opendatahub-io
diff --git a/‎.github/workflows/build-and-push-controller-image.yml‎
Lines changed: 102 additions & 0 deletions b/‎.github/workflows/build-and-push-controller-image.yml‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,102 @@
+name: Controller container image build and tag
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+    paths-ignore:
+      - 'LICENSE*'
+      - '**.gitignore'
+      - '**.md'
+      - '**.txt'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/dependabot.yml'
+      - 'docs/**'
+permissions: # set contents: read at top-level, per OpenSSF ScoreCard rule TokenPermissionsID\
+  contents: read
+env:
+  IMG_REGISTRY: ghcr.io
+  IMG_ORG: kubeflow
+  IMG_REPO: model-registry/controller
+  PUSH_IMAGE: true
+  DOCKER_USER: ${{ github.actor }}
+  DOCKER_PWD: ${{ secrets.GITHUB_TOKEN }}
+  PLATFORMS: linux/arm64,linux/amd64
+jobs:
+  build-controller-image:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # anchore/sbom-action for syft
+      contents: write # anchore/sbom-action for syft
+      packages: write
+      id-token: write # cosign
+    steps:
+      # Assign context variable for various action contexts (tag, main, CI)
+      - name: Assigning tag context
+        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
+        run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
+      - name: Assigning main context
+        if: github.head_ref == '' && github.ref == 'refs/heads/main'
+        run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
+      # checkout branch
+      - uses: actions/checkout@v6.0.1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      # set image version
+      - name: Set main-branch environment
+        if: env.BUILD_CONTEXT == 'main'
+        run: |
+          commit_sha=${{ github.event.after }}
+          tag=main-${commit_sha:0:7}
+          echo "VERSION=${tag}" >> $GITHUB_ENV
+      - name: Set tag environment
+        if: env.BUILD_CONTEXT == 'tag'
+        run: |
+          echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+      # docker login
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.IMG_REGISTRY }}
+          username: ${{ env.DOCKER_USER }}
+          password: ${{ env.DOCKER_PWD }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
+          tags: |
+            type=raw,value=${{ env.VERSION }}
+            type=raw,value=latest,enable=${{ env.BUILD_CONTEXT == 'main' }}
+            type=raw,value=main,enable=${{ env.BUILD_CONTEXT == 'main' }}
+      - name: Build and push Docker image
+        id: build-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./cmd/controller/Dockerfile.controller
+          platforms: ${{ env.PLATFORMS }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign image with cosign
+        run: |
+          cosign sign --yes "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
+          format: spdx-json # default, but making sure of the format
+          artifact-name: "controller-${{ env.VERSION }}-sbom.spdx.json"
+          output-file: "controller-${{ env.VERSION }}-sbom.spdx.json" # pin the file to use it later below
+      - name: Attest SBOM to image
+        run: |
+          cosign attest --yes --predicate controller-${{ env.VERSION }}-sbom.spdx.json --type spdxjson "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
@@ -169,7 +169,7 @@ clean/odh:
 	rm -Rf ./model-registry
 
 bin/envtest:
-	GOBIN=$(PROJECT_BIN) ${GO} install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.21
+	GOBIN=$(PROJECT_BIN) ${GO} install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.23
 
 GOLANGCI_LINT ?= ${PROJECT_BIN}/golangci-lint
 bin/golangci-lint: