From 2191cd3936816244ffd4386b09f54c179c93b6f2 Mon Sep 17 00:00:00 2001
From: Rafael Breno <32229014+rafaelbreno@users.noreply.github.com>
Date: Mon, 16 Sep 2024 19:51:38 -0300
Subject: [PATCH] Add slsa3

---
 .github/workflows/image-push.yml | 37 ++++++++++++++------------------
 Makefile | 34 +++++++++++++++++++++++++++--
 2 files changed, 48 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
index 33fe2e6..e625659 100644
--- a/.github/workflows/image-push.yml
+++ b/.github/workflows/image-push.yml
@@ -23,32 +23,27 @@ jobs:
 run: |
 echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
 
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
 - name: "Read secrets"
 uses: rancher-eio/read-vault-secrets@main
 with:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
- secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
- - name: Login to Container Registry
- uses: docker/login-action@v3
+ - name: Build and push image
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
 with:
- username: ${{ env.DOCKER_USERNAME }}
- password: ${{ env.DOCKER_PASSWORD }}
+ image: rancher/hardened-node-feature-discovery
+ tag: ${{ github.event.release.tag_name }}
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
 
- - name: Build container image
- uses: docker/build-push-action@v6
- with:
- context: .
- push: true
- tags: rancher/hardened-node-feature-discovery:${{ github.event.release.tag_name }}
- file: Dockerfile
- platforms: linux/amd64, linux/arm64
- build-args: |
- TAG=${{ env.TAG }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
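Review bot: `uses: rancher/ecm-distro-tools/actions/publish-image@master` pins the new publish step to a mutable branch while handing it both the Docker Hub and the prime-registry credentials read in the step above, so anyone who can push to that branch can exfiltrate them from this workflow; pin to a full commit SHA with a version comment, `uses: rancher/ecm-distro-tools/actions/publish-image@<40-hex-sha> # <tag or date>` (the pre-existing `read-vault-secrets@main` context line has the same exposure and is worth fixing in the same pass). The removed `platforms: linux/amd64, linux/arm64` has no replacement in this step, and the Makefile's new `TARGET_PLATFORMS` defaults to the runner's own `uname -m`, so unless publish-image sets `TARGET_PLATFORMS` itself the release image may silently become single-arch — confirm against the action's inputs. The `TAG` still written to `GITHUB_ENV` at the top of the hunk is no longer passed as `build-args`; presumably the action's `make` call picks it up from the environment, but if not that export is now dead.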
diff --git a/Makefile b/Makefile
index 8da8843..6142b47 100644
--- a/Makefile
+++ b/Makefile
@@ -10,12 +10,26 @@ else
 ARCH=$(UNAME_M)
 endif
 
+ifndef TARGET_PLATFORMS
+ ifeq ($(UNAME_M), x86_64)
+ TARGET_PLATFORMS:=linux/amd64
+ else ifeq ($(UNAME_M), aarch64)
+ TARGET_PLATFORMS:=linux/arm64
+ else
+ TARGET_PLATFORMS:=linux/$(UNAME_M)
+ endif
+endif
+
+
 BUILD_META=-build$(shell date +%Y%m%d)
 ORG ?= rancher
 PKG ?= "github.com/kubernetes-sigs/node-feature-discovery"
 SRC ?= "github.com/kubernetes-sigs/node-feature-discovery"
 TAG ?= ${GITHUB_ACTION_TAG}
+REPO ?= rancher
+IMAGE ?= $(REPO)/hardened-node-feature-discovery:$(TAG)
+
 
 ifeq ($(TAG),)
 TAG := v0.15.6$(BUILD_META)
 endif
@@ -33,11 +47,27 @@ image-build:
 --build-arg PKG=$(PKG) \
 --build-arg SRC=$(SRC) \
 --build-arg TAG=$(TAG:$(BUILD_META)=) \
- --tag $(ORG)/hardened-node-feature-discovery:$(TAG) \
- --tag $(ORG)/hardened-node-feature-discovery:$(TAG)-$(ARCH) \
+ --tag $(IMAGE) \
+ --tag $(IMAGE)-$(ARCH) \
 --load \
 .
 
+.PHONY: push-image
+push-image:
+ docker buildx build \
+ $(IID_FILE_FLAG) \
+ --sbom=true \
+ --attest type=provenance,mode=max \
+ --platform=$(TARGET_PLATFORMS) \
+ --build-arg ARCH=$(ARCH) \
+ --build-arg PKG=$(PKG) \
+ --build-arg SRC=$(SRC) \
+ --build-arg TAG=$(TAG:$(BUILD_META)=) \
+ --tag $(IMAGE) \
+ --tag $(IMAGE)-$(ARCH) \
+ --push \
+ .
+
 .PHONY: image-push
 image-push:
 docker push $(ORG)/hardened-node-feature-discovery:$(TAG)-$(ARCH)
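Review bot: `REPO ?= rancher` adds a second knob for the same value as the existing `ORG ?= rancher`: `image-build` now tags `$(IMAGE)` = `$(REPO)/...` while `image-push` (context in the next hunk) still pushes `$(ORG)/...`, so overriding only one of them makes `image-push` try to push a tag that was never built. Default the new variable to the old one, `REPO ?= $(ORG)`, or route `image-push` through `$(IMAGE)` as well. The `TARGET_PLATFORMS` fallback `linux/$(UNAME_M)` passes raw `uname -m` output to `--platform`, which for hosts other than x86_64/aarch64 (e.g. `armv7l`) may not be a platform string buildx accepts; either map the remaining cases explicitly or stop with `$(error unsupported architecture $(UNAME_M))`. A comment above the block, `# Platforms for buildx --platform; defaults to the host only, so CI must set TARGET_PLATFORMS for multi-arch releases`, would make the single-arch default visible to whoever wires up the workflow.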
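Review bot: `--attest type=provenance,mode=max` records every `--build-arg` value in the provenance document that is pushed next to the image, so the `push-image` recipe should state that contract in a comment, `# mode=max embeds all build args in the published attestation: never pass secrets via --build-arg here` (the current ARCH/PKG/SRC/TAG arguments are fine). `$(IID_FILE_FLAG)` is expanded in the recipe but defined nowhere in the file as shown, so a bare `make push-image` silently drops it; declare `IID_FILE_FLAG ?=` near the other variables with a comment on what the caller is expected to pass (presumably `--iidfile=<path>` from the publish action — confirm). With `--platform=$(TARGET_PLATFORMS)` able to hold several platforms, `--tag $(IMAGE)-$(ARCH)` would push a multi-arch manifest list under a single host-arch suffix, which misleads consumers of the `-amd64`/`-arm64` tags; consider emitting the suffixed tag only when `TARGET_PLATFORMS` names one platform. The commit title says slsa3, but a buildx provenance attestation by itself does not establish a SLSA build level — that depends on the builder's isolation and signing — so the comment should promise no more than "SLSA provenance attestation attached".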