clean up jobs (#14)

Author: cpanato

.github/ISSUE_TEMPLATE/bug_report.md

@@ -17,21 +17,21 @@ Steps to reproduce the behavior:
 2. ...
 
 **Additional Information**
- - Dockerfile 
+ - Dockerfile
    Please provide either the Dockerfile you're trying to build or one that can reproduce this error.
  - Build Context
    Please provide or clearly describe any files needed to build the Dockerfile (ADD/COPY commands)
  - Kaniko Image (fully qualified with digest)
- 
+
  **Triage Notes for the Maintainers**
  <!-- 🎉🎉🎉 Thank you for an opening an issue !!! 🎉🎉🎉
 We are doing our best to get to this. Please help us by helping us prioritize your issue by filling the section below -->
 
- 
+
  | **Description** | **Yes/No** |
  |----------------|---------------|
  | Please check if this a new feature you are proposing        | <ul><li>- [ ] </li></ul>|
- | Please check if the build works in docker but not in kaniko | <ul><li>- [ ] </li></ul>| 
+ | Please check if the build works in docker but not in kaniko | <ul><li>- [ ] </li></ul>|
  | Please check if this error is seen when you use `--cache` flag | <ul><li>- [ ] </li></ul>|
- | Please check if your dockerfile is a multistage dockerfile | <ul><li>- [ ] </li></ul>| 
- 
+ | Please check if your dockerfile is a multistage dockerfile | <ul><li>- [ ] </li></ul>|
+

.github/dependabot.yml

@@ -1,14 +1,17 @@
+---
 version: 2
 updates:
-- package-ecosystem: gomod
-  directory: /
-  schedule:
-    interval: daily
-- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: /deploy
-  schedule:
-    interval: weekly
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /deploy
+    schedule:
+      interval: daily

.github/pull_request_template.md

@@ -21,7 +21,7 @@ _See [the contribution guide](../CONTRIBUTING.md) for more details._
 
 **Reviewer Notes**
 
-- [ ] The code flow looks good. 
+- [ ] The code flow looks good.
 - [ ] Unit tests and or integration tests added.
 
 

.github/workflows/images.yaml

@@ -22,121 +22,128 @@ jobs:
       # want an image built and tagged for each commit.
       group: build-images-${{ matrix.image }}-${{ github.head_ref || github.sha }}
       cancel-in-progress: true
+
     permissions:
       contents: read  # Read the repo contents.
       id-token: write # Produce identity token for keyless signing.
+
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         image:
-        - executor
-        - executor-debug
-        - executor-slim
-        - warmer
+          - executor
+          - executor-debug
+          - executor-slim
+          - warmer
 
         include:
-        - image: executor
-          target: kaniko-executor
-          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
-          image-name: gcr.io/kaniko-project/executor
-          tag: ${{ github.sha }}
-          release-tag: latest
-
-        - image: executor-debug
-          target: kaniko-debug
-          platforms: linux/amd64,linux/arm64,linux/s390x
-          image-name: gcr.io/kaniko-project/executor
-          tag: ${{ github.sha }}-debug
-          release-tag: debug
-
-        - image: executor-slim
-          target: kaniko-slim
-          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
-          image-name: gcr.io/kaniko-project/executor
-          tag: ${{ github.sha }}-slim
-          release-tag: slim
-
-        - image: warmer
-          target: kaniko-warmer
-          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
-          image-name: gcr.io/kaniko-project/warmer
-          tag: ${{ github.sha }}
-          release-tag: latest
+          - image: executor
+            target: kaniko-executor
+            platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+            image-name: gcr.io/kaniko-project/executor
+            tag: ${{ github.sha }}
+            release-tag: latest
+
+          - image: executor-debug
+            target: kaniko-debug
+            platforms: linux/amd64,linux/arm64,linux/s390x
+            image-name: gcr.io/kaniko-project/executor
+            tag: ${{ github.sha }}-debug
+            release-tag: debug
+
+          - image: executor-slim
+            target: kaniko-slim
+            platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+            image-name: gcr.io/kaniko-project/executor
+            tag: ${{ github.sha }}-slim
+            release-tag: slim
+
+          - image: warmer
+            target: kaniko-warmer
+            platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+            image-name: gcr.io/kaniko-project/warmer
+            tag: ${{ github.sha }}
+            release-tag: latest
 
