docker-base-distro/.gitea/workflows/update-check.yaml
Mathias Beaulieu-Duncan 2e07c31e99
Add SBOM and provenance attestations via cosign
Use cosign to attach SPDX SBOM (generated by apko) and SLSA
provenance attestations to all published images. Applied to
publish, rebuild, and update-check pipelines.

Also added push trigger on self-path for rebuild.yaml.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 10:12:47 -05:00


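name: Check for Upstream Stable Updates

on:
  schedule:
    # Daily at 8am UTC
    - cron: '0 8 * * *'
  push:
    paths:
      - '.gitea/workflows/update-check.yaml'

# Only repository read access is needed by the workflow token; the release
# step and the registry push use dedicated secrets instead.
permissions:
  contents: read

env:
  IMAGE_NAME: base-distro

jobs:
  # Resolves the package set of every apko variant and records a hash per
  # variant. The `updated` output is currently always "false": nothing compares
  # the hashes with a previous run, and the per-variant hashes written below are
  # not declared as job outputs, so no downstream job can read them.
  # TODO(review): persist the previous hashes (cache/artifact) and set
  # UPDATED=true on a mismatch; `rebuild` does not gate on this output yet.
  check-wolfi:
    name: Check Wolfi package updates
    runs-on: ubuntu-latest
    outputs:
      updated: ${{ steps.check.outputs.updated }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Installs the newest apko release for the runner architecture.
      # NOTE(review): "latest" is resolved at run time and the tarball is not
      # checksum-verified, so the build toolchain is neither pinned nor
      # verified; pin a release tag and check the published checksum if
      # reproducible, auditable builds are a goal.
      - name: Install apko
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          APKO_VERSION_NUM="${APKO_VERSION#v}"
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
            -o /tmp/apko.tar.gz
          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
          rm /tmp/apko.tar.gz

      - name: Check for Wolfi package updates
        id: check
        run: |
          # Resolve current packages for each variant and compare with last known state
          UPDATED=false
          for config in apko/base.yaml apko/build.yaml apko/dotnet-runtime.yaml apko/dotnet-sdk.yaml apko/flutter-sdk.yaml; do
            VARIANT=$(basename "$config" .yaml)
            echo "Checking $VARIANT..."
            # Resolve package versions (dry-run build to see resolved versions).
            # NOTE(review): stderr is folded into the hashed text and failures are
            # ignored, so a transient resolver error changes the hash without
            # failing the job.
            RESOLVED=$(apko resolve "$config" 2>&1 || true)
            HASH=$(echo "$RESOLVED" | sha256sum | cut -d' ' -f1)
            echo "$VARIANT=$HASH" >> "$GITHUB_OUTPUT"
            echo "  Hash: $HASH"
          done
          echo "updated=$UPDATED" >> "$GITHUB_OUTPUT"

  # Looks up the newest supported .NET SDK version from the release index.
  # `current_version` is a copy of `new_version`: the intended comparison with
  # an existing rebuild tag is not implemented, so the two outputs never differ.
  check-dotnet:
    name: Check .NET stable releases
    runs-on: ubuntu-latest
    outputs:
      new_version: ${{ steps.check.outputs.new_version }}
      current_version: ${{ steps.check.outputs.current_version }}
    steps:
      - name: Check latest .NET stable release
        id: check
        run: |
          # Query the .NET release metadata for the latest stable SDK
          LATEST=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
            | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
          # An empty or "null" result means the index changed shape; fail loudly
          # instead of publishing an empty version to the downstream jobs.
          if [ -z "$LATEST" ] || [ "$LATEST" = "null" ]; then
            echo "Could not determine the latest .NET SDK version" >&2
            exit 1
          fi
          echo "Latest .NET stable SDK: $LATEST"
          echo "new_version=$LATEST" >> "$GITHUB_OUTPUT"
          # Check if we already have a rebuild tag for this version
          # TODO(review): not implemented; this just echoes the new version back.
          CURRENT_TAG="${LATEST}"
          echo "current_version=$CURRENT_TAG" >> "$GITHUB_OUTPUT"

  # Looks up the current Flutter stable version and reports whether a release
  # tagged v<version> already exists in this repository.
  check-flutter:
    name: Check Flutter stable releases
    runs-on: ubuntu-latest
    outputs:
      new_version: ${{ steps.check.outputs.new_version }}
      has_new: ${{ steps.check.outputs.has_new }}
    steps:
      - name: Check latest Flutter stable release
        id: check
        run: |
          LATEST=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
            | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
          # The version is later used as a git tag and in an API request body;
          # refuse to continue with an empty value.
          if [ -z "$LATEST" ] || [ "$LATEST" = "null" ]; then
            echo "Could not determine the latest Flutter stable version" >&2
            exit 1
          fi
          echo "Latest Flutter stable: $LATEST"
          echo "new_version=$LATEST" >> "$GITHUB_OUTPUT"
          # Check if a release with this tag already exists (unauthenticated, HTTP status only)
          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/tags/v${LATEST}")
          # Only 200 and 404 answer the question. Any other status (5xx, or 000
          # when the connection fails) must not be read as "no release yet",
          # otherwise a flaky lookup creates a duplicate release.
          case "$STATUS" in
            200)
              echo "Release v${LATEST} already exists, skipping"
              echo "has_new=false" >> "$GITHUB_OUTPUT"
              ;;
            404)
              echo "New Flutter stable version found: $LATEST"
              echo "has_new=true" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "Unexpected HTTP status ${STATUS} while checking for release v${LATEST}" >&2
              exit 1
              ;;
          esac

  # Builds and publishes every variant, then attaches a signed SBOM and a SLSA
  # provenance attestation to the pushed image digest.
  # NOTE(review): this job needs the three checks only for ordering; it has no
  # `if:` and therefore rebuilds and pushes on every scheduled run regardless of
  # what the checks found.
  rebuild:
    name: Rebuild and push all variants
    needs: [check-wolfi, check-dotnet, check-flutter]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter-sdk.yaml
            variant: flutter-sdk
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Same unpinned, unverified download as in check-wolfi; see the note there.
      - name: Install apko
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          APKO_VERSION_NUM="${APKO_VERSION#v}"
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
            -o /tmp/apko.tar.gz
          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
          rm /tmp/apko.tar.gz

      # NOTE(review): the signing tool itself is fetched unpinned and
      # unverified. Pin COSIGN_VERSION to a known release and verify the
      # binary against the release's published checksums before trusting the
      # attestations it produces.
      - name: Install cosign
        run: |
          COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
          curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
            -o /usr/local/bin/cosign
          chmod +x /usr/local/bin/cosign

      # NOTE(review): no `registry:` input is given, so this logs in to the
      # action's default registry; if REGISTRY_URL is a different registry the
      # credentials never reach it — confirm against the registry in use.
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Publishes the variant and records the pushed reference and digest for
      # the attestation steps. Expression values are passed through `env:` so
      # the shell never sees them as code, only as variable contents.
      - name: Build and push image
        id: publish
        env:
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          CONFIG: ${{ matrix.config }}
          VARIANT: ${{ matrix.variant }}
        run: |
          IMAGE_REF="${REGISTRY_URL}/${IMAGE_NAME}:${VARIANT}-latest"
          mkdir -p /tmp/sbom
          apko publish "${CONFIG}" \
            --sbom-path /tmp/sbom \
            --image-refs /tmp/image-refs.txt \
            "${IMAGE_REF}"
          echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
          # First line of the refs file is taken as the pushed reference; keep
          # only the sha256:... part after "@".
          DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
          if [ -z "$DIGEST" ]; then
            echo "apko publish did not report an image digest" >&2
            exit 1
          fi
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"

      # Attaches the apko-generated SPDX SBOM as a signed in-toto attestation.
      # `cosign attach sbom` (used previously) only uploads the SBOM as an
      # unsigned OCI artifact and is deprecated; `cosign attest --type spdxjson`
      # signs it, which is what "SBOM attestation" implies. Signing runs with
      # the same identity as the provenance step below.
      # NOTE(review): apko writes one SBOM per architecture plus one for the
      # index; the first file by name may not describe the digest being
      # attested — confirm which file matches the pushed reference.
      - name: Attach SBOM attestation
        env:
          COSIGN_YES: "true"
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          DIGEST: ${{ steps.publish.outputs.digest }}
        run: |
          IMAGE_DIGEST="${REGISTRY_URL}/${IMAGE_NAME}@${DIGEST}"
          SBOM_FILE=$(find /tmp/sbom -maxdepth 1 -name '*.spdx.json' 2>/dev/null | sort | head -1)
          if [ -n "$SBOM_FILE" ]; then
            cosign attest --predicate "${SBOM_FILE}" --type spdxjson "${IMAGE_DIGEST}"
            echo "SBOM attestation attached successfully"
          else
            echo "No SBOM file found, skipping"
          fi

      # Builds a SLSA v0.2 provenance predicate and attests it to the digest.
      # cosign wraps the predicate file in the in-toto Statement itself (adding
      # _type, subject and predicateType), so the file must contain ONLY the
      # predicate; the previous version nested a whole Statement inside the
      # predicate, which produced a malformed attestation.
      # Completeness flags are set to what is actually recorded: no
      # environment and no materials are listed, so those are false.
      # NOTE(review): no --key is given, so cosign signs keyless and needs an
      # OIDC identity token from the runner; confirm the Gitea runner provides
      # one, otherwise supply a signing key via --key.
      - name: Generate and attach provenance
        env:
          COSIGN_YES: "true"
          IMAGE_REF: ${{ steps.publish.outputs.image_ref }}
          DIGEST: ${{ steps.publish.outputs.digest }}
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          CONFIG: ${{ matrix.config }}
        run: |
          IMAGE_DIGEST="${REGISTRY_URL}/${IMAGE_NAME}@${DIGEST}"
          # jq --arg JSON-escapes every value; none of them is spliced into a
          # quoted literal by the shell.
          jq -n \
            --arg builder_id "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
            --arg repo_uri "${{ github.server_url }}/${{ github.repository }}" \
            --arg commit_sha "${{ github.sha }}" \
            --arg entry_point "${CONFIG}" \
            --arg run_id "${{ github.run_id }}" \
            '{
              buildType: "https://apko.dev/build/v1",
              builder: { id: $builder_id },
              invocation: {
                configSource: {
                  uri: $repo_uri,
                  digest: { sha1: $commit_sha },
                  entryPoint: $entry_point
                }
              },
              metadata: {
                buildInvocationID: $run_id,
                completeness: {
                  parameters: true,
                  environment: false,
                  materials: false
                }
              }
            }' > /tmp/provenance.json
          cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
          echo "Provenance attestation attached successfully"

      # NOTE(review): executes an installer fetched from the `main` branch
      # without pinning or verification; pin a tagged revision and check its
      # digest before running it.
      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      # Reports critical/high CVEs for the image that was just pushed. The scan
      # is informational only: findings do not fail the job and the image is
      # already published by this point.
      - name: Docker Scout CVE Scan
        env:
          IMAGE_REF: ${{ steps.publish.outputs.image_ref }}
        run: |
          docker pull "${IMAGE_REF}"
          docker scout cves "${IMAGE_REF}" --only-severity critical,high

  # Creates a Gitea release tagged after the new Flutter stable version.
  notify-flutter:
    name: Create release for new Flutter version
    needs: [check-flutter]
    if: needs.check-flutter.outputs.has_new == 'true'
    runs-on: ubuntu-latest
    steps:
      # The version string comes from an upstream JSON document, so it is
      # handed to the shell through `env:` and JSON-encoded with jq rather
      # than spliced into the request body as text.
      - name: Create Gitea release
        env:
          VERSION: ${{ needs.check-flutter.outputs.new_version }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          echo "Creating release v${VERSION} for new Flutter stable..."
          BODY=$(jq -n --arg version "$VERSION" '{
            tag_name: ("v" + $version),
            name: ("v" + $version + " - Flutter " + $version),
            body: ("Automated release triggered by Flutter stable " + $version + " detection.\n\nUpstream: https://docs.flutter.dev/release/release-notes"),
            draft: false,
            prerelease: false
          }')
          curl -fsSL -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \
            -d "$BODY"
          echo "Release v${VERSION} created successfully"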