kagent-dev
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 94 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 94 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 69 additions & 68 deletions b/‎.github/workflows/release.yml‎
Lines changed: 69 additions & 68 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 2 deletions b/‎.gitignore‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Dockerfile‎
Lines changed: 23 additions & 4 deletions b/‎Dockerfile‎
Lines changed: 23 additions & 4 deletions
@@ -3,18 +3,20 @@ name: CI/CD Pipeline
 permissions:
   actions: read
   contents: read
-  security-events: write
 
 on:
   push:
-    branches: [ main, develop ]
+    branches: [ main ]
   pull_request:
     branches: [ main ]
 
 env:
-  DOCKER_REGISTRY: otomato
-  DOCKER_IMAGE: khook
-  GO_VERSION: '1.21'
+  # Cache key components for better organization
+  CACHE_KEY_PREFIX: kagent-v2
+  BRANCH_CACHE_KEY: ${{ github.head_ref || github.ref_name }}
+  # Consistent builder configuration
+  BUILDX_BUILDER_NAME: kagent-builder-v0.23.0
+  BUILDX_VERSION: v0.23.0
 
 jobs:
   test:
@@ -26,8 +28,6 @@ jobs:
 
     - name: Set up Go
       uses: actions/setup-go@v4
-      with:
-        go-version: ${{ env.GO_VERSION }}
 
     - name: Cache Go modules
       uses: actions/cache@v3
@@ -58,100 +58,31 @@ jobs:
         flags: unittests
         name: codecov-umbrella
 
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    needs: test
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set up Go
-      uses: actions/setup-go@v4
-      with:
-        go-version: ${{ env.GO_VERSION }}
-
-    - name: Build binary
-      run: make build
-
-    - name: Upload binary artifact
-      uses: actions/upload-artifact@v4
-      with:
-        name: khook-controller
-        path: bin/manager
-
   docker:
-    name: Docker Build and Push
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5001:5000
+    name: Docker Build
     runs-on: ubuntu-latest
-    needs: [test, build]
-    if: github.ref == 'refs/heads/main'
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
 
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+      with:
+        platforms: linux/amd64,linux/arm64
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
-
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
       with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-    - name: Extract metadata
-      id: meta
-      uses: docker/metadata-action@v5
-      with:
-        images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}
-        tags: |
-          type=ref,event=branch
-          type=ref,event=pr
-          type=sha,prefix={{branch}}-
-          type=raw,value=latest,enable={{is_default_branch}}
-
-    - name: Build and push Docker image
-      uses: docker/build-push-action@v5
-      with:
-        context: .
+        name: ${{ env.BUILDX_BUILDER_NAME }}
+        version: ${{ env.BUILDX_VERSION }}
         platforms: linux/amd64,linux/arm64
-        push: true
-        tags: |
-          ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ github.sha }}
-          ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:latest
-        labels: ${{ steps.meta.outputs.labels }}
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-
-  security:
-    name: Security Scan
-    runs-on: ubuntu-latest
-    needs: test
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Run Gosec Security Scanner
-      uses: securego/gosec@master
-      with:
-        args: './...'
-
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
-      with:
-        scan-type: 'fs'
-        scan-ref: '.'
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-
-    - name: Check for Trivy SARIF file
-      run: |
-        if [ ! -f "trivy-results.sarif" ]; then
-          echo "Trivy results file not found!"
-          exit 1
-        fi
-
-    - name: Upload Trivy scan results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v3
-      if: always()
-      with:
-        sarif_file: 'trivy-results.sarif'
+        use: 'true'
+        driver-opts: network=host
+    - name: Build Docker image
+      env:
+        DOCKER_BUILD_ARGS: --push --platform linux/amd64,linux/arm64
+      run: make docker-build
@@ -3,102 +3,103 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+    - "v*.*.*"
 
 env:
-  DOCKER_REGISTRY: otomato
-  DOCKER_IMAGE: khook
-  GO_VERSION: '1.21'
+  # Cache key components for better organization
+  CACHE_KEY_PREFIX: kagent-v2
+  BRANCH_CACHE_KEY: ${{ github.head_ref || github.ref_name }}
+  # Consistent builder configuration
+  BUILDX_BUILDER_NAME: kagent-builder-v0.23.0
+  BUILDX_VERSION: v0.23.0
+  DOCKER_REGISTRY: ghcr.io
+  DOCKER_REPO: kagent-dev/khook
 
 jobs:
-  release:
-    name: Create Release
+  push-images:
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5001:5000
+    name: Docker Build
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
 
