diff --git a/.github/workflows/post.yml b/.github/workflows/post.yml
index 58a0e9917..f00b01ea1 100644
--- a/.github/workflows/post.yml
+++ b/.github/workflows/post.yml
@@ -18,6 +18,8 @@ env:
permissions:
contents: read
+ id-token: write
+ attestations: write
jobs:
coverage:
@@ -47,6 +49,7 @@ jobs:
strategy:
matrix:
arch: [ amd64, arm64 ]
+ image-name: [ registration-operator, registration, work, placement, addon-manager ]
steps:
- name: checkout code
uses: actions/checkout@v4
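Review bot: `id-token: write` and `attestations: write` are added to the workflow-level `permissions:` block in the first hunk, so every job in post.yml — including `coverage` and `trigger-clusteradm-e2e`, which never call `actions/attest-sbom` — now receives an OIDC token and the ability to write attestations. Least privilege would keep the top-level block at `contents: read` and grant the two extra scopes only where they are used, with a job-level block on `images` and `image-manifest`: `permissions:` / `  contents: read` / `  id-token: write` / `  attestations: write`. A job-level `permissions:` replaces rather than extends the workflow-level one, so `contents: read` must be repeated there for `actions/checkout` to keep working.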
@@ -57,84 +60,80 @@ jobs:
- name: install imagebuilder
run: go install github.com/openshift/imagebuilder/cmd/imagebuilder@v1.2.3
- name: pull base image
- run: docker pull registry.access.redhat.com/ubi8/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
+ run: docker pull registry.access.redhat.com/ubi9/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
- name: images
run: |
IMAGE_TAG=latest-${{ matrix.arch }} \
+ IMAGE_REGISTRY=quay.io/open-cluster-management \
IMAGE_BUILD_EXTRA_FLAGS="--build-arg OS=linux --build-arg ARCH=${{ matrix.arch }}" \
- make images
+ make image-${{ matrix.image-name }}
- name: push
run: |
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
- docker push quay.io/open-cluster-management/registration-operator:latest-${{ matrix.arch }}
- docker push quay.io/open-cluster-management/registration:latest-${{ matrix.arch }}
- docker push quay.io/open-cluster-management/work:latest-${{ matrix.arch }}
- docker push quay.io/open-cluster-management/placement:latest-${{ matrix.arch }}
- docker push quay.io/open-cluster-management/addon-manager:latest-${{ matrix.arch }}
+ docker push quay.io/open-cluster-management/${{ matrix.image-name }}:latest-${{ matrix.arch }}
+ image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "quay.io/open-cluster-management/${{ matrix.image-name }}:latest-${{ matrix.arch }}" | cut -d'@' -f2)
+ echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: quay.io/open-cluster-management/${{ matrix.image-name }}:latest-${{ matrix.arch }}
+ format: 'spdx-json'
+ output-file: 'sbom.spdx.json'
+ - name: Attest
+ uses: actions/attest-sbom@v2
+ id: attest
+ with:
+ subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
+ subject-digest: ${{ env.IMAGE_DIGEST }}
+ sbom-path: 'sbom.spdx.json'
+ push-to-registry: true
image-manifest:
name: image manifest
runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image-name: [ registration-operator, registration, work, placement, addon-manager ]
needs: [ images ]
steps:
- name: checkout code
uses: actions/checkout@v4
+ # Step to install Skopeo
+ - name: Install Skopeo and jq
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y skopeo jq
- name: create
run: |
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
- # registration-operator
- docker manifest create quay.io/open-cluster-management/registration-operator:latest \
- quay.io/open-cluster-management/registration-operator:latest-amd64 \
- quay.io/open-cluster-management/registration-operator:latest-arm64
- # registration
- docker manifest create quay.io/open-cluster-management/registration:latest \
- quay.io/open-cluster-management/registration:latest-amd64 \
- quay.io/open-cluster-management/registration:latest-arm64
- # work
- docker manifest create quay.io/open-cluster-management/work:latest \
- quay.io/open-cluster-management/work:latest-amd64 \
- quay.io/open-cluster-management/work:latest-arm64
- # placement
- docker manifest create quay.io/open-cluster-management/placement:latest \
- quay.io/open-cluster-management/placement:latest-amd64 \
- quay.io/open-cluster-management/placement:latest-arm64
- # addon-manager
- docker manifest create quay.io/open-cluster-management/addon-manager:latest \
- quay.io/open-cluster-management/addon-manager:latest-amd64 \
- quay.io/open-cluster-management/addon-manager:latest-arm64
+ docker manifest create quay.io/open-cluster-management/${{ matrix.image-name }}:latest \
+ quay.io/open-cluster-management/${{ matrix.image-name }}:latest-amd64 \
+ quay.io/open-cluster-management/${{ matrix.image-name }}:latest-arm64
- name: annotate
run: |
- # registration-operator
- docker manifest annotate quay.io/open-cluster-management/registration-operator:latest \
- quay.io/open-cluster-management/registration-operator:latest-amd64 --arch amd64
- docker manifest annotate quay.io/open-cluster-management/registration-operator:latest \
- quay.io/open-cluster-management/registration-operator:latest-arm64 --arch arm64
- # registration
- docker manifest annotate quay.io/open-cluster-management/registration:latest \
- quay.io/open-cluster-management/registration:latest-amd64 --arch amd64
- docker manifest annotate quay.io/open-cluster-management/registration:latest \
- quay.io/open-cluster-management/registration:latest-arm64 --arch arm64
- # work
- docker manifest annotate quay.io/open-cluster-management/work:latest \
- quay.io/open-cluster-management/work:latest-amd64 --arch amd64
- docker manifest annotate quay.io/open-cluster-management/work:latest \
- quay.io/open-cluster-management/work:latest-arm64 --arch arm64
- # placement
- docker manifest annotate quay.io/open-cluster-management/placement:latest \
- quay.io/open-cluster-management/placement:latest-amd64 --arch amd64
- docker manifest annotate quay.io/open-cluster-management/placement:latest \
- quay.io/open-cluster-management/placement:latest-arm64 --arch arm64
- # addon-manager
- docker manifest annotate quay.io/open-cluster-management/addon-manager:latest \
- quay.io/open-cluster-management/addon-manager:latest-amd64 --arch amd64
- docker manifest annotate quay.io/open-cluster-management/addon-manager:latest \
- quay.io/open-cluster-management/addon-manager:latest-arm64 --arch arm64
+ docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:latest \
+ quay.io/open-cluster-management/${{ matrix.image-name }}:latest-amd64 --arch amd64
+ docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:latest \
+ quay.io/open-cluster-management/${{ matrix.image-name }}:latest-arm64 --arch arm64
- name: push
run: |
- docker manifest push quay.io/open-cluster-management/registration-operator:latest
- docker manifest push quay.io/open-cluster-management/registration:latest
- docker manifest push quay.io/open-cluster-management/work:latest
- docker manifest push quay.io/open-cluster-management/placement:latest
- docker manifest push quay.io/open-cluster-management/addon-manager:latest
+ docker manifest push quay.io/open-cluster-management/${{ matrix.image-name }}:latest
+ docker pull quay.io/open-cluster-management/${{ matrix.image-name }}:latest
+ image_digest_latest=$(skopeo inspect docker://quay.io/open-cluster-management/${{ matrix.image-name }}:latest | jq -r '.Digest')
+ echo "IMAGE_DIGEST_LATEST=${image_digest_latest}" >> $GITHUB_ENV
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: quay.io/open-cluster-management/${{ matrix.image-name }}:latest
+ format: 'spdx-json'
+ output-file: 'sbom.spdx.json'
+ - name: Attest
+ uses: actions/attest-sbom@v2
+ id: attest
+ with:
+ subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
+ subject-digest: ${{ env.IMAGE_DIGEST_LATEST }}
+ sbom-path: 'sbom.spdx.json'
+ push-to-registry: true
trigger-clusteradm-e2e:
needs: [ images, image-manifest ]
name: trigger clusteradm e2e
diff --git a/.github/workflows/releaseimage.yml b/.github/workflows/releaseimage.yml
index 9a02ab769..208f6fed9 100644
--- a/.github/workflows/releaseimage.yml
+++ b/.github/workflows/releaseimage.yml
@@ -58,7 +58,7 @@ jobs:
- name: install imagebuilder
run: go install github.com/openshift/imagebuilder/cmd/imagebuilder@v1.2.3
- name: pull base image
- run: docker pull registry.access.redhat.com/ubi8/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
+ run: docker pull registry.access.redhat.com/ubi9/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
- name: images
run: |
IMAGE_TAG=${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }} \
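Review bot: Both new `Generate SBOM` steps scan the image by mutable tag (`image: ...:latest-${{ matrix.arch }}` in the `images` job, `image: ...:latest` in `image-manifest`) after `subject-digest` has already been captured, so a concurrent run re-pushing the same tag between the two steps would produce an attestation whose SBOM describes a different image than the digest it names; pin the scan to the captured digest instead, `image: quay.io/open-cluster-management/${{ matrix.image-name }}@${{ env.IMAGE_DIGEST }}` and `image: quay.io/open-cluster-management/${{ matrix.image-name }}@${{ env.IMAGE_DIGEST_LATEST }}` respectively. The `images` job derives its digest with `{{index .RepoDigests 0}}`, which is only correct while the quay.io entry happens to be first in that list, whereas the `skopeo inspect ... | jq -r '.Digest'` form the `image-manifest` job already uses is unambiguous and would keep the two jobs consistent. In `image-manifest` the subject is the multi-arch manifest-list digest while the SBOM tool presumably inspects only the platform image matching the runner, so that attestation appears to describe one architecture's contents for the whole index — confirm that is intended, otherwise the per-arch attestations from `images` are the ones consumers should verify, and the `docker pull ...:latest` preceding the skopeo call looks unused and could be dropped. Since these steps now mint signed provenance, `anchore/sbom-action@v0` and `actions/attest-sbom@v2` would be better pinned to commit SHAs than to floating major tags. The `images` job's header and `strategy:` lie outside this hunk.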