workflow updates

.github/workflows/kubectl-shell.yaml

@@ -4,22 +4,37 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - develop
+      - 'develop'
+      - 'release/*'
     paths:
       - 'kubectl-shell/**'
   pull_request:
+    types:
+      - 'opened'
+      - 'reopened'
+      - 'synchronize'
+      - 'ready_for_review'
     branches:
-      - develop
+      - 'develop'
+      - 'release/*'      
     paths:
       - 'kubectl-shell/**'
 
 env:
   DOCKER_HUB_REPO: portainerci/kubectl-shell
-  GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 
 jobs:
   build_images:
+    if: github.event.pull_request.draft == false  
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        config:
+          - { platform: linux, arch: amd64 }
+          - { platform: linux, arch: arm64 }
+          - { platform: linux, arch: arm }
+          - { platform: linux, arch: ppc64le }
     steps:
       - name: "[preparation] checkout"
         uses: actions/[email protected]
@@ -35,51 +50,110 @@ jobs:
         with:
           endpoint: builders
           driver-opts: image=moby/buildkit:v0.16.0
-          platforms: linux/amd64,linux/arm64,linux/arm,linux/ppc64le
 
       - name: "[preparation] docker login"
         uses: docker/[email protected]
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
 
-      - name: "set image tag for pull request"
-        run: |
-          echo "IMAGE_TAG=pr${{ github.event.pull_request.number }}" >> $GITHUB_ENV
-        if: ${{ github.event_name == 'pull_request' }}
-
-      - name: "set image tag for develop"
-        run: |
-          echo "IMAGE_TAG=latest" >> $GITHUB_ENV
-        if: ${{ github.event_name == 'push' }}
+      - name: "[metadata] generate image tags"
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.DOCKER_HUB_REPO }}
 
-      - name: "build and push images"
+      - name: "[build] build and push by digest"
+        id: build
         uses: docker/[email protected]
         with:
-          context: kubectl-shell/ 
-          tags: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}
+          context: kubectl-shell/        
+          platforms: ${{ matrix.config.platform }}/${{ matrix.config.arch }}
           build-args: |
-            KUBERNETES_RELEASE=v1.31.0
-            ALPINE=alpine:latest
             HELM_VERSION=v3.15.4
-          platforms: |
-            linux/amd64
-            linux/arm64
-            linux/arm
-            linux/ppc64le
-          sbom: true
-          provenance: true
-          push: true
-
-      - name: "docker scout scan"
-        id: docker-scout
-        if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/scout-action@v1
+            KUBERNETES_RELEASE=v1.31.0
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.DOCKER_HUB_REPO }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          attests: |
+            type=sbom
+            type=provenance,mode=max
+
+      - name: "[build] export digest"
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"          
+
+      - name: "[build] upload digest"
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.config.platform }}-${{ matrix.config.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  build_manifests:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    needs: [build_images]
+    steps:
+      - name: "[preparation] download digests"
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: "[preparation] setup manifest name"
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            # use the release branch name as the tag for release branches
+            # for instance, release/2.19 becomes 2.19
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
+          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+            # use pr${{ github.event.number }} as the tag for pull requests
+            # for instance, pr123
+            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
+          else
+            # replace / with - in the branch name
+            # for instance, feature/1.0.0 -> feature-1.0.0
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
+          fi
+
+          # export the tag to the environment
+          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}" >> $GITHUB_ENV
+
+      - name: "[metadata] generate image tags"
+        id: meta
+        uses: docker/[email protected]
         with:
-          command: cves
-          image: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}
-          to: portainer/base:latest
-          ignore-unchanged: true
-          only-severities: critical,high
-          write-comment: true
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          images: ${{ env.DOCKER_HUB_REPO }}
+          tags: |
+            type=raw,value=${{ env.CONTAINER_IMAGE_TAG }}
+
+      - name: "[preparation] set up docker context for buildx"
+        run: docker context create builders
+
+      - name: "[preparation] set up docker buildx"
+        uses: docker/[email protected]
+        with:
+          endpoint: builders
+          driver-opts: image=moby/buildkit:v0.16.0
+
+      - name: "[preparation] docker login"
+        uses: docker/[email protected]
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: "[build] create manifest list and push"
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.DOCKER_HUB_REPO }}@sha256:%s ' *)          
+
+      - name: "[validate] inspect image"
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_HUB_REPO }}:${{ steps.meta.outputs.version }}