feat: NVSHAS-9494 make manager SLSA capable

neuvector · Dec 12, 2024 · 7c21211 · 7c21211
1 parent 1043bdf
commit 7c21211
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 14 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,6 +24,8 @@ jobs:
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
@@ -33,12 +35,11 @@ jobs:
       run: |
         TARGET=${{ github.ref_name }}
         echo "TAG=${TARGET#v}" >> $GITHUB_ENV
-    - name: Publish public manifest
+    - name: Publish neuvector manifest
       uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
         push-to-public: true
         push-to-prime: false
-        make-target: push-image
         image: manager
         tag: ${{ env.TAG }}
         platforms: linux/amd64,linux/arm64
@@ -47,16 +48,20 @@ jobs:
         public-repo: neuvector
         public-username: ${{ env.DOCKER_USERNAME }}
         public-password: ${{ env.DOCKER_PASSWORD }}
-    - name: Publish prime manifest
+    - name: Publish rancher manifest
       uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env:
+        IMAGE_PREFIX: neuvector-
       with:
-        push-to-public: false
-        push-to-prime: true
-        make-target: push-rancher-image
         image: neuvector-manager
         tag: ${{ env.TAG }}
         platforms: linux/amd64,linux/arm64
 
+        public-registry: docker.io
+        public-repo: rancher
+        public-username: ${{ env.RANCHER_DOCKER_USERNAME }}
+        public-password: ${{ env.RANCHER_DOCKER_PASSWORD }}
+
         prime-registry: ${{ env.PRIME_REGISTRY }}
         prime-repo: rancher
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}

diff --git a/Makefile b/Makefile
@@ -95,11 +95,5 @@ build-image: buildx-machine ## build (and load) the container image targeting th
 push-image: buildx-machine
 	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
-		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/manager:$(TAG)" --push .
-	@echo "Pushed $(IMAGE)"
-
-push-rancher-image: buildx-machine
-	$(IMAGE_BUILDER) build -f package/Dockerfile \
-		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
-		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-manager:$(TAG)" --push .
-	@echo "Pushed $(IMAGE)"
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)manager:$(TAG)" --push .
+	@echo "Pushed $(REPO)/$(IMAGE_PREFIX)manager:$(TAG)"