Merge pull request #4 from linuxfoundation/jme/LFXV2-54

feature: add ko build workflow

Author: jordane

.github/workflows/ko-build-main.yaml

@@ -0,0 +1,36 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+name: Publish Main
+
+'on':
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Main
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - uses: ko-build/setup-ko@v0.8
+        with:
+          version: v0.17.1
+      - run: |
+          ko build github.com/linuxfoundation/lfx-v2-query-service/cmd \
+            -B \
+            --platform linux/amd64,linux/arm64 \
+            -t ${{ github.sha }} \
+            -t development \
+            --sbom spdx

.github/workflows/ko-build-tag.yaml

@@ -0,0 +1,124 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+name: Publish Tagged Release
+
+on:
+  push:
+    tags:
+      - v*
+
+env:
+  COSIGN_VERSION: v2.5.3
+  HELM_VERSION: v3.18.4
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Tagged Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      app_version: ${{ steps.prepare.outputs.app_version }}
+      chart_name: ${{ steps.prepare.outputs.chart_name }}
+      chart_version: ${{ steps.prepare.outputs.chart_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Prepare versions and chart name
+        id: prepare
+        run: |
+          set -euo pipefail
+          APP_VERSION=$(echo ${{ github.ref_name }} | sed 's/v//g')
+          CHART_NAME="$(yq '.name' charts/*/Chart.yaml)"
+          CHART_VERSION="$(yq '.version' charts/*/Chart.yaml)"
+          {
+            echo "app_version=$APP_VERSION"
+            echo "chart_name=$CHART_NAME"
+            echo "chart_version=$CHART_VERSION"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Setup Ko
+        uses: ko-build/setup-ko@v0.8
+        with:
+          version: v0.17.1
+
+      - name: Build and publish query service image
+        run: |
+          ko build github.com/linuxfoundation/lfx-v2-query-service/cmd \
+            -B \
+            --platform linux/amd64,linux/arm64 \
+            -t ${{ github.ref_name }} \
+            -t ${{ steps.prepare.outputs.app_version }} \
+            -t latest \
+            --sbom spdx
+
+  release-helm-chart:
+    needs: publish
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    outputs:
+      digest: ${{ steps.publish-ghcr.outputs.digest }}
+      image_name: ${{ steps.publish-ghcr.outputs.image_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Publish Chart to GHCR
+        id: publish-ghcr
+        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af # main
+        with:
+          name: ${{ needs.publish.outputs.chart_name }}
+          repository: ${{ github.repository }}/chart
+          chart_version: ${{ needs.publish.outputs.chart_version }}
+          app_version: ${{ needs.publish.outputs.app_version }}
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        with:
+          cosign-release: "${{ env.COSIGN_VERSION }}"
+
+      - name: Login to GitHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the Helm chart in GHCR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          cosign sign --yes '${{ steps.publish-ghcr.outputs.image_name }}@${{ steps.publish-ghcr.outputs.digest }}'
+
+  create-ghcr-helm-provenance:
+    needs:
+      - release-helm-chart
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release-helm-chart.outputs.image_name }}
+      digest: ${{ needs.release-helm-chart.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

charts/lfx-v2-query-service/Chart.yaml

@@ -6,4 +6,4 @@ name: lfx-v2-query-service
 description: LFX Platform V2 Query Service chart
 type: application
 version: 0.1.0
-appVersion: "0.1.0"
+appVersion: "latest"

charts/lfx-v2-query-service/templates/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
   name: query-svc
   namespace: lfx
 spec:
-  replicas: {{ .Values.replicaCount }} 
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       app: query-svc
@@ -18,8 +18,8 @@ spec:
     spec:
       containers:
         - name: app
-          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-          imagePullPolicy: Never
+          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: OPENSEARCH_URL
               value: {{.Values.opensearch.url}}

charts/lfx-v2-query-service/values.yaml

@@ -5,8 +5,9 @@ replicaCount: 1
 
 # Override from CLI/CI: --set image.tag=<git-sha>, etc.
 image:
-  tag: "0.1.0"
-  repository: linuxfoundation/lfx-query-svc
+  repository: ghcr.io/linuxfoundation/lfx-v2-query-service/cmd
+  tag: ""
+  pullPolicy: IfNotPresent
 
 # ingress is the configuration for the ingress routing
 ingress: