# Builds every apko image variant in the matrix, publishes each one to the
# registry named in the repository secrets, then pulls the pushed image back
# and runs a Docker Scout CVE scan on it.
name: Build and Push Base Distro Images

on:
  release:
    types: [published, prereleased]
  # NOTE(review): a manual dispatch carries no release payload, so the
  # "Determine tag" step below falls through to suffix=latest and re-tags
  # the :<variant>-latest images — confirm that is the intended behaviour.
  workflow_dispatch:

# GITHUB_TOKEN is read-only; registry access comes from the explicit
# REGISTRY_* secrets below, not from the workflow token.
permissions:
  contents: read

env:
  # Image repository name appended to REGISTRY_URL when tagging.
  IMAGE_NAME: base-distro

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      # One job per apko config; `variant` becomes the tag prefix
      # (<variant>-dev or <variant>-latest).
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter.yaml
            variant: flutter
    steps:
      # NOTE(review): both third-party actions in this job are referenced by
      # a mutable major tag (@v3); pinning to a full commit SHA makes the
      # action code that runs with these secrets immutable.
      - name: Checkout code
        uses: actions/checkout@v3

      # Prerelease events produce "dev"; anything else — including
      # workflow_dispatch, where the expression expands to an empty string —
      # produces "latest".
      - name: Determine tag
        id: tag
        run: |
          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
            echo "suffix=dev" >> $GITHUB_OUTPUT
          else
            echo "suffix=latest" >> $GITHUB_OUTPUT
          fi

      # NOTE(review): downloads whatever release is currently `latest` and
      # extracts it straight into PATH with no version pin and no checksum
      # verification, so the build tool can change between runs without any
      # diff in this file. Pinning a release tag and verifying the published
      # checksum would make this step reproducible.
      - name: Install apko
        run: |
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_$(uname -s)_$(uname -m).tar.gz" | tar xz -C /usr/local/bin apko

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Resulting reference: <REGISTRY_URL>/base-distro:<variant>-<dev|latest>.
      # The image is pushed here, before the CVE scan below runs.
      - name: Build and push image
        run: |
          apko publish ${{ matrix.config }} \
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}

      # NOTE(review): runs an installer fetched from a branch head (`main`)
      # rather than a tagged release; same reproducibility caveat as the
      # apko step above.
      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      # NOTE(review): this scan is informational only. It runs after
      # `apko publish`, so the image is already in the registry when
      # findings appear, and `docker scout cves` is invoked without
      # `--exit-code`, so critical/high findings are printed but never fail
      # the job. Moving the scan before publish and adding `--exit-code`
      # would turn it into a gate.
      - name: Docker Scout CVE Scan
        run: |
          docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} --only-severity critical,high