kitops-ml · gorkem · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025 · Dec 2, 2025
diff --git a/.github/workflows/kubeflow-components-test.yaml b/.github/workflows/kubeflow-components-test.yaml
@@ -0,0 +1,51 @@
+name: Kubeflow Components Tests
+
+on:
+  pull_request:
+    paths:
+      - 'build/dockerfiles/kubeflow-components/**'
+      - '.github/workflows/kubeflow-components-test.yaml'
+
+jobs:
+  test-scripts:
+    name: Run BATS tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Install BATS
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y bats
+
+      - name: Run push-modelkit tests
+        working-directory: build/dockerfiles/kubeflow-components
+        run: bats tests/push-modelkit.bats
+
+      - name: Run unpack-modelkit tests
+        working-directory: build/dockerfiles/kubeflow-components
+        run: bats tests/unpack-modelkit.bats
+
+  test-container-build:
+    name: Test container build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130    # v3.7.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Check kubeflow components container build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83    # v6.18.0
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: false
+          context: build/dockerfiles/kubeflow-components
+          file: build/dockerfiles/kubeflow-components/Dockerfile
+          build-args: |
+            KIT_BASE_IMAGE=ghcr.io/kitops-ml/kitops:next
diff --git a/.github/workflows/next-container-build.yaml b/.github/workflows/next-container-build.yaml
@@ -12,6 +12,7 @@ env:
   IMAGE_NAME: ${{ github.repository }}
   INIT_IMAGE_NAME: ${{ github.repository }}-init
   KIT_SERVE_IMAGE: ${{ github.repository }}-kserve
+  KUBEFLOW_IMAGE: ${{ github.repository }}-kubeflow
   NEXT_TAG: next
 
 permissions:
@@ -90,3 +91,20 @@ jobs:
             index:org.opencontainers.image.description=KitOps KServe container
             index:org.opencontainers.image.source=https://github.com/kitops-ml/kitops
             index:org.opencontainers.image.licenses=Apache-2.0
+
+      - name: Build and push Kubeflow Pipeline components container
+        id: build-kubeflow-container
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83    # v6.18.0
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          context: build/dockerfiles/kubeflow-components
+          file: build/dockerfiles/kubeflow-components/Dockerfile
+          build-args: |
+            KIT_BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-kit-container.outputs.digest }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.KUBEFLOW_IMAGE }}:${{ env.NEXT_TAG }}
+          annotations: |
+            index:org.opencontainers.image.description=KitOps Kubeflow Pipeline Components
+            index:org.opencontainers.image.source=https://github.com/kitops-ml/kitops
+            index:org.opencontainers.image.licenses=Apache-2.0
diff --git a/.github/workflows/platform-release.yaml b/.github/workflows/platform-release.yaml
@@ -21,6 +21,7 @@ env:
   IMAGE_NAME: ${{ github.repository }}
   INIT_IMAGE_NAME: ${{ github.repository }}-init
   KIT_SERVE_IMAGE: ${{ github.repository }}-kserve
+  KUBEFLOW_IMAGE: ${{ github.repository }}-kubeflow
 
 permissions:
   contents: write
@@ -431,6 +432,24 @@ jobs:
             index:org.opencontainers.image.source=https://github.com/kitops-ml/kitops
             index:org.opencontainers.image.licenses=Apache-2.0
 
+      - name: Build and push Kubeflow Pipeline components container
+        id: build-kubeflow-container
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83    # v6.18.0
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          context: build/dockerfiles/kubeflow-components
+          file: build/dockerfiles/kubeflow-components/Dockerfile
+          build-args: |
+            KIT_BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-kit-container.outputs.digest }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.KUBEFLOW_IMAGE }}:latest
+            ${{ env.REGISTRY }}/${{ env.KUBEFLOW_IMAGE }}:${{ github.ref_name }}
+          annotations: |
+            index:org.opencontainers.image.description=KitOps Kubeflow Pipeline Components
+            index:org.opencontainers.image.source=https://github.com/kitops-ml/kitops
+            index:org.opencontainers.image.licenses=Apache-2.0
+
       - name: Generate artifact attestation for base container
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a   # v3.0.0
         with:
@@ -451,3 +470,10 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ env.KIT_SERVE_IMAGE }}
           subject-digest: ${{ steps.build-kit-serve-container.outputs.digest }}
           push-to-registry: true
+
+      - name: Generate artifact attestation for kubeflow container
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a   # v3.0.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.KUBEFLOW_IMAGE }}
+          subject-digest: ${{ steps.build-kubeflow-container.outputs.digest }}
+          push-to-registry: true
diff --git a/build/dockerfiles/kubeflow-components/Dockerfile b/build/dockerfiles/kubeflow-components/Dockerfile
@@ -0,0 +1,32 @@
+# Multi-platform digest for Cosign v2.4.0
-# Multi-platform digest for Cosign v2.4.0
+# Multi-platform digest for Cosign v2.4.0
+# We pin Cosign to v2.4.0 for compatibility with our signing and verification scripts.
+# If you need to update Cosign, ensure that all scripts and workflows using Cosign are tested with the new version.
+# Check for breaking changes in Cosign's release notes: https://github.com/sigstore/cosign/releases
+# Update the digest and version only after confirming compatibility.
-# Multi-platform digest for Cosign v2.4.0
+# Multi-platform digest for Cosign v2.4.0
+# We pin Cosign to v2.4.0 for compatibility with our signing and verification scripts.
+# If you need to update Cosign, ensure that all scripts and workflows using Cosign are tested with the new version.
+# Check for breaking changes in Cosign's release notes: https://github.com/sigstore/cosign/releases
+# Update the digest and version only after confirming compatibility.
+ARG COSIGN_DIGEST=sha256:9d50ceb15f023eda8f58032849eedc0216236d2e2f4cfe1cdf97c00ae7798cfe
+ARG KIT_BASE_IMAGE=ghcr.io/kitops-ml/kitops:next
+
+FROM gcr.io/projectsigstore/cosign@$COSIGN_DIGEST AS cosign-install
+FROM $KIT_BASE_IMAGE
+
+# Install additional tools needed for scripts
+USER 0
+RUN apk add --no-cache \
+    bash \
+    jq
+USER 1001
+
+# Copy cosign from multi-platform build
+COPY --from=cosign-install /ko-app/cosign /usr/local/bin/cosign
+
+# Copy scripts (needs root for chmod)
+USER 0
+COPY scripts/ /scripts/
+RUN chmod +x /scripts/*.sh
+USER 1001
+
+# Set working directory
+WORKDIR /workspace
+
+# Default entrypoint
+ENTRYPOINT ["/bin/bash"]
+
+LABEL org.opencontainers.image.description="KitOps Kubeflow Pipeline Components"
+LABEL org.opencontainers.image.source="https://github.com/kitops-ml/kitops"
+LABEL org.opencontainers.image.licenses="Apache-2.0"