-    - name: Set up Go
-      uses: actions/setup-go@v4
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
-
-    - name: Build binaries
-      run: |
-        make build
-        # Build for multiple architectures
-        GOOS=linux GOARCH=amd64 go build -o bin/manager-linux-amd64 cmd/main.go
-        GOOS=linux GOARCH=arm64 go build -o bin/manager-linux-arm64 cmd/main.go
-        GOOS=darwin GOARCH=amd64 go build -o bin/manager-darwin-amd64 cmd/main.go
-        GOOS=darwin GOARCH=arm64 go build -o bin/manager-darwin-arm64 cmd/main.go
-        GOOS=windows GOARCH=amd64 go build -o bin/manager-windows-amd64.exe cmd/main.go
-
+        platforms: linux/amd64,linux/arm64
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
+      with:
+        name: ${{ env.BUILDX_BUILDER_NAME }}
+        version: ${{ env.BUILDX_VERSION }}
+        platforms: linux/amd64,linux/arm64
+        use: 'true'
+        driver-opts: network=host
 
-    - name: Login to Docker Hub
+    - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
       with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Docker image
+      env:
+        DOCKER_BUILD_ARGS: --push --platform linux/amd64,linux/arm64
+      run: make docker-build
 
-    - name: Extract tag name
-      id: tag
-      run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+  push-helm-chart:
+    needs:
+    - push-images
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: 'Checkout GitHub Action'
+      uses: actions/checkout@main
 
-    - name: Build and push Docker image
-      uses: docker/build-push-action@v5
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
       with:
-        context: .
-        platforms: linux/amd64,linux/arm64
-        push: true
-        tags: |
-          ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.tag.outputs.tag }}
-          ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:latest
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Helm chart
+      run: make helm-publish
 
-    - name: Generate release manifests
-      run: |
-        mkdir -p release
-        # Generate install manifest
-        cat > release/install.yaml << EOF
-        # KHook Controller Installation Manifest
-        # Version: ${{ steps.tag.outputs.tag }}
-        ---
-        EOF
-        cat config/crd/bases/kagent.dev_hooks.yaml >> release/install.yaml
-        echo "---" >> release/install.yaml
-        # Add RBAC and deployment manifests here when they exist
-        
-        # Generate CRD-only manifest
-        cp config/crd/bases/kagent.dev_hooks.yaml release/crds.yaml
+  release:
+    needs:
+    - push-helm-chart
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
 
     - name: Create GitHub Release
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@v2
+      if: startsWith(github.ref, 'refs/tags/')
       with:
-        tag_name: ${{ steps.tag.outputs.tag }}
-        name: Release ${{ steps.tag.outputs.tag }}
         draft: false
         prerelease: false
         generate_release_notes: true
-        files: |
-          bin/manager-*
-          release/install.yaml
-          release/crds.yaml
-        body: |
-          ## Docker Images
-          
-          ```bash
-          docker pull ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.tag.outputs.tag }}
-          ```
-          
+        body: |          
           ## Installation
           
           ```bash
-          kubectl apply -f https://github.com/${{ github.repository }}/releases/download/${{ steps.tag.outputs.tag }}/install.yaml
+          helm install khook-crds oci://ghcr.io/kagent-dev/khook/helm/khook-crds \
+              --namespace kagent \
+              --create-namespace
+          helm install khook oci://ghcr.io/kagent-dev/khook/helm/khook \
+              --namespace kagent \
+              --create-namespace
           ```
           
           ## What's Changed
 
@@ -61,8 +61,8 @@ coverage.html
 .env.*.local
 
 # Helm charts
-charts/*/charts/
-charts/*/requirements.lock
+helm/*/charts/
+helm/*/requirements.lock
 
 # Generated files
 *.pb.go
 
@@ -1,21 +1,33 @@
 # Build the manager binary
-FROM golang:1.24 AS builder
+ARG BUILDPLATFORM
+FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+ARG TARGETARCH
+ARG TARGETPLATFORM
+# This is used to print the build platform in the logs
+ARG BUILDPLATFORM
+
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
+
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw      \
+    --mount=type=cache,target=/root/.cache/go-build,rw \
+     go mod download
 
 # Copy the go source
 COPY cmd/ cmd/
 COPY api/ api/
 COPY internal/ internal/
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager cmd/main.go
+ARG LDFLAGS
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw             \
+    --mount=type=cache,target=/root/.cache/go-build,rw        \
+    echo "Building on $BUILDPLATFORM -> linux/$TARGETARCH" && \
+    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -ldflags "$LDFLAGS" -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
@@ -24,4 +36,11 @@ WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532
 
+ARG VERSION
+
+LABEL org.opencontainers.image.source=https://github.com/kagent-dev/khook
+LABEL org.opencontainers.image.description="Khook is the controller for running hooks for agents."
+LABEL org.opencontainers.image.authors="Kagent Creators 🤖"
+LABEL org.opencontainers.image.version="$VERSION"
+
 ENTRYPOINT ["/manager"]