add ko build actions

.github/actions/build_apko/action.yml

@@ -0,0 +1,56 @@
+name: Build apko image
+description: Build an apko image based on a supplied .yaml file
+
+inputs:
+  apkoConfig:
+    description: "Path to the apko .yaml config file. If left empty, all images will be built."
+    required: false
+  registry:
+    description: "Container registry to use"
+    default: "ghcr.io"
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+
+# Linux runner only (Docker required)
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to the Container registry
+      id: docker-login
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
+    - name: Build apko images
+      shell: bash
+      run: |
+        # TODO: replace with apko publish
+        if [ -z "${{ inputs.apkoConfig }}" ]; then
+          echo "Building all images in image"
+          for imageConfig in image/apko/*.yaml; do
+            echo "Building image for $imageConfig"
+
+            imageName=$(basename $imageConfig | cut -d. -f1 )
+            registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+            outTar=$imageName.tar
+
+            docker run -v "$PWD":/work cgr.dev/chainguard/apko build $imageConfig $registry $outTar
+            docker load < $outTar
+            docker push $registry
+
+          done
+        else
+          echo "Building image for ${{ inputs.apkoConfig }}"
+
+          imageName=$(basename ${{ inputs.apkoConfig }} | cut -d. -f1 )
+          registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+          outTar=$imageName.tar
+
+          docker run -v "$PWD":/work cgr.dev/chainguard/apko build ${{ inputs.apkoConfig }} $registry $outTar
+          docker load < $outTar
+          docker push $registry
+        fi

.github/actions/build_ko/action.yml

@@ -0,0 +1,111 @@
+name: Build micro service using Ko
+description: Build and upload a go micro service using ko
+inputs:
+  name:
+    description: "Name of the micro-service"
+    required: true
+  registry:
+    description: "Name of the registry to use"
+    required: false
+    default: "ghcr.io"
+  pseudoVersion:
+    description: "Check if pseudo-version should be generated"
+    default: "false"
+    required: true
+  koConfig:
+    description: "Path to the .ko.yaml config file"
+    required: false
+    default: ".ko.yaml"
+  koTarget:
+    description: "Go package to build with ko"
+    required: true
+  pushTag:
+    description: "Use this image tag"
+    required: false
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
+
+outputs:
+  container_full:
+    description: "Full container reference"
+    value: ${{ steps.build.container_full }}
+  container_image:
+    description: "Container image"
+    value: ${{ steps.build.outputs.container_image }}
+  container_tag:
+    description: "Container tag"
+    value: ${{ steps.build.container_tag }}
+
+
+# Linux runner only
+runs:
+  using: "composite"
+  steps:
+    - name: Determine pseudo version
+      if: ${{ inputs.pseudoVersion == 'true' }}
+      id: pseudo-version
+      uses: ./.github/actions/pseudo_version
+
+    - name: Set up ko
+      uses: imjasonh/setup-ko@v0.6
+
+    - name: Build and upload ko container image
+      shell: bash
+      id: build
+      env:
+        KO_USER: ${{ github.actor }}
+        KO_CONFIG_PATH: ${{ inputs.koConfig }}
+        KO_PASSWORD: ${{ inputs.githubToken }}
+        KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
+      run: |
+        tags=""
+        sbom=""
+
+        if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
+          tags="latest"
+        else:
+          tags="${{ github.sha }}"
+        fi
+
+        if [ -n "${{ inputs.pushTag }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ inputs.pushTag }}"
+          else
+            tags="${{ inputs.pushTag }}"
+          fi
+        fi
+
+        if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          else
+            tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          fi
+        fi
+
+        if [ "${{ inputs.generateKoSBOM }}" == "false" ]; then
+          sbom="--sbom=none"
+        fi
+
+        container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
+        container_image=$(echo $container_full | cut -d@ -f1)
+        container_tag=$(echo $container_full | cut -d: -f2)
+
+        cat <<EOF > container_data_ko.json
+        {
+          "container_full": "${container_full}",
+          "container_image": "${container_image}",
+          "container_tag": "${container_tag}"
+        }
+        EOF
+
+    - name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact
+      uses: actions/upload-artifact@v2
+      with:
+        name: container_data_ko
+        path: container_data_ko.json

.github/actions/build_micro_service_ko/action.yml

@@ -0,0 +1,78 @@
+name: Build micro service (KO)
+description: Build and upload a container image for a Constellation micro-service
+inputs:
+  name:
+    description: "Name of the micro-service"
+    required: true
+  koConfig:
+    description: "Path to the .ko.yaml config file"
+    default: ".ko.yaml"
+    required: false
+  pseudoVersion:
+    description: "Check if pseudo-version should be generated"
+    default: "false"
+    required: true
+  koTarget:
+    description: "Go package to build with ko"
+    required: true
+  pushTag:
+    description: "Use this image tag"
+    required: false
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
+  cosignPublicKey:
+    description: "Cosign public key"
+    required: false
+  cosignPrivateKey:
+    description: "Cosign private key"
+    required: false
+  cosignPassword:
+    description: "Password for Cosign private key"
+    required: false
+
+# Linux runner only
+runs:
+  using: "composite"
+  steps:
+    - name: Determine pseudo version
+      #if: ${{ inputs.pseudoVersion == 'true' }}
+      if: ${{ failure() }}
+      uses: ./.github/actions/pseudo_version
+      with:
+        constellationPath: ${{ inputs.constellationPath }}
+
+    - name: Build and upload container image
+      id: build-and-upload
+      uses: ./.github/actions/build_ko
+      with:
+        name: ${{ inputs.name }}
+        koConfig: ${{ inputs.koConfig }}
+        pseudoVersion: ${{ inputs.pseudoVersion }}
+        koTarget: ${{ inputs.koTarget }}
+        githubToken: ${{ inputs.GITHUB_TOKEN }}
+        pushTag: ci-test
+
+    - name: Download ko Container Data
+      id: download_container_data
+      uses: actions/download-artifact@v2
+      with:
+        name: container_data_ko
+        path: CONTAINER_DATA_KO
+    - shell: bash
+      run: |
+        container_full=$(jq -r .container_full < container_data_ko.json)
+        echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
+
+    - name: Generate SBOM
+      uses: ./.github/actions/container_sbom
+      with:
+        containerReference: ${{ env.CONTAINER_FULL }}
+        cosignPublicKey: ${{ inputs.cosignPublicKey }}
+        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
+        cosignPassword: ${{ inputs.cosignPassword }}
+      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' }}