Move image-detector jobs to github workflow (#11980)

* Move image-detetcor jobs to github workflow

* Fix github actions variable config

.github/workflows/push-update-security-config.yaml

@@ -0,0 +1,56 @@
+name: push-update-security-config
+
+on:
+  schedule:
+    - cron: 0 8 * * *
+  push:
+    branches:
+      - main
+    paths:
+      - '**/*.md'
+      - '**/*.yml'
+      - '**/*.yaml'
+      - '**/*.tf'
+      - '**/*.tfvars'
+
+jobs:
+  autobump:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT token
+      contents: read # This is required for actions/checkout
+    concurrency:
+      group: post-test-infra-image-detector-autobump
+      cancel-in-progress: false
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Authenticate in GCP
+        id: 'auth'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
+
+      - name: Get kyma bot token from Secret Manager
+        id: 'secrets'
+        uses: 'google-github-actions/get-secretmanager-secrets@v2'
+        with:
+          secrets: |-
+            kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }}
+
+      - name: Store Github Token for autobumper
+        run: echo ${{ steps.secrets.outputs.kyma-autobump-token }} > /etc/github/token
+
+      - name: Find images to scan
+        run: |
+          docker run \
+            -v /etc/github/token:/etc/github/token:ro
+            europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:v20240924-a3a85f88 \
+            --terraform-dir=configs/terraform \
+            --sec-scanner-config=sec-scanners-config.yaml \
+            --autobump-config=configs/autobump-config/test-infra-sec-config-autobump-config.yaml
+
+
+      
+

configs/terraform/environments/prod/kyma-bots-secrets-variables.tf

@@ -9,6 +9,13 @@ variable "kyma_autobump_bot_github_token_secret_name" {
   default     = "kyma-autobump-bot-github-token"
 }
 
+# TODO(kacpermalachowski): Rename to kyma_autobump_bot_github_token_secret_name after Prow removal
+variable "kyma_autobump_bot_github_token_sm_secret_name" {
+  type        = string
+  description = "Name of the kyma-autobump-bot-github-token secret in the Google's Secret Manager. This secret is used by automatic bumpers to interact with GitHub."
+  default     = "workloads_default_kyma-autobump-bot-github-token"
+}
+
 variable "kyma_bot_github_sap_token_secret_name" {
   type        = string
   description = "Name of the kyma-bot-github-sap-token secret. This is used by automation to interact with SAP GitHub instance."

configs/terraform/environments/prod/kyma-bots-secrets.tf

@@ -66,3 +66,11 @@ resource "kubernetes_cluster_role_binding" "access_kyma_bot_github_tokens_untrus
     name      = var.external_secrets_k8s_sa_trusted_cluster.name
   }
 }
+
+# 
+resource "github_actions_variable" "kyma_autobump_bot_github_token_secret_name" {
+  provider = github.kyma_project
+  repository = data.github_repository.test_infra.full_name
+  variable_name = "KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME"
+  value = var.kyma_autobump_bot_github_token_sm_secret_name
+}

prow/jobs/kyma-project/test-infra/prow-periodics.yaml

@@ -31,41 +31,6 @@ postsubmits: # runs on main
             args:
               - "--config=configs/autobump-config/test-infra-markdown-index-autobump-config.yaml"
               - "--labels-override=kind/chore,area/documentation"
-    - name: post-test-infra-image-detector-autobump
-      annotations:
-        description: "autobump prow images for scan"
-        owner: "neighbors"
-      labels:
-        prow.k8s.io/pubsub.project: "sap-kyma-prow"
-        prow.k8s.io/pubsub.runID: "post-test-infra-image-detector-autobump"
-        prow.k8s.io/pubsub.topic: "prowjobs"
-        preset-autobump-bot-github-token: "true"
-      run_if_changed: '.(md|yml|yaml|tf|tfvars)$'
-      skip_report: false
-      cluster: trusted-workload
-      max_concurrency: 10
-      branches:
-        - ^main$
-      reporter_config:
-        slack:
-          channel: kyma-neighbors-alerts
-      spec:
-        containers:
-          - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:v20240924-a3a85f88"
-            securityContext:
-              privileged: false
-              seccompProfile:
-                type: RuntimeDefault
-              allowPrivilegeEscalation: false
-            command:
-              - "/ko-app/image-detector"
-            args:
-              - "--prow-config=prow/config.yaml"
-              - "--prow-jobs-dir=prow/jobs"
-              - "--terraform-dir=configs/terraform"
-              - "--sec-scanner-config=sec-scanners-config.yaml"
-              - "--kubernetes-dir=prow/cluster/components"
-              - "--autobump-config=configs/autobump-config/test-infra-sec-config-autobump-config.yaml"
     - name: post-test-infra-deploy-prow
       annotations:
         description: "Deploy prow components"
@@ -130,43 +95,6 @@ periodics: # runs on schedule
             args:
               - "--config=configs/autobump-config/prow-cluster-autobump-config.yaml"
               - "--labels-override=kind/chore,area/prow"
-    - name: test-infra-image-detector-autobump
-      annotations:
-        description: "daily detect prow images for scan"
-        owner: "neighbors"
-      labels:
-        prow.k8s.io/pubsub.project: "sap-kyma-prow"
-        prow.k8s.io/pubsub.runID: "test-infra-image-detector-autobump"
-        prow.k8s.io/pubsub.topic: "prowjobs"
-        preset-autobump-bot-github-token: "true"
-      cron: "0 8 * * *"
-      skip_report: false
-      decorate: true
-      cluster: trusted-workload
-      extra_refs:
-        - org: kyma-project
-          repo: test-infra
-          base_ref: main
-      reporter_config:
-        slack:
-          channel: kyma-neighbors-alerts
-      spec:
-        containers:
-          - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:v20240924-a3a85f88"
-            securityContext:
-              privileged: false
-              seccompProfile:
-                type: RuntimeDefault
-              allowPrivilegeEscalation: false
-            command:
-              - "/ko-app/image-detector"
-            args:
-              - "--prow-config=prow/config.yaml"
-              - "--prow-jobs-dir=prow/jobs"
-              - "--terraform-dir=configs/terraform"
-              - "--sec-scanner-config=sec-scanners-config.yaml"
-              - "--kubernetes-dir=prow/cluster/components"
-              - "--autobump-config=configs/autobump-config/test-infra-sec-config-autobump-config.yaml"
     - name: ci-prow-autobump-jobs
       annotations:
         description: "Autobump image versions in prow jobs"