forked from mystiq/dex
ci: build distroless images
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
This commit is contained in:
parent
6038af5044
commit
8b2ce6252d
2 changed files with 31 additions and 5 deletions
32
.github/workflows/artifacts.yaml
vendored
32
.github/workflows/artifacts.yaml
vendored
|
@ -18,6 +18,9 @@ jobs:
|
||||||
- linux/amd64
|
- linux/amd64
|
||||||
- linux/arm/v7
|
- linux/arm/v7
|
||||||
- linux/arm64
|
- linux/arm64
|
||||||
|
variant:
|
||||||
|
- alpine
|
||||||
|
- distroless
|
||||||
outputs:
|
outputs:
|
||||||
version: ${{ steps.details.outputs.version }}
|
version: ${{ steps.details.outputs.version }}
|
||||||
|
|
||||||
|
@ -37,12 +40,17 @@ jobs:
|
||||||
*) VERSION=sha-${GITHUB_SHA::8};;
|
*) VERSION=sha-${GITHUB_SHA::8};;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
VERSION_SUFFIX=""
|
||||||
|
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
|
||||||
|
VERSION_SUFFIX="-${{ matrix.variant }}"
|
||||||
|
fi
|
||||||
|
|
||||||
TAGS=()
|
TAGS=()
|
||||||
for image in $CONTAINER_IMAGES; do
|
for image in $CONTAINER_IMAGES; do
|
||||||
TAGS+=("${image}:${VERSION}")
|
TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
|
||||||
|
|
||||||
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
|
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
|
||||||
TAGS+=("${image}:latest")
|
TAGS+=("${image}:latest${VERSION_SUFFIX}")
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -84,6 +92,7 @@ jobs:
|
||||||
push: ${{ github.event_name == 'push' }}
|
push: ${{ github.event_name == 'push' }}
|
||||||
tags: ${{ steps.details.outputs.tags }}
|
tags: ${{ steps.details.outputs.tags }}
|
||||||
build-args: |
|
build-args: |
|
||||||
|
BASE_IMAGE=${{ matrix.variant }}
|
||||||
VERSION=${{ steps.details.outputs.version }}
|
VERSION=${{ steps.details.outputs.version }}
|
||||||
COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
|
COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
|
||||||
BUILD_DATE=${{ steps.details.outputs.build_date }}
|
BUILD_DATE=${{ steps.details.outputs.build_date }}
|
||||||
|
@ -103,12 +112,29 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: container-images
|
needs: container-images
|
||||||
if: github.event_name == 'push'
|
if: github.event_name == 'push'
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
variant:
|
||||||
|
- alpine
|
||||||
|
- distroless
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
# Workaround for lack of matrix output support
|
||||||
|
- name: Calculate container image details
|
||||||
|
id: details
|
||||||
|
run: |
|
||||||
|
VERSION="${{ needs.container-images.outputs.version }}"
|
||||||
|
|
||||||
|
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
|
||||||
|
VERSION="${VERSION}-${{ matrix.variant }}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ::set-output name=version::${VERSION}
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
- name: Run Trivy vulnerability scanner
|
||||||
uses: aquasecurity/trivy-action@0.2.4
|
uses: aquasecurity/trivy-action@0.2.4
|
||||||
with:
|
with:
|
||||||
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
|
image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
|
||||||
format: "sarif"
|
format: "sarif"
|
||||||
output: "trivy-results.sarif"
|
output: "trivy-results.sarif"
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
ARG BASEIMAGE=alpine
|
ARG BASE_IMAGE=alpine
|
||||||
|
|
||||||
FROM golang:1.17.8-alpine3.14 AS builder
|
FROM golang:1.17.8-alpine3.14 AS builder
|
||||||
|
|
||||||
|
@ -44,7 +44,7 @@ RUN wget -O /usr/local/bin/gomplate \
|
||||||
FROM alpine:3.15.4 AS alpine
|
FROM alpine:3.15.4 AS alpine
|
||||||
FROM gcr.io/distroless/static:latest AS distroless
|
FROM gcr.io/distroless/static:latest AS distroless
|
||||||
|
|
||||||
FROM $BASEIMAGE
|
FROM $BASE_IMAGE
|
||||||
|
|
||||||
# Dex connectors, such as GitHub and Google logins require root certificates.
|
# Dex connectors, such as GitHub and Google logins require root certificates.
|
||||||
# Proper installations should manage those certificates, but it's a bad user
|
# Proper installations should manage those certificates, but it's a bad user
|
||||||
|
|
Loading…
Reference in a new issue