diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index 845d375bda9..af2f1a31eaf 100644
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -17,6 +17,9 @@ jobs:
 runs-on: "ubuntu-22.04"
 if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
 timeout-minutes: 30
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -26,6 +29,13 @@ jobs:
 - name: Check out code into the Go module directory
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Publish development
 run: |
 make docker-login
@@ -42,7 +52,8 @@ jobs:
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 
 listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -54,7 +65,8 @@ jobs:
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 
 listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -66,7 +78,8 @@ jobs:
 DEV_TAG=${GITHUB_SHA::7} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2973b9565d9..da99074fd39 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
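Review bot: The added `PUSH_TO_GHCR=true` in the `@@ -42,7 +52,8 @@` hunk sits inside a block that, judging by the `fi` and the Docker Hub `listUri` that follow it, is skipped when the tag already exists on Docker Hub, so GHCR is never consulted: an image that reached Docker Hub but whose GHCR push failed (partial buildx failure, registry outage) will not be retried on the next run. Either check both registries before deciding to skip, or give the GHCR push its own guarded step, so the two registries cannot drift. The `if` that opens this block is outside the hunk. The same applies to the two following hunks in this file and to the three `VERSION=${TAG}` hunks in release.yaml.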
@@ -9,8 +9,7 @@ env:
 CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
 GATOR_IMAGE_REPO: openpolicyagent/gator
 
-permissions:
- contents: read
+permissions: read-all
 
 jobs:
 tagged-release:
@@ -18,6 +17,7 @@ jobs:
 runs-on: "ubuntu-22.04"
 permissions:
 contents: write
+ packages: write
 if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
 timeout-minutes: 45
 steps:
@@ -45,6 +45,13 @@ jobs:
 run: |
 echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Publish release
 run: |
 make docker-login
@@ -61,7 +68,8 @@ jobs:
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 
 listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
@@ -73,7 +81,8 @@ jobs:
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 
 listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
@@ -85,7 +94,8 @@ jobs:
 VERSION=${TAG} \
 PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
 OUTPUT_TYPE=type=registry \
- GENERATE_ATTESTATIONS=true
+ GENERATE_ATTESTATIONS=true \
+ PUSH_TO_GHCR=true
 fi
 env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
diff --git a/Makefile b/Makefile
index a704b2a3c5d..0862520dcef 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ GATOR_REPOSITORY ?= openpolicyagent/gator
 IMG := $(REPOSITORY):latest
 CRD_IMG := $(CRD_REPOSITORY):latest
 GATOR_IMG := $(GATOR_REPOSITORY):latest
+PUSH_TO_GHCR ?= false
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
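Review bot: The workflow-level default `permissions: read-all` in the first hunk of release.yaml is broader than the change needs: it grants read on every token scope (issues, pull-requests, security-events, deployments, ...) to any job that does not declare its own block, where the previous `contents: read` granted one. The only job shown, `tagged-release`, already declares its own `permissions:` block (with `packages: write` added in the next hunk), and a job-level block replaces the workflow default entirely, so `read-all` contributes nothing to the GHCR push. Keep `permissions:` / `  contents: read` at the workflow level and add `packages: read` there only if another job in this workflow actually pulls from GHCR.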
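Review bot: `PUSH_TO_GHCR ?= false` in the Makefile's first hunk is the one switch in this file that changes where images are published, yet unlike `DEV_TAG` two lines below it carries no comment, and its effect depends on the exact string `true` via the `$(filter true,...)` checks further down (`PUSH_TO_GHCR=1` or `PUSH_TO_GHCR=yes` silently do nothing). Suggest `# PUSH_TO_GHCR=true (exact string) additionally tags every image for ghcr.io; the caller is expected to have logged in to ghcr.io beforehand, as the workflows now do` above it.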
@@ -416,7 +417,9 @@ docker-buildx-dev: docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(REPOSITORY):$(DEV_TAG) \
- -t $(REPOSITORY):dev .
+ -t $(REPOSITORY):dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(DEV_TAG)) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):dev) .
 
 docker-buildx-crds-dev: build-crds docker-buildx-builder
 docker buildx build \
@@ -426,6 +429,8 @@ docker-buildx-crds-dev: build-crds docker-buildx-builder
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_REPOSITORY):$(DEV_TAG) \
 -t $(CRD_REPOSITORY):dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(DEV_TAG)) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):dev) \
 -f crd.Dockerfile .staging/crds/
 
 docker-buildx-release: docker-buildx-builder
@@ -434,7 +439,8 @@ docker-buildx-release: docker-buildx-builder
 --build-arg LDFLAGS=${LDFLAGS} \
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
- -t $(REPOSITORY):$(VERSION) .
+ -t $(REPOSITORY):$(VERSION) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(VERSION)) .
 
 docker-buildx-crds-release: build-crds docker-buildx-builder
 docker buildx build \
@@ -443,6 +449,7 @@ docker-buildx-crds-release: build-crds docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t $(CRD_REPOSITORY):$(VERSION) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(VERSION)) \
 -f crd.Dockerfile .staging/crds/
 
 # Build gator image
@@ -454,6 +461,8 @@ docker-buildx-gator-dev: docker-buildx-builder
 --output=$(OUTPUT_TYPE) \
 -t ${GATOR_REPOSITORY}:${DEV_TAG} \
 -t ${GATOR_REPOSITORY}:dev \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${DEV_TAG}) \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:dev) \
 -f gator.Dockerfile .
 
 docker-buildx-gator-release: docker-buildx-builder
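Review bot: `ghcr.io/$(REPOSITORY)` in the docker-buildx-dev hunk reuses the Docker Hub namespace for GHCR, which with the defaults visible here (`openpolicyagent/gator`, `openpolicyagent/gatekeeper-crds`) yields `ghcr.io/openpolicyagent/...`, while both workflows authenticate with a `GITHUB_TOKEN` scoped to `open-policy-agent/gatekeeper`; as far as I know that token can only write packages under the repository's own owner, so unless `openpolicyagent` is a GitHub namespace this token is authorized for, the push will be rejected at the registry, after the Docker Hub tags in the same buildx invocation have already been accepted. A separate `GHCR_REPOSITORY` (plus crds/gator equivalents) defaulting to the GitHub owner, rather than deriving the GHCR name from the Docker Hub one, would make the target explicit and reviewable. The same construction is repeated in the remaining five Makefile hunks (crds-dev, release, crds-release, gator-dev, gator-release); a single helper such as `ghcr_tags = $(if $(filter true,$(PUSH_TO_GHCR)),$(foreach t,$(2),-t ghcr.io/$(1):$(t)))` used as `$(call ghcr_tags,$(REPOSITORY),$(DEV_TAG) dev)` would keep the condition in one place.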
@@ -463,6 +472,7 @@ docker-buildx-gator-release: docker-buildx-builder
 --platform="$(PLATFORM)" \
 --output=$(OUTPUT_TYPE) \
 -t ${GATOR_REPOSITORY}:${VERSION} \
+ $(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${VERSION}) \
 -f gator.Dockerfile .
 
 # Update manager_image_patch.yaml with image tag