svrnty/docker-base-distro
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 13 Wiki Activity
2e07c31e99
docker-base-distro/.gitea/workflows/rebuild.yaml
Mathias Beaulieu-Duncan 2e07c31e99
Some checks failed
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Failing after 28s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Failing after 30s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 26s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 26s
Details
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 16s
Details
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 2s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 27s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 2s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 24s
Details
Check for Upstream Stable Updates / Create release for new Flutter version (push) Has been skipped
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 20s
Details
Add SBOM and provenance attestations via cosign 
Use cosign to attach SPDX SBOM (generated by apko) and SLSA
provenance attestations to all published images. Applied to
publish, rebuild, and update-check pipelines.

Also added push trigger on self-path for rebuild.yaml.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 10:12:47 -05:00

141 lines
5.0 KiB
YAML
Raw Blame History

name: Weekly Rebuild (CVE Updates)
on:
schedule:
# Rebuild weekly to pick up Wolfi security patches
- cron: '0 6 * * 1'
push:
paths:
- '.gitea/workflows/rebuild.yaml'
permissions:
contents: read
env:
IMAGE_NAME: base-distro
jobs:
rebuild:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- config: apko/base.yaml
variant: base
- config: apko/build.yaml
variant: build
- config: apko/dotnet-runtime.yaml
variant: dotnet-runtime
- config: apko/dotnet-sdk.yaml
variant: dotnet-sdk
- config: apko/flutter-sdk.yaml
variant: flutter-sdk
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install apko
run: |
APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
APKO_VERSION_NUM="${APKO_VERSION#v}"
curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
-o /tmp/apko.tar.gz
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz
- name: Install cosign
run: |
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Rebuild and push with latest Wolfi packages
id: publish
run: |
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
mkdir -p /tmp/sbom
apko publish ${{ matrix.config }} \
--sbom-path /tmp/sbom \
--image-refs /tmp/image-refs.txt \
"${IMAGE_REF}"
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
if [ -n "$SBOM_FILE" ]; then
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
echo "SBOM attached successfully"
else
echo "No SBOM file found, skipping"
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
cat > /tmp/provenance.json << PROVEOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "${{ steps.publish.outputs.image_ref }}",
"digest": {
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')"
}
}
],
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout
run: |
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh
- name: Docker Scout CVE Scan
run: |
docker pull ${{ steps.publish.outputs.image_ref }}
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high
Reference in New Issue View Git Blame Copy Permalink