docker-base-distro/.gitea/workflows/rebuild.yaml

name: Weekly Rebuild (CVE Updates)

on:
  schedule:
    # Rebuild weekly to pick up Wolfi security patches
    - cron: '0 6 * * 1'
  push:
    paths:
      - '.gitea/workflows/rebuild.yaml'

permissions:
  contents: read

env:
  IMAGE_NAME: base-distro

jobs:
  rebuild:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter-sdk.yaml
            variant: flutter-sdk
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install apko
        run: |
          APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
          APKO_VERSION_NUM="${APKO_VERSION#v}"
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
            -o /tmp/apko.tar.gz
          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
          rm /tmp/apko.tar.gz          

      - name: Install cosign
        run: |
          COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
          COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
          curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
            -o /usr/local/bin/cosign
          chmod +x /usr/local/bin/cosign          

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Determine upstream version
        id: version
        run: |
          VARIANT="${{ matrix.variant }}"

          case "$VARIANT" in
            base|build)
              # Use Wolfi glibc version as base version
              UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
              if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
                UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
              fi
              ;;
            dotnet-runtime)
              # Use latest .NET runtime version
              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
              ;;
            dotnet-sdk)
              # Use latest .NET SDK version
              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
              ;;
            flutter-sdk)
              # Use latest Flutter stable version
              UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
                | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
              ;;
          esac

          echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
          echo "Upstream version for ${VARIANT}: ${UPSTREAM}"

          # Query DockerHub for existing tags to determine build increment
          REPO_NAME="${{ env.IMAGE_NAME }}"
          REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
          # Extract namespace/repo from registry URL (e.g. docker.io/svrnty -> svrnty)
          NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')

          # Query DockerHub API for tags matching this variant and version
          EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
            | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")

          # Find highest build number
          MAX_BUILD=0
          for tag in $EXISTING_TAGS; do
            BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
            if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then
              MAX_BUILD=$BUILD_NUM
            fi
          done

          NEXT_BUILD=$((MAX_BUILD + 1))
          VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}"
          echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
          echo "Next version tag: ${VERSION_TAG}"          

      - name: Rebuild and push with latest Wolfi packages
        id: publish
        run: |
          IMAGE_LATEST=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
          IMAGE_VERSIONED=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
          mkdir -p /tmp/sbom
          apko publish ${{ matrix.config }} \
            --sbom-path /tmp/sbom \
            --image-refs /tmp/image-refs.txt \
            "${IMAGE_LATEST}" \
            "${IMAGE_VERSIONED}"
          echo "image_ref=${IMAGE_LATEST}" >> "$GITHUB_OUTPUT"
          echo "image_versioned=${IMAGE_VERSIONED}" >> "$GITHUB_OUTPUT"
          DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"          

      - name: Attach SBOM attestation
        env:
          COSIGN_YES: "true"
        run: |
          IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
          SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
          if [ -n "$SBOM_FILE" ]; then
            cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
            echo "SBOM attached successfully"
          else
            echo "No SBOM file found, skipping"
          fi          

      - name: Generate and attach provenance
        env:
          COSIGN_YES: "true"
        run: |
          IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
          DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
          jq -n \
            --arg type "https://in-toto.io/Statement/v0.1" \
            --arg predType "https://slsa.dev/provenance/v0.2" \
            --arg name "${{ steps.publish.outputs.image_versioned }}" \
            --arg sha "$DIGEST_SHA" \
            --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
            --arg buildType "https://apko.dev/build/v1" \
            --arg uri "${{ github.server_url }}/${{ github.repository }}" \
            --arg sha1 "${{ github.sha }}" \
            --arg entry "${{ matrix.config }}" \
            --arg runId "${{ github.run_id }}" \
            '{
              "_type": $type,
              "predicateType": $predType,
              "subject": [{"name": $name, "digest": {"sha256": $sha}}],
              "predicate": {
                "builder": {"id": $builder},
                "buildType": $buildType,
                "invocation": {
                  "configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
                },
                "metadata": {
                  "buildInvocationID": $runId,
                  "completeness": {"parameters": true, "environment": true, "materials": true}
                }
              }
            }' > /tmp/provenance.json
          cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
          echo "Provenance attestation attached successfully"          

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh          

      - name: Docker Scout CVE Scan
        run: |
          docker pull ${{ steps.publish.outputs.image_ref }}
          docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high