Merge branch 'master' into davjlee/feature/gator-verify-expansion

open-policy-agent · Nov 13, 2024 · 9103f81 · 9103f81
2 parents 6ac1628 + 649980c
commit 9103f81
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 10 deletions.
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
@@ -17,6 +17,9 @@ jobs:
     runs-on: "ubuntu-22.04"
     if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
     timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -26,6 +29,13 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Publish development
         run: |
           make docker-login
@@ -42,7 +52,8 @@ jobs:
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -54,7 +65,8 @@ jobs:
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -66,7 +78,8 @@ jobs:
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
         env:
           DOCKER_USER: ${{ secrets.DOCKER_USER }}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,15 +9,15 @@ env:
   CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
   GATOR_IMAGE_REPO: openpolicyagent/gator
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   tagged-release:
     name: "Tagged Release"
     runs-on: "ubuntu-22.04"
     permissions:
       contents: write
+      packages: write
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
     timeout-minutes: 45
     steps:
@@ -45,6 +45,13 @@ jobs:
         run: |
           echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Publish release
         run: |
           make docker-login
@@ -61,7 +68,8 @@ jobs:
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -73,7 +81,8 @@ jobs:
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
 
           listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -85,7 +94,8 @@ jobs:
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
-              GENERATE_ATTESTATIONS=true
+              GENERATE_ATTESTATIONS=true \
+              PUSH_TO_GHCR=true
           fi
         env:
           DOCKER_USER: ${{ secrets.DOCKER_USER }}

diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ GATOR_REPOSITORY ?= openpolicyagent/gator
 IMG := $(REPOSITORY):latest
 CRD_IMG := $(CRD_REPOSITORY):latest
 GATOR_IMG := $(GATOR_REPOSITORY):latest
+PUSH_TO_GHCR ?= false
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
@@ -416,7 +417,9 @@ docker-buildx-dev: docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(REPOSITORY):$(DEV_TAG) \
-		-t $(REPOSITORY):dev .
+		-t $(REPOSITORY):dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(DEV_TAG)) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):dev) .
 
 docker-buildx-crds-dev: build-crds docker-buildx-builder
 	docker buildx build \
@@ -426,6 +429,8 @@ docker-buildx-crds-dev: build-crds docker-buildx-builder
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_REPOSITORY):$(DEV_TAG) \
 		-t $(CRD_REPOSITORY):dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(DEV_TAG)) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):dev) \
 		-f crd.Dockerfile .staging/crds/
 
 docker-buildx-release: docker-buildx-builder
@@ -434,7 +439,8 @@ docker-buildx-release: docker-buildx-builder
 		--build-arg LDFLAGS=${LDFLAGS} \
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
-		-t $(REPOSITORY):$(VERSION) .
+		-t $(REPOSITORY):$(VERSION) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(VERSION)) .
 
 docker-buildx-crds-release: build-crds docker-buildx-builder
 	docker buildx build \
@@ -443,6 +449,7 @@ docker-buildx-crds-release: build-crds docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_REPOSITORY):$(VERSION) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(VERSION)) \
 		-f crd.Dockerfile .staging/crds/
 
 # Build gator image
@@ -454,6 +461,8 @@ docker-buildx-gator-dev: docker-buildx-builder
 		--output=$(OUTPUT_TYPE) \
 		-t ${GATOR_REPOSITORY}:${DEV_TAG} \
 		-t ${GATOR_REPOSITORY}:dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${DEV_TAG}) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:dev) \
 		-f gator.Dockerfile .
 
 docker-buildx-gator-release: docker-buildx-builder
@@ -463,6 +472,7 @@ docker-buildx-gator-release: docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t ${GATOR_REPOSITORY}:${VERSION} \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${VERSION}) \
 		-f gator.Dockerfile .
 
 # Update manager_image_patch.yaml with image tag