UBUNTU_OS: ubuntu-latest - WINDOWS_OS: windows-latest - permissions: - contents: write - steps: - - uses: actions/download-artifact@v4 - id: download-artifact - with: - name: kubescape - path: . - - # TODO: kubescape-windows-latest is deprecated and should be removed - - name: Get kubescape.exe from kubescape-windows-latest.exe - run: cp ${{steps.download-artifact.outputs.download-path}}/kubescape-${{ env.WINDOWS_OS }}.exe ${{steps.download-artifact.outputs.download-path}}/kubescape.exe - - - name: Set release token - id: set-token - run: | - if [ "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" != "" ]; then - echo "token=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}" >> $GITHUB_OUTPUT; - else - echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT; - fi - - - name: List artifacts - run: | - find . 
-type f -print - - - name: Release - uses: softprops/action-gh-release@v2 - with: - token: ${{ steps.set-token.outputs.token }} - name: ${{ inputs.RELEASE_NAME }} - tag_name: ${{ inputs.TAG }} - body: ${{ github.event.pull_request.body }} - draft: ${{ inputs.DRAFT }} - prerelease: false - fail_on_unmatched_files: true - files: | - ./checksums.sha256 - ./kubescape-${{ env.MAC_OS }} - ./kubescape-${{ env.MAC_OS }}.sbom - ./kubescape-${{ env.MAC_OS }}.tar.gz - ./kubescape-${{ env.UBUNTU_OS }} - ./kubescape-${{ env.UBUNTU_OS }}.sbom - ./kubescape-${{ env.UBUNTU_OS }}.tar.gz - ./kubescape-${{ env.WINDOWS_OS }}.exe - ./kubescape-${{ env.WINDOWS_OS }}.exe.sbom - ./kubescape-${{ env.WINDOWS_OS }}.tar.gz - ./kubescape-arm64-${{ env.MAC_OS }} - ./kubescape-arm64-${{ env.MAC_OS }}.sbom - ./kubescape-arm64-${{ env.MAC_OS }}.tar.gz - ./kubescape-arm64-${{ env.UBUNTU_OS }} - ./kubescape-arm64-${{ env.UBUNTU_OS }}.sbom - ./kubescape-arm64-${{ env.UBUNTU_OS }}.tar.gz - ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe - ./kubescape-arm64-${{ env.WINDOWS_OS }}.exe.sbom - ./kubescape-arm64-${{ env.WINDOWS_OS }}.tar.gz - ./kubescape-riscv64-${{ env.UBUNTU_OS }} - ./kubescape-riscv64-${{ env.UBUNTU_OS }}.sbom - ./kubescape-riscv64-${{ env.UBUNTU_OS }}.tar.gz - ./kubescape.exe diff --git a/.github/workflows/d-publish-image.yaml b/.github/workflows/d-publish-image.yaml deleted file mode 100644 index 9a11fd95..00000000 --- a/.github/workflows/d-publish-image.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -name: d-publish-image -permissions: - actions: read - checks: read - contents: write - deployments: read - discussions: read - id-token: write - issues: read - models: read - packages: read - pages: read - pull-requests: read - repository-projects: read - statuses: read - security-events: read -on: - workflow_call: - inputs: - client: - description: 'client name' - required: true - type: string - image_tag: - description: 'image tag' - required: true - type: string - image_name: - description: 'image registry and name' - required: true - type: string - cosign: - required: false - default: false - type: boolean - description: 'run cosign on released image' - support_platforms: - required: false - default: true - type: boolean - description: 'support amd64/arm64' -jobs: - check-secret: - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets - runs-on: ubuntu-latest - outputs: - is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }} - steps: - - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets - id: check-secret-set - env: - QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }} - QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }} - run: | - echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT - - build-cli-image: - needs: [check-secret] - if: needs.check-secret.outputs.is-secret-set == 'true' - name: Build image and upload to registry - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to Quay.io - env: - QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }} - QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }} - run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" 
quay.io - - uses: actions/download-artifact@v4 - id: download-artifact - with: - name: kubescape - path: . - - name: mv kubescape amd64 binary - run: mv kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest - - name: chmod +x - run: chmod +x -v kubescape-a* - - name: Build and push images - run: docker buildx build . --file build/kubescape-cli.Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64 - - name: Install cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v2.2.2' - - name: sign kubescape container image - if: ${{ inputs.cosign }} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }} - COSIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }} - COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY_V1 }} - run: | - # Sign the image with keyless mode - cosign sign -y ${{ inputs.image_name }}:${{ inputs.image_tag }} - - # Sign the image with key for verifier clients without keyless support - # Put the key from environment variable to a file - echo "$COSIGN_PRIVATE_KEY" > cosign.key - printf "$COSIGN_PRIVATE_KEY_PASSWORD" | cosign sign -key cosign.key -y ${{ inputs.image_name }}:${{ inputs.image_tag }} - rm cosign.key - # Verify the image - echo "$COSIGN_PUBLIC_KEY" > cosign.pub - cosign verify -key cosign.pub ${{ inputs.image_name }}:${{ inputs.image_tag }} diff --git a/.github/workflows/e-post-release.yaml b/.github/workflows/e-post-release.yaml deleted file mode 100644 index f644423e..00000000 --- a/.github/workflows/e-post-release.yaml +++ /dev/null 
@@ -1,46 +0,0 @@
-name: e-post_release
-permissions: read-all
-on:
- workflow_call:
- inputs:
- TAG:
- description: 'Tag name'
- required: true
- type: string
-jobs:
- post_release:
- name: Post release jobs
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: recursive
- - name: Update new version in krew-index
- uses: rajatjindal/krew-release-bot@v0.0.47
- if: github.repository_owner == 'kubescape'
- env:
- GITHUB_REF: refs/tags/${{ inputs.TAG }}
- - name: Invoke workflow to update packaging
- uses: benc-uk/workflow-dispatch@v1
- if: github.repository_owner == 'kubescape'
- with:
- workflow: release.yml
- repo: kubescape/packaging
- ref: refs/heads/main
- token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
- - name: Invoke workflow to update homebrew tap
- uses: benc-uk/workflow-dispatch@v1
- if: github.repository_owner == 'kubescape'
- with:
- workflow: release.yml
- repo: kubescape/homebrew-tap
- ref: refs/heads/main
- token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
- - name: Invoke workflow to update github action
- uses: benc-uk/workflow-dispatch@v1
- if: github.repository_owner == 'kubescape'
- with:
- workflow: release.yaml
- repo: kubescape/github-action
- ref: refs/heads/main
- token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}