Consolidate PR and real release workflows (GoogleContainerTools#1845)

* WIP: consolidate PR and real release workflows

- push and sign an image tagged for every push to the repo (e.g., merged PRs)
- push and sign for tag pushes, with release tags
- build but don't push for opened PRs

WIP because I need to test more with the tag flow, but pushes worked in
my fork.

* apply release tags, uncomment kms stuff

* Tag images correctly during releases

* review feedback

.github/workflows/images.yaml

@@ -0,0 +1,111 @@
+name: Build images
+
+on:
+  pull_request:
+    branches: ['master']
+  push:
+    branches: ['master']
+    tags: ['v[0-9]+.[0-9]+.[0-9]+*']
+
+concurrency:
+  group: release-images-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-images:
+    permissions:
+      contents: read  # Read the repo contents.
+      id-token: write # Produce identity token for keyless signing.
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+        - executor
+        - executor-debug
+        - executor-slim
+        - warmer
+
+        include:
+        - image: executor
+          dockerfile: ./deploy/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          image-name: gcr.io/kaniko-project/executor
+          tag: ${{ github.sha }}
+          release-tag: latest
+
+        - image: executor-debug
+          dockerfile: ./deploy/Dockerfile_debug
+          platforms: linux/amd64,linux/arm64
+          image-name: gcr.io/kaniko-project/executor
+          tag: ${{ github.sha }}-debug
+          release_tag: debug
+
+        - image: executor-slim
+          dockerfile: ./deploy/Dockerfile_slim
+          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+          image-name: gcr.io/kaniko-project/executor
+          tag: ${{ github.sha }}-slim
+          release-tag: slim
+
+        - image: warmer
+          dockerfile: ./deploy/Dockerfile_warmer
+          platforms: linux/amd64,linux/arm64
+          image-name: gcr.io/kaniko-project/warmer
+          tag: ${{ github.sha }}
+          release-tag: latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    # Setup auth if not a PR.
+    - if: github.event_name != 'pull_request'
+      uses: google-github-actions/setup-gcloud@master
+      with:
+        service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
+        project_id: kaniko-project
+        export_default_credentials: true
+    - if: github.event_name != 'pull_request'
+      run: gcloud auth configure-docker
+
+    # Build and push with Docker.
+    - uses: docker/setup-qemu-action@v1
+      with:
+        platforms: ${{ matrix.platforms }}
+    - uses: docker/setup-buildx-action@v1
+    - uses: docker/build-push-action@v2
+      id: build-and-push
+      with:
+        context: .
+        file: ${{ matrix.dockerfile }}
+        platforms: ${{ matrix.platforms }}
+        push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
+        tags: ${{ matrix.image-name }}:${{ matrix.tag }}
+        # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    # Sign images if not a PR.
+    - if: github.event_name != 'pull_request'
+      uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.4.1'
+    - if: github.event_name != 'pull_request'
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+      run: |
+        cosign sign \
+            --kms gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
+            ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
+        cosign sign ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
+
+    # If a tag push, use crane to add more tags.
+    - if: startsWith(github.ref, 'refs/tags/v')
+      uses: imjasonh/[email protected]
+    - if: startsWith(github.ref, 'refs/tags/v')
+      name: Apply release tags
+      run: |
+        crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
+            ${{ matrix.image-name }}:${GITHUB_REF/refs\/tags\//}
+        crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
+            ${{ matrix.image-name }}:${{ matrix.release-tag }}