diff --git a/.github/workflows/cnspec.yaml b/.github/workflows/cnspec.yaml index 209e95c0..81677c7c 100644 --- a/.github/workflows/cnspec.yaml +++ b/.github/workflows/cnspec.yaml @@ -12,7 +12,8 @@ on: default: 'latest' env: - IMAGE: ghcr.io/mondoohq/mondoo-operator/cnspec + GHCR_IMAGE: ghcr.io/mondoohq/mondoo-operator/cnspec + GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/mondoo-operator-cnspec jobs: build-cnspec: @@ -55,11 +56,27 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Authenticate with Google Cloud + uses: "google-github-actions/auth@v2" + with: + credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" + + - name: "Set up Cloud SDK" + uses: "google-github-actions/setup-gcloud@v2" + + - name: Docker Login (GCR) + run: | + gcloud auth configure-docker + - name: "Setup Docker Buildx" + uses: docker/setup-buildx-action@v3 + - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.IMAGE }} + images: | + ${{ env.GHCR_IMAGE }} + ${{ env.GCP_IMAGE }} tags: | type=semver,pattern={{version}},value=${{ env.VERSION }} type=semver,pattern={{major}},value=${{ env.VERSION }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 5c21fd08..6de53480 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -12,13 +12,23 @@ on: branches: [main] # Publish semver tags as releases. tags: ["v*.*.*"] + workflow_dispatch: + inputs: + version: + description: 'Version of the cnspec container to publish' + type: string + required: false + default: 'latest' env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} - RELEASE: ${{ github.ref_name }} + + GHCR_IMAGE: ghcr.io/${{ github.repository }} + GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/${{ github.repository }} + RELEASE: ${{ inputs.version }} jobs: debug-event: 
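Review bot: `gcloud auth configure-docker` with no registry argument only registers the credential helper for the default `*.gcr.io` hosts, so the build's push to `us-docker.pkg.dev` (the new `GCP_IMAGE` fed into metadata-action) will run without GCP credentials; change the step to `gcloud auth configure-docker us-docker.pkg.dev` (the step name `Docker Login (GCR)` is also misleading — the target is Artifact Registry, not GCR). The `credentials_json` input consumes a long-lived service-account key stored in `GCP_ARTIFACT_REGISTRY_SA`; if the job can be granted `id-token: write`, the `workload_identity_provider`/`service_account` inputs of the same `auth@v2` action remove the stored key entirely. Alternatively, skip the Cloud SDK install and reuse `docker/login-action@v3` against `us-docker.pkg.dev` with username `oauth2accesstoken` and the `access_token` output of `auth@v2` (`token_format: access_token`), which keeps the login path identical to the ghcr step just above. The `uses:` values are quoted inconsistently (`"google-github-actions/auth@v2"` vs. `docker/setup-buildx-action@v3`); pick one form.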
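Review bot: `RELEASE: ${{ inputs.version }}` breaks the tag-push path: the `inputs` context is only populated for `workflow_dispatch` (and `workflow_call`), so on the `tags: ["v*.*.*"]` pushes this workflow still triggers on, `RELEASE` becomes empty where it was previously the tag name from `github.ref_name`. Use a fallback, `RELEASE: ${{ inputs.version || github.ref_name }}`, assuming the downstream jobs (outside this hunk) still consume `RELEASE` as before. `GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/${{ github.repository }}` expands to `.../release/mondoohq/mondoo-operator`, an extra `mondoohq/` path segment compared with the flat `mondoo-operator-cnspec` name used in cnspec.yaml — valid for Artifact Registry, but confirm that nesting is intended. The input description `'Version of the cnspec container to publish'` appears copied from cnspec.yaml; this workflow publishes the operator image.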
@@ -174,6 +184,44 @@ jobs: TAGS: ${{ steps.meta.outputs.tags }} CPU_ARCHS: amd64 arm64 arm + push-gcp: + name: Push to GCP + runs-on: ubuntu-latest + needs: + - push-virtual-tag + + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Install Skopeo + run: | + sudo apt-get update + sudo apt-get -y install skopeo + + - name: Push to GCP + run: | + tags = ${{ steps.meta.outputs.tags }} + for tag in $tags; do + gcpRepo = "${$tag/$GHCR_IMAGE/"${{ env.GCP_IMAGE }}"}" + skopeo copy --all $tag ${{ env.GCP_IMAGE }}:$tag + done + build-bundle: if: startsWith(github.ref, 'refs/tags/v') needs:
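Review bot: The `Push to GCP` run script cannot work as written: `tags = ${{ ... }}` has spaces around `=` so bash tries to execute a command named `tags` (and the multi-line tags output spills onto further script lines), `${$tag/...}` is a bad substitution, and the destination `${{ env.GCP_IMAGE }}:$tag` appends the whole source reference (`ghcr.io/...:vX.Y.Z`) after the colon; skopeo also needs `docker://` transport prefixes on both sides. Nothing in this job authenticates to `us-docker.pkg.dev` either — there is no `google-github-actions/auth` step and no `skopeo login` — so even a syntactically fixed copy would be rejected. Pass the tags through `env:` instead of interpolating `${{ }}` into the script, derive the destination with `${tag/$GHCR_IMAGE/$GCP_IMAGE}`, and log in with a short-lived access token from `google-github-actions/auth@v2`; the `id-token: write` permission already requested here would also let that action use Workload Identity Federation instead of a stored key. `packages: write` can be narrowed to `packages: read` since this job only pulls from ghcr.io (add a `skopeo login ghcr.io` with `GITHUB_TOKEN` if the package is private). This job's metadata-action has no `tags:` input, so it may compute a different tag set than the job that pushed the ghcr.io images — confirm the two match.
```yaml
    permissions:
      contents: read
      packages: read
      id-token: write

    steps:
      # … unchanged: checkout, metadata-action, skopeo install …

      - name: Authenticate with Google Cloud
        id: gcp-auth
        uses: google-github-actions/auth@v2
        with:
          token_format: access_token
          credentials_json: ${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}

      - name: Push to GCP
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          GCP_TOKEN: ${{ steps.gcp-auth.outputs.access_token }}
        run: |
          set -euo pipefail
          skopeo login --username oauth2accesstoken --password-stdin us-docker.pkg.dev <<<"$GCP_TOKEN"
          while IFS= read -r tag; do
            [ -n "$tag" ] || continue
            dest="${tag/$GHCR_IMAGE/$GCP_IMAGE}"
            skopeo copy --all "docker://$tag" "docker://$dest"
          done <<<"$TAGS"
```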