Skip to content

Use prow/GCB for automated image builds rather than GitHub Actions#53

Merged
k8s-ci-robot merged 1 commit intokubernetes-sigs:mainfrom
kahirokunn:kahiro/official-image-publishing
Apr 19, 2026
Merged

Use prow/GCB for automated image builds rather than GitHub Actions#53
k8s-ci-robot merged 1 commit intokubernetes-sigs:mainfrom
kahirokunn:kahiro/official-image-publishing

Conversation

@kahirokunn
Copy link
Copy Markdown
Member

@kahirokunn kahirokunn commented Apr 17, 2026

Summary

Switch the plugin image release pipeline from a GitHub Actions workflow that pushed to GHCR over to the standard k8s SIG release path (GCB postsubmit → k8s-staging-imageskpromoregistry.k8s.io).

Changes

  • Add cloudbuild.yaml invoked by the test-infra postsubmit.
  • Add make release-staging target that builds/pushes every plugins/*/cmd/plugin via the existing docker-buildx target.
  • Remove .github/workflows/release.yml.
  • Rewrite RELEASE.md and add .github/ISSUE_TEMPLATE/NEW_RELEASE.md to describe the new tag → staging → promote flow.

Related PRs

A follow-up PR will add the promotion manifest under registry.k8s.io/images/k8s-staging-cluster-inventory-api/.

Verification

Verified release-staging against a personal GHCR namespace:

