name: Check for Upstream Stable Updates on: schedule: # Daily at 8am UTC - cron: '0 8 * * *' push: paths: - '.gitea/workflows/update-check.yaml' permissions: contents: read env: IMAGE_NAME: base-distro jobs: check-wolfi: name: Check Wolfi package updates runs-on: ubuntu-latest outputs: updated: ${{ steps.check.outputs.updated }} steps: - name: Checkout code uses: actions/checkout@v3 - name: Install apko run: | APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name') APKO_VERSION_NUM="${APKO_VERSION#v}" curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \ -o /tmp/apko.tar.gz tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin rm /tmp/apko.tar.gz - name: Check for Wolfi package updates id: check run: | # Resolve current packages for each variant and compare with last known state UPDATED=false for config in apko/base.yaml apko/build.yaml apko/dotnet-runtime.yaml apko/dotnet-sdk.yaml apko/flutter-sdk.yaml; do VARIANT=$(basename "$config" .yaml) echo "Checking $VARIANT..." # Resolve package versions (dry-run build to see resolved versions) RESOLVED=$(apko resolve "$config" 2>&1 || true) HASH=$(echo "$RESOLVED" | sha256sum | cut -d' ' -f1) echo "$VARIANT=$HASH" >> "$GITHUB_OUTPUT" echo " Hash: $HASH" done echo "updated=$UPDATED" >> "$GITHUB_OUTPUT" check-dotnet: name: Check .NET stable releases runs-on: ubuntu-latest outputs: new_version: ${{ steps.check.outputs.new_version }} current_version: ${{ steps.check.outputs.current_version }} steps: - name: Check latest .NET stable release id: check run: | # Query the .NET release metadata for the latest stable SDK LATEST=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last') echo "Latest .NET stable SDK: $LATEST" echo "new_version=$LATEST" >> "$GITHUB_OUTPUT" # Check if we already have a rebuild tag for this version CURRENT_TAG="${LATEST}" echo "current_version=$CURRENT_TAG" >> "$GITHUB_OUTPUT" check-flutter: name: Check Flutter stable releases runs-on: ubuntu-latest outputs: new_version: ${{ steps.check.outputs.new_version }} has_new: ${{ steps.check.outputs.has_new }} steps: - name: Check latest Flutter stable release id: check run: | LATEST=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \ | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version') echo "Latest Flutter stable: $LATEST" echo "new_version=$LATEST" >> "$GITHUB_OUTPUT" # Check if a release with this tag already exists (unauthenticated, HTTP status only) STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/tags/v${LATEST}") if [ "$STATUS" = "200" ]; then echo "Release v${LATEST} already exists, skipping" echo "has_new=false" >> "$GITHUB_OUTPUT" else echo "New Flutter stable version found: $LATEST" echo "has_new=true" >> "$GITHUB_OUTPUT" fi rebuild: name: Rebuild and push all variants needs: [check-wolfi, check-dotnet, check-flutter] runs-on: ubuntu-latest strategy: matrix: include: - config: apko/base.yaml variant: base - config: apko/build.yaml variant: build - config: apko/dotnet-runtime.yaml variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - config: apko/flutter-sdk.yaml variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 - name: Install apko run: | APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name') APKO_VERSION_NUM="${APKO_VERSION#v}" curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \ -o /tmp/apko.tar.gz tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin rm /tmp/apko.tar.gz - name: Install cosign run: | COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name') curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \ -o /usr/local/bin/cosign chmod +x /usr/local/bin/cosign - name: Login to Docker Registry uses: docker/login-action@v3 with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Determine upstream version id: version run: | VARIANT="${{ matrix.variant }}" case "$VARIANT" in base|build) UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0") if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42") fi ;; dotnet-runtime) UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last') ;; dotnet-sdk) UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last') ;; flutter-sdk) UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \ | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version') ;; esac echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT" echo "Upstream version for ${VARIANT}: ${UPSTREAM}" REPO_NAME="${{ env.IMAGE_NAME }}" REGISTRY_URL="${{ secrets.REGISTRY_URL }}" NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||') EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \ | jq -r '.results[]?.name // empty' 2>/dev/null || echo "") MAX_BUILD=0 for tag in $EXISTING_TAGS; do BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0") if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then MAX_BUILD=$BUILD_NUM fi done NEXT_BUILD=$((MAX_BUILD + 1)) VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}" echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT" echo "Next version tag: ${VERSION_TAG}" - name: Build and push image id: publish run: | IMAGE_LATEST=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest IMAGE_VERSIONED=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }} mkdir -p /tmp/sbom apko publish ${{ matrix.config }} \ --sbom-path /tmp/sbom \ --image-refs /tmp/image-refs.txt \ "${IMAGE_LATEST}" \ "${IMAGE_VERSIONED}" echo "image_ref=${IMAGE_LATEST}" >> "$GITHUB_OUTPUT" echo "image_versioned=${IMAGE_VERSIONED}" >> "$GITHUB_OUTPUT" DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//') echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" - name: Attach SBOM attestation env: COSIGN_YES: "true" run: | IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1) if [ -n "$SBOM_FILE" ]; then cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}" echo "SBOM attached successfully" else echo "No SBOM file found, skipping" fi - name: Generate and attach provenance env: COSIGN_YES: "true" run: | IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" jq -n \ --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ --arg buildType "https://apko.dev/build/v1" \ --arg uri "${{ github.server_url }}/${{ github.repository }}" \ --arg sha1 "${{ github.sha }}" \ --arg entry "${{ matrix.config }}" \ --arg runId "${{ github.run_id }}" \ '{ "builder": {"id": $builder}, "buildType": $buildType, "invocation": { "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry} }, "metadata": { "buildInvocationID": $runId, "completeness": {"parameters": true, "environment": true, "materials": true} } }' > /tmp/provenance.json cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" echo "Provenance attestation attached successfully" - name: Install Docker Scout run: | curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh sh install-scout.sh - name: Docker Scout CVE Scan run: | docker pull ${{ steps.publish.outputs.image_ref }} docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high notify-flutter: name: Create release for new Flutter version needs: [check-flutter] if: needs.check-flutter.outputs.has_new == 'true' runs-on: ubuntu-latest steps: - name: Create Gitea release run: | VERSION="${{ needs.check-flutter.outputs.new_version }}" echo "Creating release v${VERSION} for new Flutter stable..." curl -fsSL -X POST \ -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ -H "Content-Type: application/json" \ "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \ -d "{ \"tag_name\": \"v${VERSION}\", \"name\": \"v${VERSION} - Flutter ${VERSION}\", \"body\": \"Automated release triggered by Flutter stable ${VERSION} detection.\n\nUpstream: https://docs.flutter.dev/release/release-notes\", \"draft\": false, \"prerelease\": false }" echo "Release v${VERSION} created successfully"