2e07c31e99
Some checks failed
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Failing after 28s
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Failing after 30s
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 26s
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 26s
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 16s
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 2s
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 27s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Failing after 22s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Failing after 22s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 22s
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 2s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 24s
Check for Upstream Stable Updates / Create release for new Flutter version (push) Has been skipped
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 20s
Use cosign to attach SPDX SBOM (generated by apko) and SLSA provenance attestations to all published images. Applied to publish, rebuild, and update-check pipelines. Also added push trigger on self-path for rebuild.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
149 lines
5.3 KiB
YAML
149 lines
5.3 KiB
YAML
name: Build and Push Base Distro Images
|
|
|
|
on:
|
|
release:
|
|
types: [published, prereleased]
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
IMAGE_NAME: base-distro
|
|
|
|
jobs:
|
|
build-and-push:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- config: apko/base.yaml
|
|
variant: base
|
|
- config: apko/build.yaml
|
|
variant: build
|
|
- config: apko/dotnet-runtime.yaml
|
|
variant: dotnet-runtime
|
|
- config: apko/dotnet-sdk.yaml
|
|
variant: dotnet-sdk
|
|
- config: apko/flutter-sdk.yaml
|
|
variant: flutter-sdk
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Determine tag
|
|
id: tag
|
|
run: |
|
|
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
|
|
echo "suffix=dev" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "suffix=latest" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Install apko
|
|
run: |
|
|
APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
|
|
APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
|
|
APKO_VERSION_NUM="${APKO_VERSION#v}"
|
|
curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
|
|
-o /tmp/apko.tar.gz
|
|
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
|
|
rm /tmp/apko.tar.gz
|
|
|
|
- name: Install cosign
|
|
run: |
|
|
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
|
|
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
|
|
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
|
|
-o /usr/local/bin/cosign
|
|
chmod +x /usr/local/bin/cosign
|
|
|
|
- name: Login to Docker Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
|
|
- name: Build and push image
|
|
id: publish
|
|
run: |
|
|
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
|
|
mkdir -p /tmp/sbom
|
|
apko publish ${{ matrix.config }} \
|
|
--sbom-path /tmp/sbom \
|
|
--image-refs /tmp/image-refs.txt \
|
|
"${IMAGE_REF}"
|
|
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
|
|
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
|
|
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Attach SBOM attestation
|
|
env:
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
|
|
# Attach SPDX SBOM
|
|
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
|
|
if [ -n "$SBOM_FILE" ]; then
|
|
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
|
|
echo "SBOM attached successfully"
|
|
else
|
|
echo "No SBOM file found, skipping"
|
|
fi
|
|
|
|
- name: Generate and attach provenance
|
|
env:
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
|
|
# Generate SLSA-style provenance
|
|
cat > /tmp/provenance.json << PROVEOF
|
|
{
|
|
"_type": "https://in-toto.io/Statement/v0.1",
|
|
"predicateType": "https://slsa.dev/provenance/v0.2",
|
|
"subject": [
|
|
{
|
|
"name": "${{ steps.publish.outputs.image_ref }}",
|
|
"digest": {
|
|
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')"
|
|
}
|
|
}
|
|
],
|
|
"predicate": {
|
|
"buildType": "https://apko.dev/build/v1",
|
|
"builder": {
|
|
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
},
|
|
"invocation": {
|
|
"configSource": {
|
|
"uri": "${{ github.server_url }}/${{ github.repository }}",
|
|
"digest": {
|
|
"sha1": "${{ github.sha }}"
|
|
},
|
|
"entryPoint": "${{ matrix.config }}"
|
|
}
|
|
},
|
|
"metadata": {
|
|
"buildInvocationID": "${{ github.run_id }}",
|
|
"completeness": {
|
|
"parameters": true,
|
|
"environment": true,
|
|
"materials": true
|
|
}
|
|
}
|
|
}
|
|
}
|
|
PROVEOF
|
|
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
|
|
echo "Provenance attestation attached successfully"
|
|
|
|
- name: Install Docker Scout
|
|
run: |
|
|
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
|
|
sh install-scout.sh
|
|
|
|
- name: Docker Scout CVE Scan
|
|
run: |
|
|
docker pull ${{ steps.publish.outputs.image_ref }}
|
|
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high
|