refactor: apply review comment #3658 (review)

Signed-off-by: TakahiroTsuruda <[email protected]>
open-policy-agent · Oct 24, 2024 · d1e8d7b · d1e8d7b
1 parent 42b7466
commit d1e8d7b
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 184 deletions.
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
@@ -4,7 +4,9 @@ on:
     branches:
       - master
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: write
 
 env:
   IMAGE_REPO: openpolicyagent/gatekeeper
@@ -26,6 +28,13 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Publish development
         run: |
           make docker-login
@@ -38,7 +47,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-dev \
+            make PUSH_TO_GHCR=true docker-buildx-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
@@ -50,7 +59,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-crds-dev \
+            make PUSH_TO_GHCR=true docker-buildx-crds-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
@@ -62,7 +71,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-gator-dev \
+            make PUSH_TO_GHCR=true docker-buildx-gator-dev \
               DEV_TAG=${GITHUB_SHA::7} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
@@ -71,85 +80,3 @@ jobs:
         env:
           DOCKER_USER: ${{ secrets.DOCKER_USER }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-
-  pre-release-ghcr:
-    name: "Pre Release ghcr.io"
-    runs-on: "ubuntu-22.04"
-    if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
-    timeout-minutes: 30
-    permissions:
-      packages: write
-      contents: read
-      actions: read
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Check if tag already exists in ghcr.io/${{ env.IMAGE_REPO }}
-        id: check-ghcr-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push ${{ env.IMAGE_REPO }} to GHCR
-        if: steps.check-ghcr-image.outputs.exists == 'false'
-        run: |
-          make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-dev \
-            DEV_TAG=${GITHUB_SHA::7} \
-            PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
-
-      - name: Check if tag already exists in ghcr.io/${{ env.CRD_IMAGE_REPO }}
-        id: check-ghcr-crd-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
-        if: steps.check-ghcr-crd-image.outputs.exists == 'false'
-        run: |
-          make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-dev \
-            DEV_TAG=${GITHUB_SHA::7} \
-            PLATFORM="linux/amd64,linux/arm64" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
-
-      - name: Check if tag already exists in ghcr.io/${{ env.GATOR_IMAGE_REPO }}
-        id: check-ghcr-gator-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${GITHUB_SHA::7} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-          
-      - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
-        if: steps.check-ghcr-gator-image.outputs.exists == 'false'
-        run: |
-          make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-dev \
-            DEV_TAG=${GITHUB_SHA::7} \
-            PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,6 +11,7 @@ env:
 
