
Use prow/GCB for automated image builds rather than GitHub Actions #2

Closed
kahirokunn wants to merge 1 commit into main from kahiro/official-image-publishing

kahirokunn commented Apr 16, 2026

Summary

Switch the plugin image release pipeline from a GitHub Actions workflow that pushed to GHCR over to the standard k8s SIG release path (GCB postsubmit → k8s-staging-images → kpromo → registry.k8s.io).

Changes

  • Add cloudbuild.yaml invoked by the test-infra postsubmit.
  • Add make release-staging target that builds/pushes every plugins/*/cmd/plugin via the existing docker-buildx target.
  • Remove .github/workflows/release.yml.
  • Rewrite RELEASE.md and add .github/ISSUE_TEMPLATE/NEW_RELEASE.md to describe the new tag → staging → promote flow.

Related PRs

A follow-up PR will add the promotion manifest under registry.k8s.io/images/k8s-staging-cluster-inventory-api/.

Verification

Verified release-staging against a personal GHCR namespace:

$ make release-staging \
    REGISTRY=ghcr.io/kahirokunn/cluster-inventory-api \
    VERSION=test-$(date +%Y%m%d-%H%M%S) \
    PLATFORMS=linux/amd64
docker buildx build -f hack/Dockerfile.plugin \
		--build-arg PLUGIN_NAME=kubeconfig-secretreader \
		--platform=linux/amd64 \
		-t ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20260417-154304 \
		--push \
		--attest type=provenance,mode=max \
		--attest type=sbom \
		.
[+] Building 7.2s (17/17) FINISHED                                                    docker:desktop-linux
 => [internal] load build definition from Dockerfile.plugin                                           0.0s
 => => transferring dockerfile: 1.54kB                                                                0.0s
 => resolve image config for docker-image://docker.io/docker/buildkit-syft-scanner:stable-1           0.5s
 => [internal] load metadata for docker.io/library/golang:1.25                                        0.5s
 => [internal] load .dockerignore                                                                     0.0s
 => => transferring context: 222B                                                                     0.0s
 => [builder 1/7] FROM docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d  0.0s
 => => resolve docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d48d15d09  0.0s
 => docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                                    0.5s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                        0.5s
 => [internal] load build context                                                                     0.1s
 => => transferring context: 155.71kB                                                                 0.1s
 => CACHED [builder 2/7] WORKDIR /src                                                                 0.0s
 => CACHED [builder 3/7] COPY go.mod go.sum ./                                                        0.0s
 => CACHED [builder 4/7] RUN go mod download                                                          0.0s
 => CACHED [builder 5/7] COPY . .                                                                     0.0s
 => CACHED [builder 6/7] RUN mkdir -p /out/bin && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build  -t  0.0s
 => CACHED [builder 7/7] RUN chmod 0555 /out/bin/kubeconfig-secretreader-plugin                       0.0s
 => CACHED [stage-1 1/1] COPY --from=builder /out/ /                                                  0.0s
 => CACHED [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1        0.0s
 => exporting to image                                                                                5.7s
 => => exporting layers                                                                               0.0s
 => => exporting manifest sha256:3e923a6543ce1b56a5c14d15541ba474bb1982dbdeca0582bf2698f581a3998f     0.0s
 => => exporting config sha256:820353ffad46fb0fc7cf29c34804879f5772da92152e3efaed0fe6c02b8c9cb1       0.0s
 => => exporting attestation manifest sha256:1d2f59efd4cd1e47896c7607ef72c016e6c021c1d2265a3942eef0e  0.0s
 => => exporting manifest list sha256:925e48a3e429016e5fe24ce53ab0db2af23236abd366be31e29738bd22b402  0.0s
 => => naming to ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20260417-1543  0.0s
 => => pushing layers                                                                                 3.8s
 => => pushing manifest for ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20  1.9s
 => [auth] kahirokunn/cluster-inventory-api/kubeconfig-secretreader:pull,push token for ghcr.io       0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/ia0yna8fgrf3putgk5qu51h08
docker buildx build -f hack/Dockerfile.plugin \
		--build-arg PLUGIN_NAME=secretreader \
		--platform=linux/amd64 \
		-t ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-154304 \
		--push \
		--attest type=provenance,mode=max \
		--attest type=sbom \
		.
[+] Building 54.9s (17/17) FINISHED                                                   docker:desktop-linux
 => [internal] load build definition from Dockerfile.plugin                                           0.0s
 => => transferring dockerfile: 1.54kB                                                                0.0s
 => resolve image config for docker-image://docker.io/docker/buildkit-syft-scanner:stable-1           0.3s
 => [internal] load metadata for docker.io/library/golang:1.25                                        0.4s
 => [internal] load .dockerignore                                                                     0.0s
 => => transferring context: 222B                                                                     0.0s
 => [builder 1/7] FROM docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d  0.0s
 => => resolve docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d48d15d09  0.0s
 => CACHED docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                             0.2s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                        0.2s
 => [internal] load build context                                                                     0.1s
 => => transferring context: 155.71kB                                                                 0.1s
 => CACHED [builder 2/7] WORKDIR /src                                                                 0.0s
 => CACHED [builder 3/7] COPY go.mod go.sum ./                                                        0.0s
 => [builder 4/7] RUN go mod download                                                                11.3s
 => [builder 5/7] COPY . .                                                                            0.4s
 => [builder 6/7] RUN mkdir -p /out/bin && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build  -trimpat  35.2s
 => [builder 7/7] RUN chmod 0555 /out/bin/secretreader-plugin                                         0.2s
 => [stage-1 1/1] COPY --from=builder /out/ /                                                         0.0s
 => [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1               0.6s
 => exporting to image                                                                                6.3s
 => => exporting layers                                                                               0.5s
 => => exporting manifest sha256:19063605ba1ac5b7e8dcdb704ce3366f91e214603cd7257fd6a2aabd747dfb09     0.0s
 => => exporting config sha256:7a668ee52e2686acfeea2faa775bce0ac3da73d62fb51e1077f40f3fad3d2e71       0.0s
 => => exporting attestation manifest sha256:87220a27cdb14faf629180974b28f688633c86bd0e4e24a853fcf9c  0.0s
 => => exporting manifest list sha256:985a0d8770b8b473cdcbc407b0a9b08e1fa54f21ac2652d427b4b1135d6377  0.0s
 => => naming to ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-154304           0.0s
 => => pushing layers                                                                                 3.7s
 => => pushing manifest for ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-1543  1.9s
 => [auth] kahirokunn/cluster-inventory-api/secretreader:pull,push token for ghcr.io                  0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/y8sqyit991o0oqlcw6yk3v2yi
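
Added example (not part of the PR or the project's code): promotion manifests map image digests to tags, and the terminal log above cuts most digests off at the column width. The sketch below runs on constructed log lines with made-up digests, picks out the manifest-list digest, and refuses to emit an entry from a truncated one; the `name`/`dmap` entry layout, the tag and the function names are assumptions, not taken from this page.

```python
import re

FULL = "sha256:" + "ab" * 32       # constructed, complete (64 hex chars)
TRUNCATED = "sha256:" + "cd" * 31  # constructed, cut off like the log above

# Constructed lines in the shape buildx prints; not output from a real build.
SAMPLE_LOG = (
    f" => => exporting manifest list {TRUNCATED}  0.0s\n"
    f" => => exporting manifest list {FULL}  0.0s\n"
)

LIST_RE = re.compile(r"exporting manifest list (sha256:[0-9a-f]+)")
FULL_RE = re.compile(r"sha256:[0-9a-f]{64}")
NAME_RE = re.compile(r"[a-z0-9]+(?:[._/-][a-z0-9]+)*")
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}")


def manifest_list_digests(log):
    """Return (digest, is_complete) for each 'exporting manifest list' line.

    With --attest the tag points at an index holding the image manifest and
    the attestation manifest, so the index digest is the one to carry forward.
    """
    return [(d, FULL_RE.fullmatch(d) is not None) for d in LIST_RE.findall(log)]


def promotion_entry(name, digest, tag):
    """Render one digest-to-tags entry (assumed layout); reject partial input."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"not a valid image name: {name!r}")
    if not FULL_RE.fullmatch(digest):
        raise ValueError(f"not a full sha256 digest: {digest!r}")
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"not a valid image tag: {tag!r}")
    return f'- name: {name}\n  dmap:\n    "{digest}": ["{tag}"]\n'


if __name__ == "__main__":
    for digest, complete in manifest_list_digests(SAMPLE_LOG):
        if complete:
            print(promotion_entry("secretreader", digest, "v0.0.0-example"), end="")
        else:
            print(f"skipped truncated digest: {digest}")
```

For a real release, read the digest back from the staging registry rather than from scrollback, since a truncated value cannot be completed by hand.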

kahirokunn force-pushed the kahiro/official-image-publishing branch 4 times, most recently from b4811a3 to 0debfed, April 16, 2026 08:56
kahirokunn changed the title from "release: adopt Kubernetes image promotion flow" to "Use prow/GCB for automated image builds rather than GitHub Actions", Apr 16, 2026
kahirokunn force-pushed the kahiro/official-image-publishing branch 4 times, most recently from 6210e94 to 0884b3b, April 17, 2026 05:35
kahirokunn requested a review from Copilot, April 17, 2026 06:38

Copilot AI left a comment

Pull request overview

Moves automated image builds away from GitHub Actions and toward Kubernetes test-infra (prow/GCB), updating the release process accordingly.

Changes:

  • Add a cloudbuild.yaml that runs make release-staging to build/push multi-arch plugin images to the k8s staging registry.
  • Add a release-staging Makefile target to build/push all plugin images in a loop.
  • Update release documentation and add a GitHub issue template; remove the GitHub Actions tag-based release workflow.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

File | Description
cloudbuild.yaml | New Cloud Build config to build/push images via GCB.
Makefile | Adds release-staging and plugin discovery to build/push all plugin images.
RELEASE.md | Updates release flow to staging + kpromo-based promotion to registry.k8s.io.
.github/workflows/release.yml | Removes the GitHub Actions-based release pipeline.
.github/ISSUE_TEMPLATE/NEW_RELEASE.md | Adds a release checklist issue template aligned to the new process.


Comment thread Makefile Outdated
kahirokunn force-pushed the kahiro/official-image-publishing branch from 0884b3b to 56f5098, April 17, 2026 07:12
Signed-off-by: kahirokunn <okinakahiro@gmail.com>
kahirokunn force-pushed the kahiro/official-image-publishing branch from 56f5098 to 2cd5253, April 17, 2026 07:37
kahirokunn closed this, Apr 21, 2026