name: Weekly Rebuild (CVE Updates) on: schedule: # Rebuild weekly to pick up Wolfi security patches - cron: '0 6 * * 1' push: paths: - '.gitea/workflows/rebuild.yaml' permissions: contents: read env: IMAGE_NAME: base-distro jobs: rebuild: runs-on: ubuntu-latest strategy: matrix: include: - config: apko/base.yaml variant: base - config: apko/build.yaml variant: build - config: apko/dotnet-runtime.yaml variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - config: apko/flutter-sdk.yaml variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 - name: Install apko run: | APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name') APKO_VERSION_NUM="${APKO_VERSION#v}" curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \ -o /tmp/apko.tar.gz tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin rm /tmp/apko.tar.gz - name: Install cosign run: | COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name') curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \ -o /usr/local/bin/cosign chmod +x /usr/local/bin/cosign - name: Login to Docker Registry uses: docker/login-action@v3 with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Rebuild and push with latest Wolfi packages id: publish run: | IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest mkdir -p /tmp/sbom apko publish ${{ matrix.config }} \ --sbom-path /tmp/sbom \ --image-refs /tmp/image-refs.txt \ "${IMAGE_REF}" echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT" DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//') echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - name: Attach SBOM attestation env: COSIGN_YES: "true" run: | IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1) if [ -n "$SBOM_FILE" ]; then cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}" echo "SBOM attached successfully" else echo "No SBOM file found, skipping" fi - name: Generate and attach provenance env: COSIGN_YES: "true" run: | IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" cat > /tmp/provenance.json << PROVEOF { "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { "name": "${{ steps.publish.outputs.image_ref }}", "digest": { "sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')" } } ], "predicate": { "buildType": "https://apko.dev/build/v1", "builder": { "id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" }, "invocation": { "configSource": { "uri": "${{ github.server_url }}/${{ github.repository }}", "digest": { "sha1": "${{ github.sha }}" }, "entryPoint": "${{ matrix.config }}" } }, "metadata": { "buildInvocationID": "${{ github.run_id }}", "completeness": { "parameters": true, "environment": true, "materials": true } } } } PROVEOF cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" echo "Provenance attestation attached successfully" - name: Install Docker Scout run: | curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh sh install-scout.sh - name: Docker Scout CVE Scan run: | docker pull ${{ steps.publish.outputs.image_ref }} docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high