ci: generate attestations during a release (#2785)

* ci: use keyless signing for main and release branches Signed-off-by: Justin Marquis <[email protected]> * fix typo Signed-off-by: Justin Marquis <[email protected]> * ci: generate attestations during a release Signed-off-by: Justin Marquis <[email protected]> * add release trigger script Signed-off-by: Justin Marquis <[email protected]> --------- Signed-off-by: Justin Marquis <[email protected]> Signed-off-by: zachaller <[email protected]> Co-authored-by: zachaller <[email protected]>
argoproj · Jul 12, 2023 · 48e9aa3 · 48e9aa3
1 parent 3c5ac36
commit 48e9aa3
Show file tree

Hide file tree

Showing 8 changed files with 439 additions and 171 deletions.
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,39 @@
+# Workflows
+
+| Workflow            | Description                                                     |
+|---------------------|-----------------------------------------------------------------|
+| changelog.yml       | Updates changelog when a release is published                   |
+| codeql.yaml         | CodeQL analysis                                                 |
+| docker-publish.yaml | Build container image for PR's & publish for push events        |
+| image-reuse.yaml    | Build, push, and Sign container images                          |
+| go.yaml             | lint, build, codegen                                            |
+| pr-title-check.yaml | Lint PR for semantic information                                |
+| init-release.yaml   | Build manifests and version then create a PR for release branch |
+| release.yaml        | Build images, cli-binaries, provenances, and post actions       |
+
+
+# Reusable workflows
+
+## image-reuse.yaml
+
+- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- A GO version `must` be specified e.g. 1.19
+- The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
+- Multiple platforms can be specified e.g. linux/amd64,linux/arm64
+- Images are not published by default. A boolean value must be set to `true` to push images.
+- An optional target can be specified.
+
+| Inputs            | Description                         | Type        | Required | Defaults        |
+|-------------------|-------------------------------------|-------------|----------|-----------------|
+| go-version        | Version of Go to be used            | string      | true     | none            |
+| quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| docker_image_name | Full image name and tag             | CSV, string | false    | none            |
+| platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
+| push              | Whether to push image/s to registry | boolean     | false    | false           |
+| target            | Target build stage                  | string      | false    | none            |
+
+| Outputs     | Description                              | Type  |
+|-------------|------------------------------------------|-------|
+|image-digest | Image digest of image container created  | string|
+