kubescape · entlein · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 14, 2026
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
@@ -30,7 +30,7 @@ concurrency:
 
 jobs:
   benchmark:
-    runs-on: ubuntu-large
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -57,10 +57,13 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
+          # Baseline = latest UPSTREAM release. Our fork doesn't tag releases,
+          # so querying ${{ github.repository }} gives 404. Comparing against
+          # upstream is also the meaningful baseline for performance work.
           if [[ -n "${{ inputs.before_image }}" ]]; then
             echo "BEFORE_IMAGE=${{ inputs.before_image }}" >> "$GITHUB_OUTPUT"
           else
-            LATEST_TAG=$(gh api repos/${{ github.repository }}/releases/latest --jq '.tag_name')
+            LATEST_TAG=$(gh api repos/kubescape/node-agent/releases/latest --jq '.tag_name')
             echo "BEFORE_IMAGE=quay.io/kubescape/node-agent:${LATEST_TAG}" >> "$GITHUB_OUTPUT"
           fi
 

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,102 @@
+name: build-image
+
+on:
+  workflow_dispatch:
+    inputs:
+      IMAGE_TAG:
+        required: true
+        type: string
+        description: "Image tag for the node-agent image"
+      STORAGE_REF:
+        required: false
+        type: string
+        default: ""
+        description: "Branch/tag/commit of k8sstormcenter/storage to use (leave empty to keep go.mod default)"
+      PLATFORMS:
+        type: boolean
+        required: false
+        default: false
+        description: "Build for both amd64 and arm64"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Update storage dependency
+        if: ${{ inputs.STORAGE_REF != '' }}
+        env:
+          STORAGE_REF: ${{ inputs.STORAGE_REF }}
+          GONOSUMCHECK: "*"
+          GOFLAGS: ""
+        run: |
+          echo "Replacing github.com/kubescape/storage with github.com/k8sstormcenter/storage@${STORAGE_REF}"
+          go mod edit -replace "github.com/kubescape/storage=github.com/k8sstormcenter/storage@${STORAGE_REF}"
+          go mod tidy
+          echo "Resolved storage version:"
+          grep "k8sstormcenter/storage" go.sum | head -1
+
+      - name: Ensure ig is installed
+        run: |
+          curl -L https://github.com/inspektor-gadget/inspektor-gadget/releases/download/v0.45.0/ig_0.45.0_amd64.deb -O
+          sudo dpkg -i ig_0.45.0_amd64.deb
+
+      - name: Build gadgets
+        run: make gadgets
+
+      - name: Set up QEMU
+        if: ${{ inputs.PLATFORMS }}
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: build/Dockerfile
+          tags: ghcr.io/${{ github.repository_owner }}/node-agent:${{ inputs.IMAGE_TAG }}
+          build-args: image_version=${{ inputs.IMAGE_TAG }}
+          platforms: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+          push: true
+
+
+  trigger-component-tests:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+      - name: Trigger component tests
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          STORAGE_TAG="${{ inputs.IMAGE_TAG }}"
+          NODE_AGENT_TAG="${{ inputs.IMAGE_TAG }}"
+          STORAGE_REF="${{ inputs.STORAGE_REF }}"
+          echo "Triggering component tests with STORAGE_TAG=${STORAGE_TAG} NODE_AGENT_TAG=${NODE_AGENT_TAG} STORAGE_REF=${STORAGE_REF}"
+          gh workflow run component-tests.yaml \
+            --repo "${{ github.repository }}" \
+            --ref "${{ github.ref_name }}" \
+            -f STORAGE_TAG="${STORAGE_TAG}" \
+            -f NODE_AGENT_TAG="${NODE_AGENT_TAG}" \
+            -f STORAGE_REF="${STORAGE_REF}"
diff --git a/.github/workflows/bypass.yaml b/.github/workflows/bypass.yaml
@@ -20,7 +20,7 @@ jobs:
     needs: reset-run-number
     uses: ./.github/workflows/incluster-comp-pr-merged.yaml
     with:
-      IMAGE_NAME: quay.io/${{ github.repository_owner }}/node-agent
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/node-agent
       IMAGE_TAG: v0.2.${{ needs.reset-run-number.outputs.run-number }}
       COMPONENT_NAME: nodeAgent
       CGO_ENABLED: 0