 permissions:
   contents: read
+  packages: write
 
 jobs:
   tagged-release:
@@ -45,6 +46,13 @@ jobs:
         run: |
           echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Publish release
         run: |
           make docker-login
@@ -57,7 +65,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-release \
+            make PUSH_TO_GHCR=true docker-buildx-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
@@ -69,7 +77,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-crds-release \
+            make PUSH_TO_GHCR=true docker-buildx-crds-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64" \
               OUTPUT_TYPE=type=registry \
@@ -81,7 +89,7 @@ jobs:
           exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
           if [[ $exists == null ]]
           then
-            make docker-buildx-gator-release \
+            make PUSH_TO_GHCR=true docker-buildx-gator-release \
               VERSION=${TAG} \
               PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
               OUTPUT_TYPE=type=registry \
@@ -156,96 +164,3 @@ jobs:
           charts_dir: charts
           target_dir: charts
           linting: off
-
-  tagged-release-ghcr:
-    name: "Tagged Release GHCR"
-    runs-on: "ubuntu-22.04"
-    permissions:
-      packages: write
-      contents: read
-      actions: read
-    if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
-    timeout-minutes: 30
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
-
-      - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version: "1.22"
-          check-latest: true
-
-      - name: Get tag
-        id: get-version
-        run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Check if ${{ env.IMAGE_REPO }} exists in GHCR
-        id: check-ghcr-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push ghcr.io/${{ env.IMAGE_REPO }}
-        if: steps.check-ghcr-image.outputs.exists == 'false'
-        run: |
-          make REPOSITORY=ghcr.io/${{ env.IMAGE_REPO }} docker-buildx-release \
-            VERSION=${{ steps.get-version.outputs.TAG }} \
-            PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
-
-
-      - name: Check if ${{ env.CRD_IMAGE_REPO }} exists in GHCR
-        id: check-ghcr-crd-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.CRD_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push ghcr.io/${{ env.CRD_IMAGE_REPO }}
-        if: steps.check-ghcr-crd-image.outputs.exists == 'false'
-        run: |
-          make CRD_REPOSITORY=ghcr.io/${{ env.CRD_IMAGE_REPO }} docker-buildx-crds-release \
-            VERSION=${{ steps.get-version.outputs.TAG }} \
-            PLATFORM="linux/amd64,linux/arm64" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
-        
-      - name: Check if ${{ env.GATOR_IMAGE_REPO }} exists in GHCR
-        id: check-ghcr-gator-image
-        run: |
-          if docker manifest inspect ghcr.io/${{ github.repository_owner }}/${{ env.GATOR_IMAGE_REPO }}:${{ steps.get-version.outputs.TAG }} > /dev/null 2>&1; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-      
-      - name: Build and push ghcr.io/${{ env.GATOR_IMAGE_REPO }}
-        if: steps.check-ghcr-gator-image.outputs.exists == 'false'
-        run: |
-          make GATOR_REPOSITORY=ghcr.io/${{ env.GATOR_IMAGE_REPO }} docker-buildx-gator-release \
-            VERSION=${{ steps.get-version.outputs.TAG }} \
-            PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
-            OUTPUT_TYPE=type=registry \
-            GENERATE_ATTESTATIONS=true
diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ GATOR_REPOSITORY ?= openpolicyagent/gator
 IMG := $(REPOSITORY):latest
 CRD_IMG := $(CRD_REPOSITORY):latest
 GATOR_IMG := $(GATOR_REPOSITORY):latest
+PUSH_TO_GHCR ?= false
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
@@ -408,6 +409,7 @@ docker-buildx-crds: build-crds docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_IMG) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_IMG)) \
 		-f crd.Dockerfile .staging/crds/
 
 docker-buildx-dev: docker-buildx-builder
@@ -417,7 +419,9 @@ docker-buildx-dev: docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(REPOSITORY):$(DEV_TAG) \
-		-t $(REPOSITORY):dev .
+		-t $(REPOSITORY):dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(DEV_TAG)) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):dev) .
 
 docker-buildx-crds-dev: build-crds docker-buildx-builder
 	docker buildx build \
@@ -427,6 +431,8 @@ docker-buildx-crds-dev: build-crds docker-buildx-builder
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_REPOSITORY):$(DEV_TAG) \
 		-t $(CRD_REPOSITORY):dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(DEV_TAG)) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):dev) \
 		-f crd.Dockerfile .staging/crds/
 
 docker-buildx-release: docker-buildx-builder
@@ -435,7 +441,8 @@ docker-buildx-release: docker-buildx-builder
 		--build-arg LDFLAGS=${LDFLAGS} \
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
-		-t $(REPOSITORY):$(VERSION) .
+		-t $(REPOSITORY):$(VERSION) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(REPOSITORY):$(VERSION)) .
 
 docker-buildx-crds-release: build-crds docker-buildx-builder
 	docker buildx build \
@@ -444,6 +451,7 @@ docker-buildx-crds-release: build-crds docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t $(CRD_REPOSITORY):$(VERSION) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/$(CRD_REPOSITORY):$(VERSION)) \
 		-f crd.Dockerfile .staging/crds/
 
 # Build gator image
@@ -455,6 +463,8 @@ docker-buildx-gator-dev: docker-buildx-builder
 		--output=$(OUTPUT_TYPE) \
 		-t ${GATOR_REPOSITORY}:${DEV_TAG} \
 		-t ${GATOR_REPOSITORY}:dev \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${DEV_TAG}) \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:dev) \
 		-f gator.Dockerfile .
 
 docker-buildx-gator-release: docker-buildx-builder
@@ -464,6 +474,7 @@ docker-buildx-gator-release: docker-buildx-builder
 		--platform="$(PLATFORM)" \
 		--output=$(OUTPUT_TYPE) \
 		-t ${GATOR_REPOSITORY}:${VERSION} \
+		$(if $(filter true,$(PUSH_TO_GHCR)),-t ghcr.io/${GATOR_REPOSITORY}:${VERSION}) \
 		-f gator.Dockerfile .
 
 # Update manager_image_patch.yaml with image tag