Merge pull request kubearmor#1764 from DelusionalOptimist/oci-artifacts

chore(CI): publish KubeArmor tars to dockerhub

Author: daemon1024

.github/workflows/ci-latest-helm-chart-release.yaml

@@ -13,7 +13,7 @@ permissions: read-all
 jobs:
   publish-chart:
     name: Update Stable Helm Chart With Latest Changes
-    if: ${{ (github.repository == 'kubearmor/kubearmor') && (!contains(github.event.head_commit.message, '[skip ci]')) }}
+    if: ${{ (github.repository == 'kubearmor/kubearmor') }}
     runs-on: ubuntu-20.04
     permissions:
       contents: write

.github/workflows/ci-latest-release.yml

@@ -46,7 +46,7 @@ jobs:
     if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main')
     runs-on: ubuntu-latest-16-cores
     permissions:
-      id-token: write 
+      id-token: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v3
@@ -81,7 +81,7 @@ jobs:
         run: |
           make docker-build TAG=${{ steps.vars.outputs.tag }}
 
-      - name: deploy pre existing pod 
+      - name: deploy pre existing pod
         run: |
           kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
           sleep 60
@@ -93,7 +93,7 @@ jobs:
           docker save kubearmor/kubearmor:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
           docker save kubearmor/kubearmor-operator:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
           docker save kubearmor/kubearmor-snitch:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
-        
+
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=${{ steps.vars.outputs.tag }}
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
           kubectl get pods -A
@@ -145,12 +145,12 @@ jobs:
       - name: Push KubeArmor images to Docker
         run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }}
 
-      - name: Install Cosign 
+      - name: Install Cosign
         uses: sigstore/cosign-installer@main
 
       - name: Get Image Digest
         id: digest
-        run: | 
+        run: |
           echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
           echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
           echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT
@@ -207,7 +207,7 @@ jobs:
           regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
           regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
           regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
-  
+
   kubearmor-controller-release:
     name: Build & Push KubeArmorController
     needs: check
@@ -223,7 +223,7 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'KubeArmor/go.mod'
-  
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
 

.github/workflows/ci-marketplace-release.yml

@@ -7,6 +7,9 @@ on:
       - "STABLE-RELEASE"
       - ".github/workflows/ci-marketplace-release.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   certify-images-on-redhat:
     runs-on: ubuntu-latest
@@ -249,4 +252,4 @@ jobs:
 
             Assignees: @kubearmor/triagers
 
-            Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.
+            Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.

.github/workflows/ci-systemd-release.yml

@@ -1,10 +1,19 @@
 name: ci-systemd-release
 
 on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag which has to be updated"
+        type: "string"
+        required: true
   push:
     tags:
       - "*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   goreleaser:
     runs-on: ubuntu-20.04
@@ -16,34 +25,70 @@ jobs:
       - uses: actions/checkout@v3
         with:
           submodules: true
+          fetch-depth: 0
 
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'KubeArmor/go.mod'
-      
 
       - name: Install the latest LLVM toolchain
         run: ./.github/workflows/install-llvm.sh
 
       - name: Compile libbpf
         run: ./.github/workflows/install-libbpf.sh
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
 
       - name: Install karmor
         run: curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b .
         working-directory: KubeArmor
-      
+
       - name: Build KubeArmor object files
-        run: make 
+        run: make
         working-directory: KubeArmor/BPF
-      
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_AUTHTOK }}
+
+      - name: Get release tag
+        id: vars
+        run: |
+          cp KubeArmor/.goreleaser.yaml /tmp/.goreleaser.yaml
+          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+            # checkout branch but use goreleaser config from latest
+            echo "Checking out tag: ${{ inputs.tag }}"
+            git checkout ${{ inputs.tag }}
+            echo "GORELEASER_CURRENT_TAG=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+
+            REF=${{ inputs.tag }}
+            echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+          else
+            REF=${GITHUB_REF#refs/*/}
+            echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+          fi
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
           version: v1.25.0
-          args: release --clean
+          args: release --config=/tmp/.goreleaser.yaml
           workdir: KubeArmor
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_CURRENT_TAG: ${{ steps.vars.outputs.GORELEASER_CURRENT_TAG }}
+
+      - name: Setup ORAS
+        uses: oras-project/setup-oras@v1
+        with:
+          version: 1.0.0
+
+      - name: Publish release artifacts to Dockerhub
+        working-directory: KubeArmor/dist
+        run: |
+          oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-amd64 kubearmor_${{ steps.vars.outputs.tag }}_linux-amd64.tar.gz
+          oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-arm64 kubearmor_${{ steps.vars.outputs.tag }}_linux-arm64.tar.gz

KubeArmor/.goreleaser.yaml

@@ -11,6 +11,11 @@ builds:
     env:
       - CGO_ENABLED=0
 
+release:
+  replace_existing_artifacts: true
+  mode: replace
+  make_latest: false
+
 signs:
   - cmd: cosign
     certificate: '${artifact}.cert'
@@ -22,7 +27,7 @@ signs:
       - --yes
     artifacts: all
     output: true
-    
+
 archives:
   - id: "kubearmor"
     builds:

KubeArmor/go.mod

@@ -45,6 +45,7 @@ require (
 	k8s.io/apimachinery v0.29.0
 	k8s.io/client-go v0.29.0
 	k8s.io/cri-api v0.29.0
+	k8s.io/klog/v2 v2.120.0
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57
 	sigs.k8s.io/controller-runtime v0.15.3
 )
@@ -130,7 +131,6 @@ require (
 	gotest.tools/v3 v3.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
 	k8s.io/component-base v0.29.0 // indirect
-	k8s.io/klog/v2 v2.120.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect