Feature/tuning

.github/workflows/build.yaml

@@ -18,17 +18,77 @@ on:
             type: boolean
             required: false
             default: false
+    push:
+      branches:
+        - feature/exec
+        - feature/tuning
+
 jobs:
+  prepare:
+    name: Resolve build parameters
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.params.outputs.image_tag }}
+      client: ${{ steps.params.outputs.client }}
+      platforms: ${{ steps.params.outputs.platforms }}
+      cosign: ${{ steps.params.outputs.cosign }}
+    steps:
+      - id: params
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "image_tag=${{ inputs.IMAGE_TAG }}" >> "$GITHUB_OUTPUT"
+            echo "client=${{ inputs.CLIENT }}" >> "$GITHUB_OUTPUT"
+            echo "platforms=${{ inputs.PLATFORMS }}" >> "$GITHUB_OUTPUT"
+            echo "cosign=${{ inputs.CO_SIGN }}" >> "$GITHUB_OUTPUT"
+          else
+            # Push trigger: derive tag from short commit SHA
+            echo "image_tag=dev-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+            echo "client=test" >> "$GITHUB_OUTPUT"
+            echo "platforms=false" >> "$GITHUB_OUTPUT"
+            echo "cosign=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  tag-for-go-module:
+    needs: prepare
+    name: Create Git tag so Go modules can resolve this version
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create git tag matching IMAGE_TAG
+        run: |
+          git tag -f "go/${{ needs.prepare.outputs.image_tag }}"
+          git push origin "go/${{ needs.prepare.outputs.image_tag }}" --force
+
   publish-image:
+    needs: [prepare, tag-for-go-module]
     permissions:
       id-token: write
       packages: write
       contents: read
     uses: ./.github/workflows/publish-image.yaml
     with:
-      client: ${{ inputs.CLIENT }}
-      image_name: "quay.io/${{ github.repository_owner }}/storge"
-      image_tag: ${{ inputs.IMAGE_TAG }}
-      support_platforms: ${{ inputs.PLATFORMS }}
-      cosign: ${{ inputs.CO_SIGN }}
-    secrets: inherit
+      client: ${{ needs.prepare.outputs.client }}
+      image_name: "ghcr.io/${{ github.repository_owner }}/storage"
+      image_tag: ${{ needs.prepare.outputs.image_tag }}
+      support_platforms: ${{ needs.prepare.outputs.platforms == 'true' }}
+      cosign: ${{ needs.prepare.outputs.cosign == 'true' }}
+    secrets: inherit
+
+  trigger-node-agent:
+    needs: [prepare, publish-image]
+    name: Trigger node-agent rebuild with matching tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger node-agent build
+        env:
+          GH_TOKEN: ${{ secrets.CROSS_REPO_PAT }}
+        run: |
+          IMAGE_TAG="${{ needs.prepare.outputs.image_tag }}"
+          echo "Triggering node-agent build with IMAGE_TAG=${IMAGE_TAG} STORAGE_REF=${IMAGE_TAG}"
+          gh workflow run build.yaml \
+            --repo "${{ github.repository_owner }}/node-agent" \
+            --ref ${{ github.ref_name }} \
+            -f IMAGE_TAG="${IMAGE_TAG}" \
+            -f STORAGE_REF="${IMAGE_TAG}"

.github/workflows/manual-integration-tests.yml

@@ -12,13 +12,13 @@ on:
         required: true
         default: 'main'
       node_agent_image:
-        description: 'Node Agent image (e.g. quay.io/kubescape/node-agent:latest)'
+        description: 'Node Agent image (e.g. ghcr.io/k8sstormcenter/node-agent:latest)'
         required: true
-        default: 'quay.io/kubescape/node-agent:latest'
+        default: 'ghcr.io/k8sstormcenter/node-agent:latest'
       storage_image:
         description: 'Storage image (e.g. quay.io/kubescape/storage:latest)'
         required: true
-        default: 'quay.io/kubescape/storage:latest'
+        default: 'ghcr.io/k8sstormcenter/storage:latest'
       extra_helm_set_args:
         description: 'Extra Helm --set arguments (comma-separated, e.g. foo=bar,bar=baz)'
         required: false
@@ -27,6 +27,9 @@ on:
 jobs:
   integration-tests:
     runs-on: ubuntu-large
+    permissions:
+      checks: write
+      pull-requests: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

.github/workflows/pr-created.yaml

@@ -13,6 +13,10 @@ concurrency:
 
 jobs:
   pr-created:
+    permissions:
+      pull-requests: write
+      security-events: write
+      contents: read
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-created.yaml@main
     with:
       CGO_ENABLED: 0

.github/workflows/pr-merged.yaml

@@ -13,7 +13,7 @@ jobs:
     if: ${{ github.event.pull_request.merged == true }} ## Skip if not merged
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-merged.yaml@main
     with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/storage
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/storage
       IMAGE_TAG: v0.0.${{ github.run_number }}
       COMPONENT_NAME: storage
       CGO_ENABLED: 0

.github/workflows/publish-image.yaml

@@ -25,22 +25,22 @@ on:
         type: boolean
         description: 'support amd64/arm64'
 jobs:
-  check-secret:
-    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-    runs-on: ubuntu-latest
-    outputs:
-      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
-    steps:
-      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
-        id: check-secret-set
-        env:
-          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-        run: |
-          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
+  # check-secret:
+  #   name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+  #   steps:
+  #     - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
+  #       id: check-secret-set
+  #       env:
+  #         QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+  #         QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+  #       run: |
+  #         echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> $GITHUB_OUTPUT
   build-image:
-    needs: [check-secret]
-    if: needs.check-secret.outputs.is-secret-set == 'true'
+    # needs: [check-secret]
+    # if: needs.check-secret.outputs.is-secret-set == 'true'
     name: Build image and upload to registry
     runs-on: ubuntu-latest
     steps:
@@ -51,24 +51,25 @@ jobs:
         uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2
-      - name: Login to Quay.io
-        env:
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push image
         if: ${{ inputs.support_platforms }}
         run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push --platform linux/amd64,linux/arm64
       - name: Build and push image without amd64/arm64 support
         if: ${{ !inputs.support_platforms }}
         run: docker buildx build . --file build/Dockerfile --tag ${{ inputs.image_name }}:${{ inputs.image_tag }} --tag ${{ inputs.image_name }}:latest --build-arg image_version=${{ inputs.image_tag }} --build-arg client=${{ inputs.client }} --push
-      - name: Install cosign
-        uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # ratchet:sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.12.0'
-      - name: sign kubescape container image
-        if: ${{ inputs.cosign }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign --force ${{ inputs.image_name }}
+      # - name: Install cosign
+      #   uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # ratchet:sigstore/cosign-installer@main
+      #   with:
+      #     cosign-release: 'v3.0.4'
+      # - name: sign kubescape container image
+      #   if: ${{ inputs.cosign }}
+      #   env:
+      #     COSIGN_EXPERIMENTAL: "true"
+      #   run: |
+      #     cosign sign --force ${{ inputs.image_name }}

.gitignore

@@ -3,4 +3,16 @@ vendor/*
 artifacts/simple-image/storage-apiserver
 artifacts/simple-image/kube-sample-apiserver
 logs-*/*
-tmp/*
+tmp/*
+
+# Integration test artifacts
+tests/integration-test-suite/junit-*.xml
+tests/integration-test-suite/log-*.txt
+tests/integration-test-suite/integration-test-suite.test
+
+# TODO: Fix upstream - these test files import containerwatcher/v1 which was
+# renamed to containerprofilemanager/v1 in node-agent. Until the upstream
+# integration test suite is updated, local builds require patching these imports.
+tests/integration-test-suite/case_*_test.go
+tests/integration-test-suite/go.mod
+tests/integration-test-suite/go.sum

Makefile

@@ -2,7 +2,7 @@ DOCKERFILE_PATH=./build/Dockerfile
 BINARY_NAME=storage
 
 TAG?=test
-IMAGE?=quay.io/kubescape/$(BINARY_NAME)
+IMAGE?=ghcr.io/k8sstormcenter/$(BINARY_NAME)
 
 
 build: