Merge pull request #2478 from dexidp/distroless

Publish official distroless images
This commit is contained in:
Márk Sági-Kazár 2022-04-15 08:48:42 +02:00 committed by GitHub
commit c8ff7ed40a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 10 deletions


@ -18,6 +18,9 @@ jobs:
- linux/amd64
- linux/arm/v7
- linux/arm64
variant:
- alpine
- distroless
outputs:
version: ${{ steps.details.outputs.version }}
@ -37,12 +40,17 @@ jobs:
*) VERSION=sha-${GITHUB_SHA::8};;
esac
VERSION_SUFFIX=""
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION_SUFFIX="-${{ matrix.variant }}"
fi
TAGS=()
for image in $CONTAINER_IMAGES; do
TAGS+=("${image}:${VERSION}")
TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}")
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
TAGS+=("${image}:latest")
TAGS+=("${image}:latest${VERSION_SUFFIX}")
fi
done
@ -84,6 +92,7 @@ jobs:
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.details.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ steps.details.outputs.version }}
COMMIT_HASH=${{ steps.details.outputs.commit_hash }}
BUILD_DATE=${{ steps.details.outputs.build_date }}
@ -103,12 +112,29 @@ jobs:
runs-on: ubuntu-latest
needs: container-images
if: github.event_name == 'push'
strategy:
matrix:
variant:
- alpine
- distroless
steps:
# Workaround for lack of matrix output support
- name: Calculate container image details
id: details
run: |
VERSION="${{ needs.container-images.outputs.version }}"
if [[ "${{ matrix.variant }}" != "alpine" ]]; then
VERSION="${VERSION}-${{ matrix.variant }}"
fi
echo ::set-output name=version::${VERSION}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.2.4
with:
image-ref: "ghcr.io/dexidp/dex:${{ needs.container-images.outputs.version }}"
image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}"
format: "sarif"
output: "trivy-results.sarif"
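Review bot: The new `Calculate container image details` step interpolates `${{ matrix.variant }}` straight into the bash `run:` body, so the expression is expanded into the script before the shell sees it; the same pattern is added in the earlier hunk (`VERSION_SUFFIX="-${{ matrix.variant }}"`). The values come from a static matrix list in this file, so the exposure today is small, but the conventional form is to hand expression values to the script through `env:` and read them as shell variables, which keeps the script free of template expansion if the matrix is ever driven by event data. Concretely: `env:` / `  VARIANT: ${{ matrix.variant }}` above the `run:`, then `if [[ "$VARIANT" != "alpine" ]]; then` and `VERSION="${VERSION}-${VARIANT}"` in the body. The job's `steps:` continue past the end of this hunk.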


@ -1,11 +1,11 @@
name: Docker
on:
push:
branches:
- master
tags:
- v[0-9]+.[0-9]+.[0-9]+
# push:
# branches:
# - master
# tags:
# - v[0-9]+.[0-9]+.[0-9]+
pull_request:
jobs:
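Review bot: The `push` trigger is left in place as a commented-out block rather than removed, and nothing in the file says why this workflow now runs only on `pull_request`; a reader finding a workflow named `Docker` that never publishes has no way to tell whether that is deliberate. If publishing has moved to the matrix job in the other workflow touched by this commit (that is how it reads, but the job names are not visible here), delete the five commented lines and replace them with a one-line comment such as `# Push/tag builds are published by the container-images job; this workflow only validates PR builds.`. The `jobs:` mapping continues outside the hunk.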


@ -1,4 +1,4 @@
ARG BASEIMAGE=alpine:3.15.4
ARG BASE_IMAGE=alpine
FROM golang:1.17.8-alpine3.14 AS builder
@ -40,8 +40,11 @@ RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate
# For Dependabot to detect base image versions
FROM alpine:3.15.4 AS alpine
FROM gcr.io/distroless/static:latest AS distroless
FROM $BASEIMAGE
FROM $BASE_IMAGE
# Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user
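Review bot: `FROM gcr.io/distroless/static:latest AS distroless` pins neither a tag nor a digest, so the distroless variant is built from whatever the mutable `latest` tag points to at build time, and the `# For Dependabot to detect base image versions` comment above it does not hold for this line because Dependabot has nothing to bump; the alpine stage next to it is pinned to `3.15.4`. Pin the stage to an immutable reference the same way the alpine one is, e.g. `FROM gcr.io/distroless/static:latest@sha256:<digest-of-the-reviewed-image> AS distroless` (placeholder digest), so the published image is reproducible and the update shows up as a reviewable diff. Separately, `distroless/static` ships no shell or package manager, so any `RUN` step that follows `FROM $BASE_IMAGE` in the part of the file outside this hunk (the certificate comment on the last two lines suggests there is one) would fail for this variant; worth confirming that the rest of the final stage is `COPY`-only.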