docker-base-distro/.gitea/workflows/rebuild.yaml

name: Weekly Rebuild (CVE Updates)

on:
  schedule:
    # Rebuild weekly to pick up Wolfi security patches
    - cron: '0 6 * * 1'
  workflow_dispatch:

permissions:
  contents: read

env:
  IMAGE_NAME: base-distro

jobs:
  rebuild:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter-sdk.yaml
            variant: flutter-sdk
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install apko
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_linux_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko          

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Rebuild and push with latest Wolfi packages
        run: |
          apko publish ${{ matrix.config }} \
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest          

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh          

      - name: Docker Scout CVE Scan
        run: |
          docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high