redhat-et · maryamtahhan · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      day: monday
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -1,45 +1,85 @@
-name: Build AF_XDP Device Plugin Image
+name: image
 
-on:
+on: # yamllint disable-line rule:truthy
   push:
-    branches: [ "main" ]
+    branches:
+      - main
+    paths:
+      - .github/workflows/build-image.yml
+      - ./images/amd64.dockerfile
   pull_request:
-    paths: [.github/workflows/build-image.yml]
+    paths:
+      - .github/workflows/build-image.yml
+      - ./images/amd64.dockerfile
+  workflow_dispatch:
 
 jobs:
-
-  build:
+  image_build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      packages: write
     strategy:
       fail-fast: false
       matrix:
         include:
-          - registry: quay.io
-            organization: afxdp-plugins-for-kubernetes
-            image: afxdp-device-plugin
-            dockerfile: ./images/amd64.dockerfile
-            context: .
-            tags: 'latest'
+          - IMAGE_NAME: afxdp-dp-plugin
+            IMAGE_FILE: ./images/amd64.dockerfile
+            PLATFORMS: linux/amd64
+            LABEL: latest
 
     steps:
-     - uses: actions/checkout@v4
-
-     - name: Set up Docker Buildx
-       uses: docker/setup-buildx-action@v3
-
-     - name: Login to quay.io
-       uses: docker/login-action@v3
-       with:
-          registry: ${{matrix.registry}}/${{matrix.organization}}
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-
-     - name: Build and push image
-       uses: docker/build-push-action@v5
-       with:
-          push: true
-          tags: ${{matrix.registry}}/${{matrix.organization}}/${{matrix.image}}:${{matrix.tags}}
-          labels: 'latest'
-          file: ${{ matrix.dockerfile }}
-          build-args: ${{ matrix.build_args }}
-          context: ${{ matrix.context }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # NOTE:  setting fetch-depth to 0 to retrieve the entire history
+          # instead of a shallow-clone so that all tags are fetched as well.
+          # This is necessary for computing the VERSION using `git describe`
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v8.1.5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Login to Quay
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io/afxdp-plugins-for-kubernete
+          username: ${{ secrets.quay_username }}
+          password: ${{ secrets.quay_robot_token }}
+
+      - name: Build and (conditionally) push image
+        id: build-push-image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: ${{ matrix.PLATFORMS }}
+          push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+          tags: quay.io/afxdp-plugins-for-kubernete/${{ matrix.IMAGE_NAME }}:${{ matrix.LABEL }}
+          labels: ${{ matrix.LABEL }}
+          build-args: ${{matrix.BUILD_ARGS}}
+          file: ${{ matrix.IMAGE_FILE }}
+
+      - name: Sign images with GitHub OIDC Token
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        run: |
+          cosign sign -y quay.io/afxdp-plugins-for-kubernete/${{ matrix.IMAGE_NAME }}:${{ matrix.LABEL }}@${{ steps.build-push-image.outputs.digest }}
+
+      - name: Generate image attestation
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: quay.io/afxdp-plugins-for-kubernete/${{ matrix.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-push-image.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/internal-ci.yml b/.github/workflows/internal-ci.yml