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-    # Setup auth if not a PR.
-    - if: github.event_name != 'pull_request'
-      uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
-      with:
-        credentials_json: '${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}'
-        export_environment_variables: true
-        create_credentials_file: true
-    - if: github.event_name != 'pull_request'
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
-    - if: github.event_name != 'pull_request'
-      run: gcloud auth configure-docker
-
-    # Don't build for all platforms on PRs.
-    - id: platforms
-      run: |
-        event="${{ github.event_name }}"
-        if [[ "$event" == "pull_request" ]]; then
-          echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
-        else
-          platforms="${{ matrix.platforms }}"
-          echo "platforms=${platforms}" >> $GITHUB_OUTPUT
-        fi
-    # Build and push with Docker.
-    - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      with:
-        platforms: ${{ matrix.platforms }}
-    - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-    - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-      id: build-and-push
-      with:
-        context: .
-        file: ./deploy/Dockerfile
-        platforms: ${{ steps.platforms.outputs.platforms }}
-        push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
-        tags: ${{ matrix.image-name }}:${{ matrix.tag }}
-        no-cache-filters: certs
-        # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-        target: ${{ matrix.target }}
-
-    # Sign images if not a PR.
-    - if: github.event_name != 'pull_request'
-      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-    - if: github.event_name != 'pull_request'
-      run: |
-        cosign sign --yes \
-            --key gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
-            ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
-        cosign sign --yes \
-            ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
-
-    # If a tag push, use crane to add more tags.
-    - if: startsWith(github.ref, 'refs/tags/v')
-      uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
-    - if: startsWith(github.ref, 'refs/tags/v')
-      name: Apply release tags
-      run: |
-        tag=${GITHUB_REF/refs\/tags\//}
-
-        # Tag :latest, :debug, :slim
-        crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
-            ${{ matrix.image-name }}:${{ matrix.release-tag }}
-
-        if [[ "${{ matrix.release-tag }}" == "latest" ]]; then
-          # Tag :latest images as :v1.X.Y
-          crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
-              ${{ matrix.image-name }}:${tag}
-        else
-          # Or tag :v1.X.Y-debug and :v1.X.Y-slim
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Setup auth if not a PR.
+      - if: github.event_name != 'pull_request'
+        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        with:
+          credentials_json: '${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}'
+          export_environment_variables: true
+          create_credentials_file: true
+      - if: github.event_name != 'pull_request'
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      - if: github.event_name != 'pull_request'
+        run: gcloud auth configure-docker
+
+      # Don't build for all platforms on PRs.
+      - id: platforms
+        run: |
+          event="${{ github.event_name }}"
+          if [[ "$event" == "pull_request" ]]; then
+            echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
+          else
+            platforms="${{ matrix.platforms }}"
+            echo "platforms=${platforms}" >> $GITHUB_OUTPUT
+          fi
+      # Build and push with Docker.
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: ${{ matrix.platforms }}
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        id: build-and-push
+        with:
+          context: .
+          file: ./deploy/Dockerfile
+          platforms: ${{ steps.platforms.outputs.platforms }}
+          push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
+          tags: ${{ matrix.image-name }}:${{ matrix.tag }}
+          no-cache-filters: certs
+          # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          target: ${{ matrix.target }}
+
+      # Sign images if not a PR.
+      - if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      - if: github.event_name != 'pull_request'
+        run: |
+          cosign sign --yes \
+              --key gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
+              ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
+          cosign sign --yes \
+              ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
+
+      # If a tag push, use crane to add more tags.
+      - if: startsWith(github.ref, 'refs/tags/v')
+        uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
+      - if: startsWith(github.ref, 'refs/tags/v')
+        name: Apply release tags
+        run: |
+          tag=${GITHUB_REF/refs\/tags\//}
+
+          # Tag :latest, :debug, :slim
           crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
-              ${{ matrix.image-name }}:${tag}-${{ matrix.release-tag }}
-        fi
+              ${{ matrix.image-name }}:${{ matrix.release-tag }}
+
+          if [[ "${{ matrix.release-tag }}" == "latest" ]]; then
+            # Tag :latest images as :v1.X.Y
+            crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
+                ${{ matrix.image-name }}:${tag}
+          else
+            # Or tag :v1.X.Y-debug and :v1.X.Y-slim
+            crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
+                ${{ matrix.image-name }}:${tag}-${{ matrix.release-tag }}
+          fi

.github/workflows/integration-tests.yaml

@@ -21,6 +21,7 @@ jobs:
       IMAGE_REPO: 'localhost:5000'
       REGISTRY: 'localhost:5000'
       DOCKER_BUILDKIT: '0'
+
     strategy:
       fail-fast: false
       matrix:
@@ -31,20 +32,28 @@ jobs:
         - k8s-executor-build-push integration-test-k8s
 
     steps:
-    - name: Maximize build space
-      uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5
-      with:
-        remove-android: 'true'
-        remove-dotnet: 'true'
-        remove-haskell: 'true'
-
-    - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: '1.24'
-        check-latest: true
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-    - run: make install-container-diff k3s-setup
-    - run: make ${{ matrix.make-target }}
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5
+        with:
+          remove-android: 'true'
+          remove-dotnet: 'true'
+          remove-haskell: 'true'
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.24'
+          check-latest: true
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - run: make install-container-diff k3s-setup
+      - run: make ${{ matrix.make-target }}