name: Weekly Rebuild (CVE Updates) on: schedule: # Rebuild weekly to pick up Wolfi security patches - cron: '0 6 * * 1' workflow_dispatch: permissions: contents: read env: IMAGE_NAME: base-distro jobs: rebuild: runs-on: ubuntu-latest strategy: matrix: include: - config: apko/base.yaml variant: base - config: apko/build.yaml variant: build - config: apko/dotnet-runtime.yaml variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - config: apko/flutter-sdk.yaml variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 - name: Install apko run: | APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name') APKO_VERSION_NUM="${APKO_VERSION#v}" curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \ -o /tmp/apko.tar.gz tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin rm /tmp/apko.tar.gz - name: Login to Docker Registry uses: docker/login-action@v3 with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Rebuild and push with latest Wolfi packages run: | apko publish ${{ matrix.config }} \ ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest - name: Install Docker Scout run: | curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh sh install-scout.sh - name: Docker Scout CVE Scan run: | docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high