.github/workflows/image.yaml

name: image
on:
  push:
    tags:
      - v*

permissions:
  contents: read
  packages: write
  id-token: write 

jobs:
  push-policy-reporter-kyverno-plugin:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Push image
        id: params
        run: |
          # Strip git ref prefix from version
          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
          # Strip "v" prefix from tag name
          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
          echo VERSION=$VERSION
          echo "::set-output name=version::$VERSION"

      - name: Login to Github Packages
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        id: buildx
        with:
          install: true
          version: latest

      - name: Build image and push to GitHub Container Registry
        uses: docker/build-push-action@v3
        id: push
        with:
          push: true
          platforms: linux/arm64,linux/amd64,linux/s390x
          tags: |
            ghcr.io/kyverno/policy-reporter-kyverno-plugin:latest
            ghcr.io/kyverno/policy-reporter-kyverno-plugin:${{ steps.params.outputs.version }}

      - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
        with:
          version: v1
          args: app -licenses -json -output policy-reporter-kyverno-plugin-bom.cdx.json -main .

      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: policy-reporter-kyverno-plugin-bom-cdx
          path: policy-reporter-kyverno-plugin-bom.cdx.json

      - name: Install Cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0

      - shell: bash
        env:
          COSIGN_EXPERIMENTAL: 'true'
          COSIGN_REPOSITORY: ghcr.io/kyverno/signatures
        run: |
          set -e
          cosign sign --yes \
            -a "repo=${{ github.repository }}" \
            -a "workflow=${{ github.workflow }}" \
            -a "ref=${{ github.sha }}" \
            ghcr.io/kyverno/policy-reporter-kyverno-plugin@${{ steps.push.outputs.digest }}
      
      - shell: bash
        env:
          COSIGN_REPOSITORY: ghcr.io/kyverno/sbom
        run: |
          cosign attach sbom --sbom ./policy-reporter-kyverno-plugin-bom.cdx.json --type cyclonedx ghcr.io/kyverno/policy-reporter-kyverno-plugin@${{ steps.push.outputs.digest }}