name: Build and Push Base Distro Images on: release: types: [published, prereleased] workflow_dispatch: permissions: contents: read env: IMAGE_NAME: base-distro jobs: build-and-push: runs-on: ubuntu-latest strategy: matrix: include: - config: apko/base.yaml variant: base - config: apko/build.yaml variant: build - config: apko/dotnet-runtime.yaml variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - config: apko/flutter-sdk.yaml variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 - name: Determine tag id: tag run: | if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then echo "suffix=dev" >> $GITHUB_OUTPUT else echo "suffix=latest" >> $GITHUB_OUTPUT fi - name: Install apko run: | APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name') curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_linux_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko - name: Login to Docker Registry uses: docker/login-action@v3 with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Build and push image run: | apko publish ${{ matrix.config }} \ ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} - name: Install Docker Scout run: | curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh sh install-scout.sh - name: Docker Scout CVE Scan run: | docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} --only-severity critical,high