ci: build distroless images

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
This commit is contained in:
Mark Sagi-Kazar 2022-04-14 15:35:32 +02:00
parent 6038af5044
commit 8b2ce6252d
No known key found for this signature in database
GPG key ID: 31AB0439F4C5C90E
2 changed files with 31 additions and 5 deletions


@ -18,6 +18,9 @@ jobs:
- linux/amd64 - linux/amd64
- linux/arm/v7 - linux/arm/v7
- linux/arm64 - linux/arm64
variant:
- alpine
- distroless
outputs: outputs:
version: ${{ steps.details.outputs.version }} version: ${{ steps.details.outputs.version }}
@ -37,12 +40,17 @@ jobs:
*) VERSION=sha-${GITHUB_SHA::8};; *) VERSION=sha-${GITHUB_SHA::8};;
esac esac
VERSION_SUFFIX=""
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION_SUFFIX="-${{ matrix.variant }}"
fi
TAGS=() TAGS=()
for image in $CONTAINER_IMAGES; do for image in $CONTAINER_IMAGES; do
TAGS+=("${image}:${VERSION}") TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
TAGS+=("${image}:latest") TAGS+=("${image}:latest${VERSION_SUFFIX}")
fi fi
done done
@ -84,6 +92,7 @@ jobs:
push: ${{ github.event_name == 'push' }} push: ${{ github.event_name == 'push' }}
tags: ${{ steps.details.outputs.tags }} tags: ${{ steps.details.outputs.tags }}
build-args: | build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ steps.details.outputs.version }} VERSION=${{ steps.details.outputs.version }}
COMMIT_HASH=${{ steps.details.outputs.commit_hash }} COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
BUILD_DATE=${{ steps.details.outputs.build_date }} BUILD_DATE=${{ steps.details.outputs.build_date }}
@ -103,12 +112,29 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: container-images needs: container-images
if: github.event_name == 'push' if: github.event_name == 'push'
strategy:
matrix:
variant:
- alpine
- distroless
steps: steps:
# Workaround for lack of matrix output support
- name: Calculate container image details
id: details
run: |
VERSION="${{ needs.container-images.outputs.version }}"
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION="${VERSION}-${{ matrix.variant }}"
fi
echo ::set-output name=version::${VERSION}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.2.4 uses: aquasecurity/trivy-action@0.2.4
with: with:
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}" image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
format: "sarif" format: "sarif"
output: "trivy-results.sarif" output: "trivy-results.sarif"
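Review bot: The new matrix on the scan job keeps the default `fail-fast`, so a Trivy failure on one variant cancels the sibling variant's scan, and both variants write the same `trivy-results.sarif` with nothing distinguishing them. Add `fail-fast: false` under the new `strategy:` so each image is always scanned independently, and if the steps after this hunk upload the SARIF to code scanning, give that upload a per-variant `category` (for example `trivy-${{ matrix.variant }}`) so the distroless findings do not replace the alpine ones. The changed `image-ref` still resolves the image by mutable tag rather than by the digest of the image just pushed; that is pre-existing and the matrix-output limitation noted in the workaround comment makes passing a digest awkward, so a comment stating that the scan targets whatever the tag points to at scan time would make the assumption explicit. The `Calculate container image details` step duplicates the suffix rule from the build job; a one-line comment there, `# Must match the VERSION_SUFFIX logic in container-images`, keeps the two in sync.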


@ -1,4 +1,4 @@
ARG BASEIMAGE=alpine ARG BASE_IMAGE=alpine
FROM golang:1.17.8-alpine3.14 AS builder FROM golang:1.17.8-alpine3.14 AS builder
@ -44,7 +44,7 @@ RUN wget -O /usr/local/bin/gomplate \
FROM alpine:3.15.4 AS alpine FROM alpine:3.15.4 AS alpine
FROM gcr.io/distroless/static:latest AS distroless FROM gcr.io/distroless/static:latest AS distroless
FROM $BASEIMAGE FROM $BASE_IMAGE
# Dex connectors, such as GitHub and Google logins require root certificates. # Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user # Proper installations should manage those certificates, but it's a bad user