$ make release-staging \
              REGISTRY=ghcr.io/kahirokunn/cluster-inventory-api \
              VERSION=test-(date +%Y%m%d-%H%M%S) \
              PLATFORMS=linux/amd64
docker buildx build -f hack/Dockerfile.plugin \
		--build-arg PLUGIN_NAME=kubeconfig-secretreader \
		--platform=linux/amd64 \
		-t ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20260417-154304 \
		--push \
		--attest type=provenance,mode=max \
		--attest type=sbom \
		.
[+] Building 7.2s (17/17) FINISHED                                                    docker:desktop-linux
 => [internal] load build definition from Dockerfile.plugin                                           0.0s
 => => transferring dockerfile: 1.54kB                                                                0.0s
 => resolve image config for docker-image://docker.io/docker/buildkit-syft-scanner:stable-1           0.5s
 => [internal] load metadata for docker.io/library/golang:1.25                                        0.5s
 => [internal] load .dockerignore                                                                     0.0s
 => => transferring context: 222B                                                                     0.0s
 => [builder 1/7] FROM docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d  0.0s
 => => resolve docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d48d15d09  0.0s
 => docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                                    0.5s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                        0.5s
 => [internal] load build context                                                                     0.1s
 => => transferring context: 155.71kB                                                                 0.1s
 => CACHED [builder 2/7] WORKDIR /src                                                                 0.0s
 => CACHED [builder 3/7] COPY go.mod go.sum ./                                                        0.0s
 => CACHED [builder 4/7] RUN go mod download                                                          0.0s
 => CACHED [builder 5/7] COPY . .                                                                     0.0s
 => CACHED [builder 6/7] RUN mkdir -p /out/bin && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build  -t  0.0s
 => CACHED [builder 7/7] RUN chmod 0555 /out/bin/kubeconfig-secretreader-plugin                       0.0s
 => CACHED [stage-1 1/1] COPY --from=builder /out/ /                                                  0.0s
 => CACHED [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1        0.0s
 => exporting to image                                                                                5.7s
 => => exporting layers                                                                               0.0s
 => => exporting manifest sha256:3e923a6543ce1b56a5c14d15541ba474bb1982dbdeca0582bf2698f581a3998f     0.0s
 => => exporting config sha256:820353ffad46fb0fc7cf29c34804879f5772da92152e3efaed0fe6c02b8c9cb1       0.0s
 => => exporting attestation manifest sha256:1d2f59efd4cd1e47896c7607ef72c016e6c021c1d2265a3942eef0e  0.0s
 => => exporting manifest list sha256:925e48a3e429016e5fe24ce53ab0db2af23236abd366be31e29738bd22b402  0.0s
 => => naming to ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20260417-1543  0.0s
 => => pushing layers                                                                                 3.8s
 => => pushing manifest for ghcr.io/kahirokunn/cluster-inventory-api/kubeconfig-secretreader:test-20  1.9s
 => [auth] kahirokunn/cluster-inventory-api/kubeconfig-secretreader:pull,push token for ghcr.io       0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/ia0yna8fgrf3putgk5qu51h08
docker buildx build -f hack/Dockerfile.plugin \
		--build-arg PLUGIN_NAME=secretreader \
		--platform=linux/amd64 \
		-t ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-154304 \
		--push \
		--attest type=provenance,mode=max \
		--attest type=sbom \
		.
[+] Building 54.9s (17/17) FINISHED                                                   docker:desktop-linux
 => [internal] load build definition from Dockerfile.plugin                                           0.0s
 => => transferring dockerfile: 1.54kB                                                                0.0s
 => resolve image config for docker-image://docker.io/docker/buildkit-syft-scanner:stable-1           0.3s
 => [internal] load metadata for docker.io/library/golang:1.25                                        0.4s
 => [internal] load .dockerignore                                                                     0.0s
 => => transferring context: 222B                                                                     0.0s
 => [builder 1/7] FROM docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d  0.0s
 => => resolve docker.io/library/golang:1.25@sha256:3760478c76cfe25533e06176e983e7808293895d48d15d09  0.0s
 => CACHED docker-image://docker.io/docker/buildkit-syft-scanner:stable-1                             0.2s
 => => resolve docker.io/docker/buildkit-syft-scanner:stable-1                                        0.2s
 => [internal] load build context                                                                     0.1s
 => => transferring context: 155.71kB                                                                 0.1s
 => CACHED [builder 2/7] WORKDIR /src                                                                 0.0s
 => CACHED [builder 3/7] COPY go.mod go.sum ./                                                        0.0s
 => [builder 4/7] RUN go mod download                                                                11.3s
 => [builder 5/7] COPY . .                                                                            0.4s
 => [builder 6/7] RUN mkdir -p /out/bin && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build  -trimpat  35.2s
 => [builder 7/7] RUN chmod 0555 /out/bin/secretreader-plugin                                         0.2s
 => [stage-1 1/1] COPY --from=builder /out/ /                                                         0.0s
 => [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1               0.6s
 => exporting to image                                                                                6.3s
 => => exporting layers                                                                               0.5s
 => => exporting manifest sha256:19063605ba1ac5b7e8dcdb704ce3366f91e214603cd7257fd6a2aabd747dfb09     0.0s
 => => exporting config sha256:7a668ee52e2686acfeea2faa775bce0ac3da73d62fb51e1077f40f3fad3d2e71       0.0s
 => => exporting attestation manifest sha256:87220a27cdb14faf629180974b28f688633c86bd0e4e24a853fcf9c  0.0s
 => => exporting manifest list sha256:985a0d8770b8b473cdcbc407b0a9b08e1fa54f21ac2652d427b4b1135d6377  0.0s
 => => naming to ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-154304           0.0s
 => => pushing layers                                                                                 3.7s
 => => pushing manifest for ghcr.io/kahirokunn/cluster-inventory-api/secretreader:test-20260417-1543  1.9s
 => [auth] kahirokunn/cluster-inventory-api/secretreader:pull,push token for ghcr.io                  0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/y8sqyit991o0oqlcw6yk3v2yi

@k8s-ci-robot k8s-ci-robot requested a review from qiujian16 April 17, 2026 07:06
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 17, 2026
@k8s-ci-robot k8s-ci-robot added sig/multicluster Categorizes an issue or PR as relevant to SIG Multicluster. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 17, 2026
@kahirokunn kahirokunn force-pushed the kahiro/official-image-publishing branch from 0884b3b to 56f5098 Compare April 17, 2026 07:12
@kahirokunn
Use prow/GCB for automated image builds rather than GitHub Actions
2cd5253 
Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn kahirokunn force-pushed the kahiro/official-image-publishing branch from 56f5098 to 2cd5253 Compare April 17, 2026 07:37
mikeshng
mikeshng approved these changes Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mikeshng mikeshng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

This is great work! Thank you!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 19, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Apr 19, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kahirokunn, mikeshng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [kahirokunn,mikeshng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 1920fca into kubernetes-sigs:main Apr 19, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikeshng mikeshng mikeshng approved these changes

@qiujian16 qiujian16 Awaiting requested review from qiujian16

@RainbowMango RainbowMango Awaiting requested review from RainbowMango

Assignees

@mikeshng mikeshng

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/multicluster Categorizes an issue or PR as relevant to SIG Multicluster. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kahirokunn @k8s-ci-robot @mikeshng