add slsa3

.github/workflows/image-push.yml

@@ -23,12 +23,6 @@ jobs:
       run: |
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
 
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
     - name: "Read secrets"
       uses: rancher-eio/read-vault-secrets@main
       with:
@@ -42,26 +36,24 @@ jobs:
         username: ${{ env.DOCKER_USERNAME }}
         password: ${{ env.DOCKER_PASSWORD }}
 
-    - name: Build thin plugin image
-      uses: docker/build-push-action@v6
+    - name: Build and push thin plugin image
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        context: .
-        push: true
-        tags: rancher/hardened-multus-cni:${{ github.event.release.tag_name }}
-        file: Dockerfile
-        target: multus-thin
-        platforms: linux/amd64, linux/arm64
-        build-args: |
-          TAG=${{ env.TAG }}
-
-    - name: Build thick plugin image
-      uses: docker/build-push-action@v6
+        image: hardened-multus-cni
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: rancher
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+        push-to-prime: false
+        make-target: push-image-thin
+
+    - name: Build and push thick plugin image
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        context: .
-        push: true
-        tags: rancher/hardened-multus-thick:${{ github.event.release.tag_name }}
-        file: Dockerfile
-        target: multus-thick
-        platforms: linux/amd64, linux/arm64
-        build-args: |
-          TAG=${{ env.TAG }}
+        image: hardened-multus-thick
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: rancher
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+        push-to-prime: false
+        make-target: push-image-thick

Makefile

@@ -10,6 +10,16 @@ else
 	ARCH=$(UNAME_M)
 endif
 
+ifndef TARGET_PLATFORMS
+	ifeq ($(UNAME_M), x86_64)
+		TARGET_PLATFORMS:=linux/amd64
+	else ifeq ($(UNAME_M), aarch64)
+		TARGET_PLATFORMS:=linux/arm64
+	else 
+		TARGET_PLATFORMS:=linux/$(UNAME_M)
+	endif
+endif
+
 BUILD_META=-build$(shell date +%Y%m%d)
 ORG ?= rancher
 PKG ?= github.com/k8snetworkplumbingwg/multus-cni
@@ -37,6 +47,21 @@ image-build-thin:
 		--load \
 	.
 
+.PHONY: push-image-thin
+push-image-thin:
+	docker buildx build \
+		--sbom=true \
+		--attest type=provenance,mode=max \
+		--platform=$(TARGET_PLATFORMS) \
+		--build-arg PKG=$(PKG) \
+		--build-arg SRC=$(SRC) \
+		--build-arg TAG=$(TAG:$(BUILD_META)=) \
+		--target multus-thin \
+		--tag $(ORG)/hardened-multus-cni:$(TAG) \
+		--tag $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH) \
+		--push \
+		.
+
 .PHONY: image-build-thick
 image-build-thick:
 	docker buildx build \
@@ -50,6 +75,21 @@ image-build-thick:
 		--load \
 	.
 
+.PHONY: push-image-thick
+push-image-thick:
+	docker buildx build \
+		--sbom=true \
+		--attest type=provenance,mode=max \
+		--platform=$(TARGET_PLATFORMS) \
+		--build-arg PKG=$(PKG) \
+		--build-arg SRC=$(SRC) \
+		--build-arg TAG=$(TAG:$(BUILD_META)=) \
+		--target multus-thick \
+		--tag $(ORG)/hardened-multus-thick:$(TAG) \
+		--tag $(ORG)/hardened-multus-thick:$(TAG)-$(ARCH) \
+		--push \
+		.
+
 .PHONY: image-push
 image-push:
 	docker push $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)